March 25, 2026 · CyberTimes Security Team

CVE-2026-3055: Citrix NetScaler Critical Flaw Leaks Sensitive Memory — Patch Immediately Before Exploitation Begins


Severity: Critical
CVSS score: 9.3/10 (CVSS 4.0)
Exploited: No
Fix status: Check required
Who is affected: Enterprises running customer-managed NetScaler ADC or NetScaler Gateway with SAML IdP configuration enabled (CVE-2026-3055), or configured as SSL VPN, ICA Proxy, CVPN, RDP Proxy, or AAA virtual server (CVE-2026-4368). Citrix-managed cloud services have already been patched automatically.

Citrix has released emergency security patches for two vulnerabilities in NetScaler ADC and NetScaler Gateway, including a critical flaw that allows unauthenticated attackers to read sensitive data directly from the appliance's memory. CVE-2026-3055 carries a CVSS 4.0 score of 9.3 and affects appliances configured as SAML Identity Providers. CVE-2026-4368, scored 7.7, is a race condition that enables session hijacking on Gateway- and AAA-configured appliances. The patches were released on March 23, 2026. No active exploitation has been confirmed yet, but the research community is treating this as a pre-exploitation window: not a question of whether attacks will come, but how quickly. watchTowr CEO Benjamin Harris described imminent exploitation as highly likely and drew direct comparisons to Citrix Bleed, one of the most damaging enterprise network security incidents of recent years.


Affected products

  • NetScaler ADC and NetScaler Gateway 14.1 before 14.1-66.59
  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-62.23
  • NetScaler ADC 13.1-FIPS and 13.1-NDcPP before 13.1-37.262

How to Fix

Step-by-step remediation

1. Determine whether the appliance is actually affected. For CVE-2026-3055, log into the NetScaler management interface and inspect the running configuration for the string add authentication samlIdPProfile .* ; if it is present, the appliance is configured as a SAML IdP and is affected (an appliance acting only as a SAML service provider does not match this test). For CVE-2026-4368, look for add authentication vserver .* or add vpn vserver .* ; the presence of either means the Gateway or AAA configuration is affected.

2. Once exposure is confirmed, patch immediately by upgrading to the fixed build for your branch: 14.1-66.59, 13.1-62.23, or 13.1-37.262 for the FIPS and NDcPP lines. The patches are available through Citrix's support portal.

3. If you are running an unsupported legacy version, upgrade to a supported release first. Citrix does not provide patches for end-of-life versions.

4. Citrix-managed cloud deployments have already been updated automatically and require no action.

5. After patching, review the NetScaler access logs for the past 30 days for anomalous unauthenticated HTTP requests to SAML IdP endpoints. Given the history of NetScaler vulnerabilities being exploited before public disclosure, pre-patch exploitation cannot be ruled out.
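The exposure check described in the steps above, applied to an exported configuration, as an added Python example that is not Citrix's tooling and not part of the original article. It assumes the running configuration has been saved to a file (for instance /nsconfig/ns.conf, or the output of show ns runningConfig), that the first line carries a "#NS<branch> Build <major>.<minor>" header (an assumption made for this example; verify it against a real export), and that the caller selects the FIPS/NDcPP fixed build with fips=True, since the config text alone does not identify that line. The sample configs are constructed, not captured from real appliances.

```python
import re

# Fixed builds from the Citrix advisory, branch -> minimum fixed build.
# NetScaler writes builds as "<branch>-<major>.<minor>", e.g. 14.1-66.59.
FIXED_BUILDS = {
    "14.1": (66, 59),
    "13.1": (62, 23),
    "13.1-FIPS": (37, 262),  # 13.1-FIPS and 13.1-NDcPP share this line
}

# The two configuration tests from the advisory, anchored to line starts so
# that "bind ..." lines and SP-side "samlAction" objects do not match.
SAML_IDP_RE = re.compile(r"^add authentication samlIdPProfile\b", re.M)
GATEWAY_AAA_RE = re.compile(r"^add (?:authentication|vpn) vserver\b", re.M)

# ns.conf header line. The "#NS<branch> Build <major>.<minor>" format is an
# assumption made for this example; check it against a real export.
VERSION_RE = re.compile(r"^#NS(\d+\.\d+) Build (\d+)\.(\d+)", re.M)


def parse_version(conf_text):
    """Return (branch, (major, minor)) from the config header, or (None, None)."""
    m = VERSION_RE.search(conf_text)
    if not m:
        return None, None
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def assess(conf_text, fips=False):
    """Decide which of the two CVEs a config is exposed to and what to do next.

    fips=True compares a 13.1 build against the 13.1-FIPS/NDcPP fixed build
    instead of the regular 13.1 one (the caller must know which line it runs).
    """
    branch, build = parse_version(conf_text)
    key = "13.1-FIPS" if fips and branch == "13.1" else branch
    fixed = FIXED_BUILDS.get(key)
    patched = fixed is not None and build is not None and build >= fixed

    saml_idp = bool(SAML_IDP_RE.search(conf_text))
    gateway_aaa = bool(GATEWAY_AAA_RE.search(conf_text))

    exposed = []
    if not patched:
        if saml_idp:
            exposed.append("CVE-2026-3055")
        if gateway_aaa:
            exposed.append("CVE-2026-4368")

    if fixed is None:
        action = "unsupported or unrecognised branch: upgrade to a supported release first"
    elif patched:
        action = "fixed build present: review 30 days of access logs for pre-patch activity"
    elif exposed:
        action = "upgrade to %s-%d.%d now" % (branch, fixed[0], fixed[1])
    else:
        action = "no SAML IdP, Gateway or AAA vserver configured: not exposed to these CVEs, upgrade on schedule"

    return {
        "branch": branch, "build": build, "fixed": fixed, "patched": patched,
        "saml_idp": saml_idp, "gateway_aaa": gateway_aaa,
        "exposed": exposed, "action": action,
    }


# Constructed sample configs (not captured from real appliances).
SAMPLE_VULNERABLE = """#NS14.1 Build 60.1
add authentication samlIdPProfile idp_prof -samlIdPCertName idp_cert
add authentication vserver aaa_vs SSL 10.0.0.5 443
add vpn vserver gw_vs SSL 10.0.0.6 443
"""

SAMPLE_PATCHED = """#NS14.1 Build 66.59
add authentication samlIdPProfile idp_prof -samlIdPCertName idp_cert
add vpn vserver gw_vs SSL 10.0.0.6 443
"""

# SAML service-provider role only: samlAction must not trip the IdP test.
SAMPLE_SP_ONLY = """#NS13.1 Build 58.10
add authentication samlAction sp_act -samlIdPCertName idp_cert
add lb vserver web_vs SSL 10.0.0.7 443
"""

SAMPLE_FIPS_OLD = """#NS13.1 Build 37.250
add authentication samlIdPProfile idp_prof -samlIdPCertName idp_cert
"""

# End-of-life branch: no fixed build exists, so it can only be "upgrade first".
SAMPLE_EOL = """#NS12.1 Build 65.25
add vpn vserver gw_vs SSL 10.0.0.6 443
"""

if __name__ == "__main__":
    cases = [("vulnerable", SAMPLE_VULNERABLE, False), ("patched", SAMPLE_PATCHED, False),
             ("sp-only", SAMPLE_SP_ONLY, False), ("fips", SAMPLE_FIPS_OLD, True),
             ("eol", SAMPLE_EOL, False)]
    for name, conf, fips in cases:
        r = assess(conf, fips=fips)
        print(f"{name:10} {r['branch']}-{r['build']} exposed={r['exposed']} -> {r['action']}")
```

The line anchors in the two patterns are the point worth keeping: only add lines define objects, and a samlAction (NetScaler acting as a SAML service provider) is outside the scope of CVE-2026-3055 as the advisory describes it, so it must not be counted as exposure. Run assess over every appliance's saved config, including HA secondaries, rather than the one you happen to be logged into.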


What happened

CVE-2026-3055 is an out-of-bounds read caused by insufficient input validation in NetScaler's SAML Identity Provider implementation. When an unauthenticated attacker sends a crafted request to an appliance configured as a SAML IdP, the appliance reads beyond the bounds of allocated memory and returns raw memory contents that may include session tokens, credentials, cryptographic keys, or other sensitive data held in the appliance's working memory. This is the same class of vulnerability as Citrix Bleed (CVE-2023-4966), one of the most exploited vulnerabilities of 2023, which let attackers steal session tokens and bypass authentication entirely on thousands of enterprise NetScaler deployments globally.

CVE-2026-3055 requires the SAML IdP configuration to be active, which is not the default state. SAML IdP is nonetheless extremely common in enterprise environments because it powers single sign-on integrations with Microsoft, Google, Okta, and virtually every major identity provider.

The second vulnerability, CVE-2026-4368, is a race condition in appliances configured as SSL VPN gateways, ICA Proxies, CVPN, RDP Proxies, or AAA virtual servers. A low-privilege attacker who wins the timing window can cause a session mixup, accessing another user's active session and inheriting that user's identity and access rights within it. Where NetScaler Gateway is the entry point to the corporate network, this is a significant risk to data and network security.

Real-World Impact

NetScaler is not a peripheral enterprise product. It sits at the network perimeter as the primary application delivery controller and VPN gateway for thousands of large organisations globally. A successful exploit of CVE-2026-3055 against a SAML IdP-configured NetScaler gives an attacker raw memory contents from the device that processes every SSO authentication across the enterprise. Leaked memory can contain active session tokens that allow authentication bypass, cryptographic material that enables decryption of protected communications, and credential fragments from recently processed authentication requests.

watchTowr explicitly compared CVE-2026-3055 to Citrix Bleed and Citrix Bleed 2, both of which were weaponised rapidly after disclosure and used by ransomware groups and nation-state actors to gain initial access to enterprise networks at scale. NetScaler has a documented exploitation history: four previous vulnerabilities (CVE-2023-4966, CVE-2025-5777, CVE-2025-6543, and CVE-2025-7775) were all exploited in the wild. The combination of a critical CVSS score, a well-understood vulnerability class, a history of rapid exploitation, and NetScaler's widespread deployment as perimeter infrastructure makes this patch an emergency priority for every affected organisation.

Technical Details

CVE-2026-3055 was identified internally by Cloud Software Group through its ongoing security review programme; no external researcher or threat actor discovery is attributed. The vulnerability class is CWE-125 (Out-of-Bounds Read), CVSS 4.0 base score 9.3. Exploitation requires no authentication and no user interaction, only network access to the appliance over HTTP or HTTPS, and is conditional on the SAML IdP configuration being active. CVE-2026-4368 is CWE-362 (Race Condition), CVSS 4.0 score 7.7; it requires low privileges and winning a timing window to trigger the session mixup. No public proof-of-concept exploit exists as of March 24, 2026. Rapid7, watchTowr, and Arctic Wolf have all independently assessed exploitation as highly likely once a PoC is developed, a process that typically takes hours to days for a well-understood vulnerability class such as out-of-bounds memory reads in a widely deployed enterprise appliance.

🛡️ Prevention Tips

From a defensive perspective, the NetScaler vulnerability pattern reveals a recurring structural problem: perimeter devices that process authentication for thousands of users are extremely high-value targets and require an aggressive patch cadence. CVE-2026-3055 was identified internally by Citrix through its security review programme, which means it was not discovered by attackers first, this time. Previous NetScaler flaws were exploited in the wild before patches were available. The practical lesson for every enterprise running NetScaler is that Citrix patches must be treated as emergency updates applied within 24 to 48 hours of release, not scheduled into the next monthly maintenance window. Restricting management interface access to internal networks only, segmenting the network around NetScaler appliances, and monitoring for anomalous SAML IdP requests are baseline controls that should be in place regardless of patch status.


FAQs

How do I check if my NetScaler is affected by CVE-2026-3055?

Log into your NetScaler management interface and search the running configuration for the string add authentication samlIdPProfile .* ; if it appears, the appliance is configured as a SAML IdP and is vulnerable until patched. If it is absent, the appliance is not acting as a SAML IdP and is not affected by this specific CVE, although it may still be affected by CVE-2026-4368 if authentication or VPN virtual servers are configured.


Is this another Citrix Bleed?

CVE-2026-3055 is in the same vulnerability class as Citrix Bleed: an unauthenticated out-of-bounds memory read that can expose sensitive data, including session tokens. The key difference is that Citrix Bleed required no special configuration to be exploitable, while CVE-2026-3055 requires the SAML IdP configuration. In enterprise environments, however, SAML IdP is extremely common, and the research community treats the exploitation risk as comparable.

