A recently disclosed critical security flaw impacting Citrix NetScaler ADC and NetScaler Gateway is witnessing active reconnaissance activity, according to Defused Cyber and watchTowr.
The vulnerability, CVE-2026-3055 (CVSS score: 9.3), refers to a case of insufficient input validation leading to memory overread, which an attacker could exploit to leak potentially sensitive information.
Per Citrix, successful exploitation of the flaw hinges on the appliance being configured as a SAML Identity Provider (SAML IDP).
“We are now observing auth method fingerprinting activity against NetScaler ADC/Gateway in the wild,” Defused Cyber said in a post on X. “Attackers are probing /cgi/GetAuthMethods to enumerate enabled authentication flows in our Citrix honeypots.”
This is likely an attempt on the part of threat actors to determine if NetScaler ADC and NetScaler Gateway are indeed configured as a SAML IDP.
In a similar warning, watchTowr said it has detected active reconnaissance against NetScaler instances in its honeypot network, raising the possibility that in-the-wild exploitation can happen anytime.
“Organizations running affected Citrix NetScaler versions in affected configurations need to drop tools and patch immediately,” the company said. “When attacker reconnaissance shifts to active exploitation, the window to respond will evaporate.”
The vulnerability affects NetScaler ADC and NetScaler Gateway versions before 14.1-60.58, 14.1 before 14.1-66.59, and 13.1 before 13.1-62.23, as well as NetScaler ADC 13.1-FIPS and 13.1-NDcPP before 13.1-37.262.
In recent years, a number of security vulnerabilities affecting NetScaler have come under active exploitation in the wild. These include CVE-2023-4966 (Citrix Bleed), CVE-2025-5777 (Citrix Bleed 2), CVE-2025-6543, and CVE-2025-7775.
It’s therefore crucial that users move quickly to the latest updates as soon as possible to stay protected, as it’s a matter of not if, but when.
Update
The vulnerability has since come under active exploitation in the wild, with Defused Cyber noting that “attackers send crafted SAMLRequest payloads to /saml/login omitting the AssertionConsumerServiceURL field, triggering the appliance to leak memory contents via the NSC_TASS cookie.” According to watchTowr, exploitation attempts have originated from known threat actor source IPs as of March 27, 2026.
In an analysis published last week, watchTowr said the vulnerability can be exploited to return sensitive data left over from a previous request in memory via NSC_TASS when sending a request to the “/saml/login” endpoint. When the same request is sent to a patched instance, the response is: “Parsing of presented Assertion failed; Please contact your administrator.”
Further investigation has revealed that CVE-2026-3055 refers to not one singular memory overread vulnerability, but distinct ones that affect the following endpoints –
- /saml/login
- /wsfed/passive?wctx
For exploitation to occur, a “wctx” query string parameter needs to be present in the HTTP request, but without any value and lacking the “=” symbol.
“An unpatched/vulnerable Citrix NetScaler will mistakenly check only for its presence before accessing the buffer associated with the variable, rather than checking for the presence of associated data,” watchTowr researcher Aliz Hammond said. “Since there is no actual value in the request, it just points to dead memory.”
“If the target Citrix NetScaler is vulnerable, it’ll leak memory all over the place and look like a crime scene. This memory arrives, yet again, Base64-encoded in the very same NSC_TASS cookie we discussed before, but without any of the limitations of the ‘other’ vulnerability patched within CVE-2026-3055.”
(The story was updated after publication on March 30, 2026, to include additional details of the flaw.)
About The Author
Original post here
