
CitrixBleed Redux: New NetScaler zero‑day allows session hijacking

Posted on 21 April 2026

What happened?

NCSC has issued an alert about recently disclosed vulnerabilities that affect Citrix NetScaler ADC and Citrix NetScaler Gateway, including CVE‑2026‑3055, that have been actively exploited in the wild within days of becoming public.

CVE‑2026‑3055 carries a CVSS score of 9.3 and is of particular concern. It is a memory over‑read vulnerability affecting NetScaler appliances that act as SAML IDPs and run versions before 14.1‑60.58, 13.1‑62.23, or FIPS/NDcPP 13.1‑37.262. An attacker triggers it by sending specially crafted requests that include certain parameters but provide no values; instead of rejecting the request, the appliance returns fragments of memory. Testing shows that repeated requests return different pieces of data, some of which are highly sensitive, including authenticated administrative session IDs, which could give attackers instant access without credentials.

CISA has added the vulnerability to the Known Exploited Vulnerabilities (KEV) catalogue and approximately 30,000 known affected NetScaler systems remain exposed to the internet at the time of writing.

So what?

These vulnerabilities follow the same pattern as previous Citrix memory‑exposure issues, such as CitrixBleed, and demonstrate similar risks; NetScaler appliances are often crucial parts of authentication and remote access processes, and their internet-facing nature makes weaknesses in these components even more dangerous.

This highlights several significant consequences, the most important of which is the substantial risk of sensitive data leakage; memory exposure can reveal administrative session tokens, credentials and other authentication artefacts, which can increase the likelihood of wider compromise, with leaked data potentially enabling attackers to escalate access or move laterally within compromised networks.

Exploitation relies on the appliance being configured as a SAML IDP, meaning attackers may be able to interfere with identity flows or impersonate users, putting the underlying identity infrastructure at risk.

Concerningly, reports suggest that the exploitation of this vulnerability is also notably simple, requiring only minimal input and no credentials, specialist tools or complex payloads. This ease of use, combined with rapid attacker activity, meant that reconnaissance and exploitation began within days of disclosure, significantly shortening the response window for defenders.

What should I do?

The most urgent priority is to apply the Citrix patches by updating to a fixed version without delay; treat SAML IDP deployments as the highest priority, as exploitation requires this configuration.

Investigate for signs of exploitation by reviewing:

  • any requests to /saml/login or /wsfed/passive with missing parameters,
  • probing of /cgi/GetAuthMethods, and
  • unexpected NSC_TASS cookies in logs.
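
A first-pass triage of the three indicators above, as an added example rather than code from NCSC, Citrix or this post. The log layout, the sample lines and the parameter name "param" are constructed; every NSC_TASS cookie is surfaced for analyst review because the post does not define which ones are unexpected.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed layout (constructed): ip [time] "METHOD target PROTO" status "Cookie header"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) "(?P<cookie>[^"]*)"'
)
SAML_PATHS = {"/saml/login", "/wsfed/passive"}   # endpoints named in the post
PROBE_PATH = "/cgi/getauthmethods"               # compared case-insensitively

def classify(line):
    """Return (ip, time, path, findings) for a suspicious line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    path = url.path.rstrip("/").lower()
    findings = []
    if path in SAML_PATHS:
        # keep_blank_values=True keeps both "name" and "name=" as empty values
        empty = [k for k, v in parse_qsl(url.query, keep_blank_values=True) if v == ""]
        if empty:
            findings.append("empty-parameter:" + ",".join(empty))
    if path == PROBE_PATH:
        findings.append("auth-method-probe")
    if "NSC_TASS=" in m["cookie"]:
        # The post does not say which cookies are unexpected; surface all for review
        findings.append("nsc-tass-cookie")
    return (m["ip"], m["ts"], path, findings) if findings else None

def triage(lines):
    """Classify every line and keep only the ones with findings."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample lines; "param" is a placeholder, not a real parameter name
SAMPLE = [
    '203.0.113.7 [21/Apr/2026:09:14:02 +0000] "GET /saml/login?param HTTP/1.1" 200 "-"',
    '203.0.113.7 [21/Apr/2026:09:14:03 +0000] "GET /wsfed/passive?param= HTTP/1.1" 200 "-"',
    '198.51.100.4 [21/Apr/2026:09:15:10 +0000] "GET /cgi/GetAuthMethods HTTP/1.1" 200 "-"',
    '192.0.2.10 [21/Apr/2026:09:16:00 +0000] "POST /saml/login?param=value HTTP/1.1" 302 "NSC_TASS=abc"',
    '192.0.2.11 [21/Apr/2026:09:17:00 +0000] "GET /vpn/index.html HTTP/1.1" 200 "-"',
]

if __name__ == "__main__":
    for ip, ts, path, findings in triage(SAMPLE):
        print(ts, ip, path, ";".join(findings))
```

Empty parameters sent in a POST body do not appear in an access log, so request-body logging or a packet capture is needed to cover that case.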

Refresh identity and administrative credentials by invalidating active sessions, rotating administrative passwords and verifying the integrity of SAML settings and trust relationships.

Consider limiting the attack surface where possible by restricting external access to identity endpoints, strengthening monitoring for malformed or empty‑parameter requests and filtering such requests at reverse proxies or firewalls.

Continue to monitor for further updates from Citrix.
