Full Report
A recently disclosed critical security flaw impacting Citrix NetScaler ADC and NetScaler Gateway is witnessing active reconnaissance activity, according to Defused Cyber and watchTowr. The vulnerability, CVE-2026-3055 (CVSS score: 9.3), refers to a case of insufficient input validation leading to memory overread, which an attacker could exploit to leak potentially sensitive information. Per
Analysis Summary
# Vulnerability: Citrix NetScaler Memory Overread (SAML IDP)
## CVE Details
- **CVE ID:** CVE-2026-3055
- **CVSS Score:** 9.3 (Critical)
- **CWE:** CWE-125 (Out-of-bounds Read) / Insufficient Input Validation
## Affected Systems
- **Products:** Citrix NetScaler ADC and NetScaler Gateway
- **Versions:**
  - 14.1 prior to 14.1-66.59
  - 13.1 prior to 13.1-62.23
  - 13.1-FIPS prior to 13.1-37.262
  - 13.1-NDcPP prior to 13.1-37.262
- **Configurations:** Success depends on the appliance being configured as a **SAML Identity Provider (SAML IDP)**.
## Vulnerability Description
CVE-2026-3055 is a memory overread vulnerability caused by insufficient input validation. An attacker can exploit this flaw to read data beyond the intended buffer, potentially leaking sensitive system information residing in the appliance's memory. This is architecturally similar to previous "Citrix Bleed" style vulnerabilities where memory leakage can lead to session hijacking or credential theft.
## Exploitation
- **Status:** Under active reconnaissance/probing. Security researchers (Defused Cyber, watchTowr) have observed threat actors fingerprinting devices to identify vulnerable configurations.
- **Complexity:** Low (Targeted via automated scanning of specific endpoints).
- **Attack Vector:** Network (Unauthenticated)
## Impact
- **Confidentiality:** High (Potential leakage of sensitive session tokens, keys, or configuration data).
- **Integrity:** None (Directly).
- **Availability:** Low (While primarily an information leak, certain memory reads can cause process instability).
## Remediation
### Patches
Citrix has released the following updated versions to address the flaw:
- NetScaler ADC / Gateway 14.1-66.59 or later
- NetScaler ADC / Gateway 13.1-62.23 or later
- NetScaler ADC 13.1-FIPS / 13.1-NDcPP 13.1-37.262 or later
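An added example (not Citrix's code, and not from the advisory itself) for turning the fixed builds listed above into an inventory check: it parses build strings written the way the advisory writes them (`14.1-66.59`), compares them against the fixed build for the matching release train and variant, and reports which hosts still need the patch. The host names, the inventory list and the `variant` parameter (`""`, `"FIPS"` or `"NDcPP"`) are assumptions made for the example.

```python
import re
from typing import Optional, Tuple

# Fixed builds for CVE-2026-3055 as listed in the Patches section: (release, variant) -> (build, minor).
# Variant "" is the standard ADC/Gateway train; FIPS and NDcPP builds have their own threshold.
FIXED_BUILDS = {
    ("14.1", ""): (66, 59),
    ("13.1", ""): (62, 23),
    ("13.1", "FIPS"): (37, 262),
    ("13.1", "NDcPP"): (37, 262),
}

# Assumption: build strings use the advisory's notation, e.g. "14.1-66.59".
_BUILD_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")


def parse_build(version: str) -> Tuple[str, Tuple[int, int]]:
    """Split "14.1-66.59" into ("14.1", (66, 59)); reject anything that does not fit the pattern."""
    m = _BUILD_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler build string: {version!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def is_affected(version: str, variant: str = "") -> Optional[bool]:
    """True if the build is older than the fixed build for its train, False if fixed,
    None if the release train is not one the advisory lists (e.g. "12.1")."""
    release, build = parse_build(version)
    fixed = FIXED_BUILDS.get((release, variant))
    if fixed is None:
        return None
    return build < fixed  # tuple comparison: (65, 10) < (66, 59)


def triage(inventory):
    """Given [(hostname, version, variant), ...], return the hosts that still need patching."""
    return [host for host, ver, var in inventory if is_affected(ver, var)]


if __name__ == "__main__":
    # Constructed inventory for the example; these are not real hosts.
    fleet = [
        ("ns-gw-01", "14.1-65.10", ""),
        ("ns-gw-02", "14.1-66.59", ""),
        ("ns-fips-01", "13.1-37.200", "FIPS"),
        ("ns-old-01", "12.1-55.100", ""),
    ]
    for host, ver, var in fleet:
        print(host, ver, var or "standard", "->", is_affected(ver, var))
    print("needs patch:", triage(fleet))
```

A release train the advisory does not list comes back as `None` rather than `False`, so it shows up for manual review instead of silently passing; and a build that is at or above the fixed version only closes this CVE, it does not tell you whether the appliance is configured as a SAML IDP, which the advisory names as the condition for exposure.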
### Workarounds
The primary mitigation is to update to the patched versions. If patching is delayed, organizations should assess whether any SAML IDP configurations that are not mission-critical can be temporarily disabled, bearing in mind that doing so may disrupt user authentication.
## Detection
- **Indicators of Compromise:** Monitor web server logs for requests to the `/cgi/GetAuthMethods` endpoint. This endpoint is currently being used by attackers to enumerate enabled authentication flows and identify SAML IDP configurations.
- **Detection methods and tools:** Leverage honeypots or WAF signatures to flag high-frequency scanning of Citrix-specific authentication endpoints.
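An added example (not from the advisory or from either research team) of the detection logic described above, run over constructed access-log lines: it extracts every request to `/cgi/GetAuthMethods` grouped by source address, then applies a sliding-window count so that a source hitting the endpoint repeatedly in a short span is flagged while a single ordinary request is not. The log lines are assumed to be in Apache Combined Log Format, which is an assumption for the example rather than NetScaler's native log layout; the IP addresses, timestamps and user agents are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional

# Endpoint named in the Detection section above.
WATCHED_PATH = "/cgi/GetAuthMethods"

# Constructed sample lines in Apache Combined Log Format (not real NetScaler output).
# 203.0.113.7 hits the endpoint six times in nine seconds; 198.51.100.22 makes one ordinary request.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2026:10:15:01 +0000] "GET /cgi/GetAuthMethods HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2026:10:15:02 +0000] "GET /cgi/GetAuthMethods HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2026:10:15:03 +0000] "GET /cgi/GetAuthMethods HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2026:10:15:04 +0000] "GET /vpn/index.html HTTP/1.1" 200 2048 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2026:10:15:06 +0000] "GET /cgi/GetAuthMethods HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2026:10:15:08 +0000] "GET /cgi/GetAuthMethods HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2026:10:15:09 +0000] "GET /cgi/GetAuthMethods HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.22 - - [12/Mar/2026:10:20:00 +0000] "GET /cgi/GetAuthMethods HTTP/1.1" 200 512 "-" "Mozilla/5.0"
this line is deliberately malformed and must be skipped
"""

_CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one CLF line into a dict; return None for lines that do not match."""
    m = _CLF_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def endpoint_hits(lines, path: str = WATCHED_PATH) -> Dict[str, List[datetime]]:
    """All requests to the watched endpoint (query string ignored), grouped by source IP."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"].split("?", 1)[0] == path:
            hits[rec["ip"]].append(rec["ts"])
    return dict(hits)


def max_in_window(times: List[datetime], window_seconds: int) -> int:
    """Largest number of hits that fall inside any window of the given length."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def flag_scanners(lines, threshold: int = 5, window_seconds: int = 60) -> Dict[str, int]:
    """Sources whose peak hit rate on the endpoint reaches the threshold within one window."""
    flagged = {}
    for ip, times in endpoint_hits(lines).items():
        peak = max_in_window(times, window_seconds)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("all sources touching the endpoint:", {ip: len(t) for ip, t in endpoint_hits(lines).items()})
    print("flagged as scanning:", flag_scanners(lines))
```

The two functions serve different purposes: `endpoint_hits` is the raw indicator from the advisory (anyone touching the endpoint is worth a look on an appliance that has no business serving it to the internet), while `flag_scanners` is the rate-based rule that a WAF signature or honeypot alert would encode. Tune `threshold` and `window_seconds` against a baseline of legitimate traffic before alerting on it.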
## References
- **Citrix Advisory:** hxxps[://]thehackernews[.]com/2026/03/citrix-urges-patching-critical.html
- **Researcher Observations:** hxxps[://]x[.]com/DefusedCyber/status/2037472546732310668
- **Threat Intelligence:** hxxps[://]thehackernews[.]com/2026/03/citrix-netscaler-under-active-recon-for.html