Citrix NetScaler Under Active Recon for CVE-2026-3055 (CVSS 9.3) Memory Overread Bug - The Hacker News
The Hacker NewsArchived May 19, 2026✓ Full text saved
Citrix NetScaler Under Active Recon for CVE-2026-3055 (CVSS 9.3) Memory Overread Bug The Hacker News
Full text archived locally
✦ AI Summary· Claude Sonnet
Citrix NetScaler Under Active Recon for CVE-2026-3055 (CVSS 9.3) Memory Overread Bug
Ravie LakshmananMar 28, 2026Vulnerability / Network Security
A recently disclosed critical security flaw impacting Citrix NetScaler ADC and NetScaler Gateway is witnessing active reconnaissance activity, according to Defused Cyber and watchTowr.
The vulnerability, CVE-2026-3055 (CVSS score: 9.3), refers to a case of insufficient input validation leading to memory overread, which an attacker could exploit to leak potentially sensitive information.
Per Citrix, successful exploitation of the flaw hinges on the appliance being configured as a SAML Identity Provider (SAML IDP).
"We are now observing auth method fingerprinting activity against NetScaler ADC/Gateway in the wild," Defused Cyber said in a post on X. "Attackers are probing /cgi/GetAuthMethods to enumerate enabled authentication flows in our Citrix honeypots."
This is likely an attempt on the part of threat actors to determine if NetScaler ADC and NetScaler Gateway are indeed configured as a SAML IDP.
In a similar warning, watchTowr said it has detected active reconnaissance against NetScaler instances in its honeypot network, raising the possibility that in-the-wild exploitation can happen anytime.
"Organizations running affected Citrix NetScaler versions in affected configurations need to drop tools and patch immediately," the company said. "When attacker reconnaissance shifts to active exploitation, the window to respond will evaporate."
The vulnerability affects NetScaler ADC and NetScaler Gateway versions before 14.1-60.58, 14.1 before 14.1-66.59, and 13.1 before 13.1-62.23, as well as NetScaler ADC 13.1-FIPS and 13.1-NDcPP before 13.1-37.262.
In recent years, a number of security vulnerabilities affecting NetScaler have come under active exploitation in the wild. These include CVE-2023-4966 (Citrix Bleed), CVE-2025-5777 (Citrix Bleed 2), CVE-2025-6543, and CVE-2025-7775.
It's therefore crucial that users move quickly to the latest updates as soon as possible to stay protected, as it's a matter of not if, but when.
Update
The vulnerability has since come under active exploitation in the wild, with Defused Cyber noting that "attackers send crafted SAMLRequest payloads to /saml/login omitting the AssertionConsumerServiceURL field, triggering the appliance to leak memory contents via the NSC_TASS cookie." According to watchTowr, exploitation attempts have originated from known threat actor source IPs as of March 27, 2026.
In an analysis published last week, watchTowr said the vulnerability can be exploited to return sensitive data left over from a previous request in memory via NSC_TASS when sending a request to the "/saml/login" endpoint. When the same request is sent to a patched instance, the response is: "Parsing of presented Assertion failed; Please contact your administrator."
Further investigation has revealed that CVE-2026-3055 refers to not one singular memory overread vulnerability, but distinct ones that affect the following endpoints -
/saml/login
/wsfed/passive?wctx
For exploitation to occur, a "wctx" query string parameter needs to be present in the HTTP request, but without any value and lacking the "=" symbol.
"An unpatched/vulnerable Citrix NetScaler will mistakenly check only for its presence before accessing the buffer associated with the variable, rather than checking for the presence of associated data," watchTowr researcher Aliz Hammond said. "Since there is no actual value in the request, it just points to dead memory."
"If the target Citrix NetScaler is vulnerable, it'll leak memory all over the place and look like a crime scene. This memory arrives, yet again, Base64-encoded in the very same NSC_TASS cookie we discussed before, but without any of the limitations of the 'other' vulnerability patched within CVE-2026-3055."
Security Flaw Added to KEV Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-3055 to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by April 2, 2026.
(The story was updated after publication on March 30, 2026, to include additional details of the flaw.)
Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.
SHARE
Tweet
Share
Share
SHARE
Citrix, cybersecurity, NetScaler, network security, SAML, Threat Intelligence, Vulnerability
⚡ Top Stories This Week
Four OpenClaw Flaws Enable Data Theft, Privilege Escalation, and Persistence
18-Year-Old NGINX Rewrite Module Flaw Enables Unauthenticated RCE
New Fragnesia Linux Kernel LPE Grants Root Access via Page Cache Corruption
Microsoft's MDASH AI System Finds 16 Windows Flaws Fixed in Patch Tuesday
ThreatsDay Bulletin: PAN-OS RCE, Mythos cURL Bug, AI Tokenizer Attacks, and 10+ Stories
cPanel CVE-2026-41940 Under Active Exploitation to Deploy Filemanager Backdoor
New Exim BDAT Vulnerability Exposes GnuTLS Builds to Potential Code Execution
On-Prem Microsoft Exchange Server CVE-2026-42897 Exploited via Crafted Email
[Webinar] How Modern Attack Paths Cross Code, Pipelines, and Cloud
Mini Shai-Hulud Worm Compromises TanStack, Mistral AI, Guardrails AI and More Packages
Windows Zero-Days Expose BitLocker Bypasses And CTFMON Privilege Escalation
Microsoft Patches 138 Vulnerabilities, Including DNS and Netlogon RCE Flaws
Ollama Out-of-Bounds Read Vulnerability Allows Remote Process Memory Leak
Cisco Catalyst SD-WAN Controller Auth Bypass Actively Exploited to Gain Admin Access
⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and More
Hackers Used AI to Develop First Known Zero-Day 2FA Bypass for Mass Exploitation
Load More ▼
⭐ Featured Resources
Identify Internal Attack Surfaces More Efficiently With a Free Assessment
[eBook] Get the 3-Number SOC Diagnostic to Reduce Queue Risk
[Webinar] Learn How to Handle Critical SOC Alerts With AI Support
[Guide] Stop Email Fraud Before It Turns Into Ransomware Damage