Critical Citrix NetScaler memory flaw actively exploited in attacks

Published:

30 March 2026 at 18:28:37

Alert date:

30 March 2026 at 19:01:30

Source:

bleepingcomputer.com
Network Infrastructure, Zero-Day Vulnerabilities, Identity & Access

A critical severity memory vulnerability (CVE-2026-3055) in Citrix NetScaler ADC and NetScaler Gateway appliances is being actively exploited by hackers to obtain sensitive data. The flaw represents a significant security risk for organizations using these network infrastructure components, requiring immediate attention and patching.

Technical details

CVE-2026-3055 is a critical severity memory overread vulnerability that actually covers at least two distinct bugs. The first affects the '/saml/login' endpoint handling SAML authentication, while the second affects the '/wsfed/passive' endpoint used for WS-Federation passive authentication. The vulnerability can be exploited to leak sensitive information including authenticated administrative session IDs, potentially enabling full takeover of NetScaler appliances. The flaw only affects appliances configured as a SAML identity provider (IDP) and resembles the previously exploited CitrixBleed vulnerabilities.

Mitigation steps:

Apply patches immediately for NetScaler ADC and Gateway appliances
Update to versions 14.1-60.58 or later, 13.1-62.23 or later, or 13.1-37.262 or later
Use watchTowr's Python script to identify vulnerable hosts in environments
Monitor for exploitation attempts on SAML and WS-Federation endpoints
Check if appliances are configured as SAML identity providers as only those are affected

Affected products:

Citrix NetScaler ADC versions before 14.1-60.58
Citrix NetScaler ADC versions before 13.1-62.23
Citrix NetScaler ADC versions before 13.1-37.262
Citrix NetScaler Gateway versions before 14.1-60.58
Citrix NetScaler Gateway versions before 13.1-62.23
Citrix NetScaler Gateway versions before 13.1-37.262
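Two of the steps above are mechanical enough to script: comparing an appliance's version string against the fixed builds listed here, and watching the '/saml/login' and '/wsfed/passive' endpoints for traffic that deserves a look. The following is an added example written for this advisory; it is not Citrix's or watchTowr's code. The fixed builds are taken from the text; treating 13.1-37.x as a separate release train, the combined-log-style line layout, the sample log lines and the hit threshold are all assumptions made for the example.

```python
"""Defensive helpers for CVE-2026-3055 triage (added example, not vendor code):
  * is_patched(): is a NetScaler version string at or above a fixed build?
  * sources_to_review(): which client IPs are hitting the two affected endpoints?
"""
import re
from collections import Counter

# Fixed builds as listed in the advisory, keyed by (release train, build prefix).
# Assumption: 13.1-37.x is its own train, since the advisory lists 13.1-37.262
# separately from 13.1-62.23; it is therefore matched by its build number first.
FIXED_BUILDS = {
    ("14.1", None): (60, 58),
    ("13.1", 37): (37, 262),
    ("13.1", None): (62, 23),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")


def parse_version(version):
    """Turn a version string such as '14.1-60.58' into (major, minor, build, sub)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(version):
    """True if the version is at or above its train's fixed build, False if below,
    None if the advisory lists no fixed build for that train (e.g. 12.1)."""
    major, minor, build, sub = parse_version(version)
    train = f"{major}.{minor}"
    fixed = FIXED_BUILDS.get((train, build)) or FIXED_BUILDS.get((train, None))
    if fixed is None:
        return None
    return (build, sub) >= fixed


# Endpoints the advisory names as the targets of exploitation attempts.
WATCHED_PATHS = ("/saml/login", "/wsfed/passive")

# Combined-log-style access line (assumption: the appliance's real log layout
# may differ and the regex would need adjusting).
_LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def watched_requests(log_lines):
    """Yield (source, path, status) for every request to a watched endpoint."""
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]  # drop any query string
        if path in WATCHED_PATHS:
            yield m.group("src"), path, int(m.group("status"))


def sources_to_review(log_lines, is_saml_idp, threshold=5):
    """Return {source: hit_count} for sources worth investigating.

    The advisory says only appliances configured as a SAML IdP are affected.
    On an appliance that is NOT an IdP these endpoints should carry no
    legitimate traffic, so every hit is reported.  On an IdP, normal logins
    also use /saml/login, so only sources above `threshold` hits (assumed
    value) are reported."""
    counts = Counter(src for src, _path, _status in watched_requests(log_lines))
    limit = 0 if not is_saml_idp else threshold
    return {src: n for src, n in counts.items() if n > limit}


# Constructed sample log lines (documentation IP ranges; not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [30/Mar/2026:18:02:11 +0000] "GET /saml/login HTTP/1.1" 200 512',
    '203.0.113.7 - - [30/Mar/2026:18:02:12 +0000] "POST /saml/login HTTP/1.1" 200 9800',
    '203.0.113.7 - - [30/Mar/2026:18:02:12 +0000] "POST /saml/login HTTP/1.1" 200 9800',
    '203.0.113.7 - - [30/Mar/2026:18:02:13 +0000] "GET /wsfed/passive?wa=wsignin1.0 HTTP/1.1" 200 9800',
    '203.0.113.7 - - [30/Mar/2026:18:02:13 +0000] "GET /wsfed/passive HTTP/1.1" 200 9800',
    '203.0.113.7 - - [30/Mar/2026:18:02:14 +0000] "GET /wsfed/passive HTTP/1.1" 200 9800',
    '198.51.100.20 - - [30/Mar/2026:18:05:40 +0000] "POST /saml/login HTTP/1.1" 200 1024',
    '198.51.100.20 - - [30/Mar/2026:18:06:02 +0000] "GET /vpn/index.html HTTP/1.1" 200 4021',
]

if __name__ == "__main__":
    for v in ("14.1-47.46", "14.1-60.58", "13.1-58.32", "13.1-37.250", "12.1-55.300"):
        print(f"{v:>12}: patched={is_patched(v)}")
    print("IdP appliance, sources over threshold:", sources_to_review(SAMPLE_LOG, is_saml_idp=True))
    print("non-IdP appliance, any hit:           ", sources_to_review(SAMPLE_LOG, is_saml_idp=False))
```

The version check returns None rather than a verdict for trains the advisory does not list, so that an unlisted release is reviewed against the vendor bulletin instead of being silently marked safe. The IdP flag matters for the log check: the page is explicit that only SAML IdP configurations are affected, so the same endpoint hits mean different things on the two kinds of appliance.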

IOCs:

Reconnaissance activity targeting vulnerable instances observed by watchTowr
Exploitation attempts targeting the '/saml/login' endpoint
Exploitation attempts targeting the '/wsfed/passive' endpoint
Memory content leakage containing session IDs

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

This website displays information originating from external sources; Perceptive accepts no responsibility for the accuracy, completeness or currency of this information.