Critical Memory Overread Vulnerability in Citrix NetScaler Exploited
Severity: High (Score: 78.0)
Sources: support.citrix.com, Filestore.Fortinet, www.fortiguard.com
Keywords: netscaler, memory, cve-2026-3055, over, learn, citrix, overread
Severity indicators: CVE:CVE-2026-3055
Summary
Citrix NetScaler ADC and Gateway are affected by CVE-2026-3055, a critical vulnerability due to insufficient input validation during SAML authentication, leading to memory overread. Exploitation attempts have surged, with FortiGuard reporting over 2,000 blocked attacks daily, primarily targeting SAML services in sectors like Technology and Government. The vulnerability has a CVSS score of 9.3 and was added to CISA's Known Exploited Vulnerabilities catalog on March 30, 2026. Organizations using affected systems are at risk of credential exposure and unauthorized access. Citrix has urged customers to upgrade to patched versions immediately. The vulnerability was publicly disclosed on March 3, 2026, with a proof of concept released shortly before. The ongoing exploitation highlights the urgency for remediation.

Key Points:
- CVE-2026-3055 is a critical memory overread vulnerability in Citrix NetScaler.
- Over 2,000 daily exploitation attempts have been detected, primarily targeting SAML services.
- Affected organizations must upgrade to patched versions to mitigate risks of credential exposure.
Detailed Analysis
**Impact**

Organizations using Citrix NetScaler ADC and Gateway appliances configured as SAML Identity Providers or VPN/AAA servers are affected. Exploitation attempts exceed 2,000 daily, targeting sectors including Technology, Telecom, Automotive, MSSPs, and Government, with the highest attack volumes in Germany, Hong Kong, France, the United States, and Poland. Successful exploitation risks credential exposure, account compromise, and unauthorized internal access. The vulnerability has been added to CISA's Known Exploited Vulnerabilities catalog, indicating active in-the-wild exploitation.

**Technical Details**

The primary attack vector is crafted requests exploiting insufficient input validation during SAML authentication processing, causing memory overread (CVE-2026-3055, CVSS 9.3). Another vulnerability (CVE-2026-4368, CVSS 7.7) involves a race condition causing user session mixups on VPN or AAA-configured appliances. Exploitation involves unauthenticated access to exposed SAML endpoints, with automated scanning and exploitation originating from VPS providers, botnets, and anonymized networks. Indicators include configuration strings such as "add authentication samlIdPProfile" and "add vpn vserver" or "add authentication vserver" in NetScaler configurations.

**Recommended Response**

Apply the latest NetScaler ADC and Gateway updates: versions 14.1-60.58, 14.1-66.59, 13.1-62.23, and 13.1.37.262 or later. Inspect configurations for SAML IDP profiles and VPN/AAA virtual servers to identify vulnerable appliances. Deploy IPS signatures to detect and block CVE-2026-3055 exploitation attempts and monitor for anomalous traffic targeting SAML endpoints. Prioritize patching exposed systems to prevent credential leakage and unauthorized access.
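As an added example (not from the advisory, Citrix or Fortinet), the following Python triage check applies the two steps above to an exported ns.conf and a version string: it flags the configuration strings named as exposure indicators and compares the build against the fixed versions listed. The fixed-build table, the constructed sample configuration, and the reading of "or later" as a later build on the same 14.1/13.1 line are assumptions of this example.

```python
import re

# Fixed builds from the advisory, keyed by release branch. Assumption: "or later"
# means a later build on the same branch; the page's 13.1.37.262 is read as 13.1-37.262.
FIXED_BUILDS = {"14.1": [(60, 58), (66, 59)], "13.1": [(62, 23), (37, 262)]}

# Configuration strings the advisory names as exposure indicators.
EXPOSURE_PATTERNS = {
    "saml_idp": re.compile(r"^add authentication samlIdPProfile\b"),
    "vpn_vserver": re.compile(r"^add vpn vserver\b"),
    "aaa_vserver": re.compile(r"^add authentication vserver\b"),
}

# Constructed sample ns.conf excerpt (hypothetical object names and addresses).
SAMPLE_NS_CONF = """\
add authentication samlIdPProfile corp_idp -samlIdPCertName idp_cert
add vpn vserver vpn_gw SSL 10.0.0.10 443
add lb vserver web_lb HTTP 10.0.0.20 80
"""

def find_exposure(ns_conf: str) -> dict:
    """Map each matched indicator name to the config lines that triggered it."""
    hits = {}
    for line in map(str.strip, ns_conf.splitlines()):
        for name, pat in EXPOSURE_PATTERNS.items():
            if pat.search(line):
                hits.setdefault(name, []).append(line)
    return hits

def is_patched(version: str) -> bool:
    """True if a version such as '14.1-60.57' is at or past a fixed build."""
    m = re.fullmatch(r"(\d+\.\d+)-(\d+)\.(\d+)(?:\.\S*)?", version)
    if not m:
        raise ValueError(f"unrecognised NetScaler version: {version!r}")
    branch, major, minor = m.group(1), int(m.group(2)), int(m.group(3))
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        return False  # branch not covered by the advisory: treat as unpatched
    same_line = [fmin for fmaj, fmin in fixed if fmaj == major]
    if same_line:
        return minor >= min(same_line)
    return major > max(fmaj for fmaj, _ in fixed)  # later build line: assumed fixed

def assess(version: str, ns_conf: str) -> dict:
    exposure = find_exposure(ns_conf)
    patched = is_patched(version)
    verdict = ("not exposed" if not exposure else
               "exposed but patched" if patched else "exposed and unpatched")
    return {"version": version, "patched": patched, "exposure": exposure, "verdict": verdict}
```

Run `assess("14.1-60.57", SAMPLE_NS_CONF)` to see an exposed, unpatched verdict for the constructed sample; feed the real ns.conf text and the appliance's reported version in place of the constants.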
Source articles (5)
- Citrix NetScaler Memory Overread Vulnerability — Filestore.Fortinet · 2026-05-28
  Telemetry collected over the past 30 days shows sustained exploitation activity, with FortiGuard IPS sensors frequently detecting over 2,000 blocked CVE-2026-3055 attack attempts per day and peaks exc…
- Learn More » — support.citrix.com · 2026-05-29
  NetScaler ADC and NetScaler Gateway are affected by the vulnerabilities mentioned below: CVE-ID Description Pre-conditions CWE CVSS v4.0 CVE-2026-3055 Insufficient input validation leading to memory o…
- FortiADC DB 36.209 — www.fortiguard.com · 2026-05-29
- FortiAnalyzer — www.fortiguard.com · 2026-05-29
- FortiAnalyzer DB 2.00095 — www.fortiguard.com · 2026-05-29
Timeline
- 2026-03-23 — CVE-2026-3055 published: Citrix disclosed a critical vulnerability affecting NetScaler ADC and Gateway due to insufficient input validation.
- 2026-03-23 — CVE-2026-4368 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
- 2026-03-29 — First public PoC released: A proof of concept for CVE-2026-3055 was publicly disclosed, increasing the risk of exploitation.
- 2026-03-30 — CVE-2026-3055 added to CISA KEV catalog: CISA confirmed active exploitation of CVE-2026-3055 and added it to the Known Exploited Vulnerabilities catalog.
- 2026-05-25 — CVE-2026-3055 confirmed exploitation activity: Telemetry showed sustained exploitation attempts, with peaks over 2,700 daily events targeting vulnerable systems.
- 2026-05-29 — Citrix urges customers to upgrade: Citrix strongly recommended that customers upgrade to patched versions of NetScaler ADC and Gateway to mitigate risks.
CVEs
Related entities
- Zero-day Exploit (Attack Type)
- Citrix (Company)
- France (Country)
- Germany (Country)
- Poland (Country)
- United States (Country)
- CWE-125 - Out-of-bounds Read (CWE)
- CWE-200 - Exposure of Sensitive Information (CWE)
- CWE-20 - Improper Input Validation (CWE)
- CWE-362 - Race Condition (CWE)
- cloud.com (Domain)
- Automotive (Industry)
- Government (Industry)
- Technology (Industry)
- NetScaler (Platform)