Active exploitation of Citrix NetScaler ADC/Gateway memory disclosure vulnerability (CVE-2026-3055)

1 unique source, 1 article

Summary

A critical out-of-bounds read vulnerability in Citrix NetScaler ADC and NetScaler Gateway, tracked as CVE-2026-3055, is being actively exploited in the wild to leak sensitive information from appliance memory. The flaw, disclosed by Citrix on March 23, 2026, carries a CVSS v4.0 score of 9.3 and affects systems configured as SAML Identity Providers. Unauthenticated remote attackers exploit it by sending crafted SAMLRequest payloads that trigger memory overread conditions. Exploitation has been confirmed via honeypot activity since March 27, with evidence linking attacks to known malicious IPs. Impacted versions include NetScaler ADC/Gateway 14.1 before 14.1-66.59, 13.1 before 13.1-62.23, and NetScaler ADC FIPS/NDcPP before 13.1-37.262.
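A triage sketch for the affected-version and SAML IdP conditions above, added here as an example (not code from Citrix or the cited source). It assumes the build is read from `show version` output or a `train-build` string, and that an IdP role shows up in `ns.conf` as an `add authentication samlIdPProfile` line; the function names and sample inputs are constructed.

```python
import re

# First fixed build per release train, taken from the versions listed on this page.
# Key: (train, is_fips_or_ndcpp) -> (major build, minor build)
FIXED = {
    ("14.1", False): (66, 59),
    ("13.1", False): (62, 23),
    ("13.1", True): (37, 262),
}

# Accepts "14.1-66.59" as well as "NetScaler NS14.1: Build 66.59.nc".
VERSION_RE = re.compile(r"(\d+\.\d+)\s*[-:]\s*(?:Build\s+)?(\d+)\.(\d+)", re.I)
# Assumption: a SAML IdP role appears in ns.conf as this CLI command.
IDP_RE = re.compile(r"^\s*add\s+authentication\s+samlIdPProfile\b", re.I | re.M)


def parse_build(text):
    """Return (train, (major, minor)) parsed from a version string."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no NetScaler build found in {text!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def triage(version_text, ns_conf, fips=False):
    """Classify one appliance against the CVE-2026-3055 conditions."""
    train, build = parse_build(version_text)
    fixed = FIXED.get((train, fips))
    if fixed is None:
        return "unlisted-train"          # page gives no fixed build for it
    if build >= fixed:                   # numeric compare, so 62.9 < 62.23
        return "patched"
    if IDP_RE.search(ns_conf):
        return "exposed"                 # vulnerable build and SAML IdP role
    return "vulnerable-build-not-idp"    # still needs the update


if __name__ == "__main__":
    # Constructed sample inputs, not taken from a real appliance.
    conf = "add authentication samlIdPProfile idp_example -samlIssuerName idp.example.test\n"
    for ver, cfg, fips in [
        ("NetScaler NS14.1: Build 66.59.nc", conf, False),
        ("13.1-62.9", conf, False),
        ("13.1-37.100", "", True),
    ]:
        print(ver, "->", triage(ver, cfg, fips))
```

Appliances classified as `exposed` are the ones to patch first; `vulnerable-build-not-idp` means the page's exploitability condition is not met today, but the build is still below the fixed release.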

Timeline

  1. 30.03.2026 13:45 · 1 article

    Exploitation of Citrix NetScaler ADC/Gateway memory disclosure (CVE-2026-3055) confirmed in the wild

    CVE-2026-3055, a critical out-of-bounds read vulnerability in Citrix NetScaler ADC and NetScaler Gateway, is being actively exploited in the wild as of March 27, 2026. Unauthenticated remote attackers are exploiting the flaw by sending crafted SAMLRequest payloads to the /saml/login endpoint, triggering memory overread conditions that leak sensitive information via the NSC_TASS cookie. Exploitation has been observed in honeypot networks and attributed to known malicious IPs. The vulnerability affects only customer-managed appliances configured as SAML Identity Providers, with patches available for impacted versions 14.1 before 14.1-66.59 and 13.1 before 13.1-62.23.


Information Snippets

  • CVE-2026-3055 is a critical out-of-bounds read vulnerability in Citrix NetScaler ADC and NetScaler Gateway with a CVSS v4.0 score of 9.3.

    First reported: 30.03.2026 13:45
    1 source, 1 article
  • The vulnerability is exploitable only on NetScaler instances explicitly configured as a SAML Identity Provider (SAML IDP profile).

    First reported: 30.03.2026 13:45
    1 source, 1 article
  • Exploitation enables unauthenticated remote attackers to leak potentially sensitive information from appliance memory via crafted SAMLRequest payloads.

    First reported: 30.03.2026 13:45
    1 source, 1 article
  • Affected versions include NetScaler ADC/Gateway 14.1 before 14.1-66.59, 13.1 before 13.1-62.23, and NetScaler ADC FIPS/NDcPP before 13.1-37.262.

    First reported: 30.03.2026 13:45
    1 source, 1 article
  • Cloud-managed Citrix instances are not affected; only customer-managed appliances are vulnerable.

    First reported: 30.03.2026 13:45
    1 source, 1 article
  • Active exploitation of CVE-2026-3055 was confirmed via honeypot activity on March 27, 2026, with payloads targeting /saml/login and omitting AssertionConsumerServiceURL fields.

    First reported: 30.03.2026 13:45
    1 source, 1 article
  • Attackers leak memory contents via the NSC_TASS cookie during exploitation, with threat actor source IPs observed in honeypot telemetry.

    First reported: 30.03.2026 13:45
    1 source, 1 article