[CDP-development] TLP:GREEN (Vulnerability Alert Notification) CVE-2026-3055 — Citrix NetScaler ADC & Gateway Memory Overread
ESO_SOC * DAS
ESO.SOC at das.oregon.gov
Mon Mar 30 13:02:51 PDT 2026
Good afternoon,
The SOC Services team is reporting on the vulnerability: CVE-2026-3055 affecting Citrix NetScaler ADC and NetScaler Gateway. Because in-the-wild exploitation has been confirmed by security researchers and the flaw allows for unauthenticated data exfiltration, we are providing this in-depth information.
History: Citrix disclosed this vulnerability on March 23, 2026. A CVSS v3.x base score has not been assessed as of 03/30/2026; however, Citrix has provided a CVSS v4 base score of 9.3 (Critical).
Affected Versions
* NetScaler ADC and NetScaler Gateway 14.1 before 14.1-60.58 or 14.1-66.59
* NetScaler ADC and NetScaler Gateway 13.1 before 13.1-62.23
* NetScaler ADC 13.1-FIPS and 13.1-NDcPP before 13.1-37.262
Fixed Versions
* NetScaler ADC and NetScaler Gateway 14.1-60.58 (and later 60.x builds)
* NetScaler ADC and NetScaler Gateway 14.1-66.59 (and later 66.x builds)
* NetScaler ADC and NetScaler Gateway 13.1-62.23
* NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.262
An unauthenticated remote attacker can trigger a memory overread on affected appliances, leading to the disclosure of sensitive information from the device's memory. This occurs due to insufficient input validation when the appliance is specifically configured as a SAML Identity Provider (IdP).
Vendor Advisory: CTX696300 - Citrix NetScaler ADC and NetScaler Gateway Security Bulletin <https://support.citrix.com/article/CTX696300>
Intelligence: On March 30, 2026, CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog.
Exploitability Level: Network Exploitability
Complexity: Low
User Interaction: None
Remotely Exploitable: Yes
Proof of Concept: Available (Functional PoCs circulating in the research community)
Zero Day: No (Disclosed by vendor prior to observed exploitation)
Workarounds: There are no official workarounds that fully mitigate the vulnerability without patching; Global Deny List signatures are available for NetScaler Console users on specific firmware builds (14.1-60.52 and 14.1-60.57).
How it Works: The flaw is triggered by sending a crafted SAMLRequest payload to the /saml/login endpoint that omits the AssertionConsumerServiceURL field. This causes the appliance to improperly validate the request and return sensitive memory contents, including authenticated session IDs, via the NSC_TASS cookie.
Post-Exploit Impact:
* Information Disclosure: Unauthenticated extraction of administrative session IDs and other sensitive RAM data (CWE-125)
* Session Hijacking: Attackers can use leaked session tokens to bypass multi-factor authentication (MFA) and gain full control of the appliance (CWE-484)
Indicators of Compromise (IoCs):
Type        | Value       | Description / Notes
Log Pattern | /saml/login | Requests with missing AssertionConsumerServiceURL fields
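The log pattern above can be checked mechanically. The following is an added example for this alert (not part of the notification or a Citrix tool): it parses web or proxy access logs in Common Log Format, decodes the SAMLRequest parameter of GET requests to /saml/login (HTTP-Redirect binding: raw DEFLATE, base64, URL-encoding; plain base64 is tried as a fallback), and flags any AuthnRequest that lacks the AssertionConsumerServiceURL attribute. The log format, the field names, and the sample log lines are assumptions constructed here; POST requests whose body is not logged are reported separately so they can be inspected in the appliance's own records.

```python
"""Flag /saml/login requests whose SAMLRequest omits AssertionConsumerServiceURL.

Added example for this alert; not part of the original notification or any
vendor tooling. Assumes Common Log Format lines that retain the full query
string. Sample log lines below are constructed for illustration.
"""
import base64
import re
import zlib
from urllib.parse import parse_qs, quote, urlsplit

# Common Log Format: client, ident, user, [timestamp], "METHOD target PROTO", status
CLF_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# The attribute whose absence the alert describes as the trigger condition.
ACS_RE = re.compile(r"\bAssertionConsumerServiceURL\s*=")


def decode_saml_request(param):
    """Return AuthnRequest XML from a SAMLRequest value, or None if undecodable."""
    # A '+' that survived URL-decoding as a space is restored before base64 decoding.
    param = param.replace(" ", "+")
    try:
        raw = base64.b64decode(param, validate=True)
    except ValueError:
        return None
    try:  # HTTP-Redirect binding: raw DEFLATE (no zlib header) inside base64
        return zlib.decompress(raw, wbits=-15).decode("utf-8", "replace")
    except zlib.error:  # POST binding: plain base64 of the XML
        return raw.decode("utf-8", "replace")


def classify_request(target):
    """Classify one request target (path plus query string)."""
    parts = urlsplit(target)
    if parts.path != "/saml/login":
        return "not_saml_login"
    qs = parse_qs(parts.query)
    if "SAMLRequest" not in qs:
        return "no_samlrequest_in_url"  # POST body not logged; inspect on the appliance
    xml = decode_saml_request(qs["SAMLRequest"][0])
    if xml is None or "AuthnRequest" not in xml:
        return "undecodable"
    return "ok" if ACS_RE.search(xml) else "missing_acs_url"


def triage_log(lines):
    """Return one finding per /saml/login request found in the log lines."""
    findings = []
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            continue
        verdict = classify_request(m["target"])
        if verdict != "not_saml_login":
            findings.append({"client": m["client"], "ts": m["ts"], "verdict": verdict})
    return findings


# --- constructed sample data -------------------------------------------------
_WITH_ACS = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_c1" Version="2.0" IssueInstant="2026-03-30T19:01:07Z" '
    'AssertionConsumerServiceURL="https://sp.example.test/acs"/>'
)
_WITHOUT_ACS = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_c2" Version="2.0" IssueInstant="2026-03-30T19:03:41Z"/>'
)


def _redirect_encode(xml):
    """Encode as a HTTP-Redirect-binding SAMLRequest (deflate, base64, URL-encode)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(xml.encode()) + comp.flush()
    return quote(base64.b64encode(data).decode(), safe="")


SAMPLE_LOG = [  # constructed; RFC 5737 documentation addresses
    f'198.51.100.7 - - [30/Mar/2026:12:01:07 -0700] "GET /saml/login?SAMLRequest={_redirect_encode(_WITH_ACS)}&RelayState=x HTTP/1.1" 302 0',
    f'203.0.113.10 - - [30/Mar/2026:12:03:41 -0700] "GET /saml/login?SAMLRequest={_redirect_encode(_WITHOUT_ACS)} HTTP/1.1" 200 734',
    '203.0.113.10 - - [30/Mar/2026:12:03:42 -0700] "POST /saml/login HTTP/1.1" 200 734',
    '192.0.2.5 - - [30/Mar/2026:12:04:00 -0700] "GET /vpn/index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print(finding)
```

A "missing_acs_url" finding is the pattern from the IoC table; "no_samlrequest_in_url" entries are POSTs the access log cannot inspect and should be correlated with appliance-side logs, and a burst of "undecodable" entries from one client is itself worth a look.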
Tenable Plugins:
Plugin ID | Plugin Title | Severity
303800 <https://www.tenable.com/plugins/nessus/303800> | NetScaler ADC and NetScaler Gateway Memory Overread (CTX696300 / CVE-2026-3055) | Critical
Recommended Actions:
Date Added to KEV Catalog: 03/30/2026
Due Date for Remediation: 04/02/2026
* Identify Exposure: Check if the NetScaler configuration contains the string 'add authentication samlIdPProfile' to determine if the appliance is in a vulnerable SAML IdP state
* Immediate Patching: Prioritize updating internet-facing NetScaler appliances to the fixed versions listed above
* Verify host has not been compromised before applying patches.
* Apply appropriate updates provided by the vendor to vulnerable systems after testing.
* Run all software as a non-privileged user to reduce the impact of a successful attack.
* Apply the Principle of Least Privilege to all systems and services.
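Exposure triage across a fleet combines the two checks above: is the running build below the fixed builds listed in this alert, and does the configuration contain 'add authentication samlIdPProfile'. The following is an added example, not part of the notification or of any Citrix tooling. It accepts builds in the alert's own "14.1-60.58" form and, as an assumption, a "NetScaler NS14.1: Build 60.52.nc" style string; builds on a 14.1 train the alert does not list (for example 14.1-62.x) are reported as "verify_with_vendor" rather than guessed. The sample ns.conf excerpt is constructed.

```python
"""Patch-level and SAML-IdP exposure triage for CVE-2026-3055.

Added example for this alert; not vendor code. The fixed builds are those
listed in the alert. Version-string formats beyond "BRANCH-TRAIN.MINOR" are an
assumption, and the sample configuration is constructed.
"""
import re

# branch -> {build train: first fixed minor build}, from the Fixed Versions list
FIXED_BUILDS = {
    "14.1": {60: 58, 66: 59},
    "13.1": {62: 23},
    "13.1-FIPS": {37: 262},
    "13.1-NDcPP": {37: 262},
}

VERSION_RE = re.compile(
    r"(?P<branch>\d+\.\d+)(?:-(?P<variant>FIPS|NDcPP))?-(?P<train>\d+)\.(?P<minor>\d+)"
)
IDP_PROFILE_STRING = "add authentication samlIdPProfile"


def parse_build(version):
    """Return (branch, train, minor) from an alert-style or show-version-style string."""
    # Assumed normalisation: "NS13.1: Build 62.22.nc" -> "13.1-62.22.nc"
    version = re.sub(r"NS(\d+\.\d+): Build (\d+\.\d+)", r"\1-\2", version)
    m = VERSION_RE.search(version)
    if not m:
        raise ValueError(f"unrecognised NetScaler build string: {version!r}")
    branch = m["branch"] + (f"-{m['variant']}" if m["variant"] else "")
    return branch, int(m["train"]), int(m["minor"])


def patch_status(version):
    """'fixed', 'vulnerable', 'verify_with_vendor' or 'unlisted_branch'."""
    branch, train, minor = parse_build(version)
    trains = FIXED_BUILDS.get(branch)
    if trains is None:
        return "unlisted_branch"
    if train in trains:
        return "fixed" if minor >= trains[train] else "vulnerable"
    if train < min(trains):
        return "vulnerable"  # older than every fixed train for this branch
    return "verify_with_vendor"  # train between or above listed fixed trains


def configured_as_saml_idp(ns_conf):
    """True if the config contains the string the alert says indicates IdP mode."""
    return IDP_PROFILE_STRING in ns_conf


def triage(version, ns_conf):
    """Combine build status and IdP configuration into a remediation priority."""
    status = patch_status(version)
    idp = configured_as_saml_idp(ns_conf)
    if status == "fixed":
        priority = "patched"
    elif status == "vulnerable" and idp:
        priority = "critical: vulnerable build configured as SAML IdP"
    elif status == "vulnerable":
        priority = "high: vulnerable build, IdP profile absent (patch regardless)"
    else:
        priority = "confirm build against vendor advisory"
    return {"build": version, "status": status, "saml_idp": idp, "priority": priority}


# Constructed ns.conf excerpt (RFC 5737 addresses); not from any real appliance.
SAMPLE_NS_CONF = """\
set ns config -IPAddress 192.0.2.10 -netmask 255.255.255.0
add authentication samlIdPProfile idp_prof -samlIdPCertName idpcert -samlSPCertName spcert
add authentication vserver auth_vs SSL 192.0.2.11 443
"""

if __name__ == "__main__":
    for build in ("14.1-60.52", "14.1-66.59", "NetScaler NS13.1: Build 62.22.nc"):
        print(triage(build, SAMPLE_NS_CONF))
```

Run it against the output of each appliance's version command and its saved configuration; anything reported as critical is an internet-facing candidate for the immediate patching step above, and the build should be confirmed again after the upgrade.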
Cyber Security Services
State of Oregon Cyber Security Services
Enterprise Information Services | SOC
Cyber Security Services (CSS)
SOC Hotline: (503) 378-5930 | SOC Services (503) 373-0378