CVE-2026-3055: Citrix NetScaler Is Being Scoped Right Now — Patch Before It Gets Worse

If you're running Citrix NetScaler ADC or Gateway as a SAML Identity Provider, someone is already knocking on your door. They just haven't kicked it in yet.

That's the situation as of this morning. Threat intelligence firms watchTowr and Defused Cyber are both reporting active reconnaissance against internet-facing NetScaler instances targeting CVE-2026-3055 — a memory overread bug that scored a CVSS 9.3 and requires zero authentication to probe.

The exploit window isn't open yet. But based on how this reconnaissance is being conducted, it's close.

What the Vulnerability Is

CVE-2026-3055 is a case of insufficient input validation in the NetScaler SAML IdP processing path. Feed it a malformed request, and the appliance reads memory it shouldn't — potentially leaking sensitive data from the process.

The catch: your appliance has to be configured as a SAML Identity Provider for this to work. That sounds like a narrow condition, but it's not. NetScaler-as-IdP is exactly the configuration enterprises use when they want NetScaler to be the authentication authority that federated cloud services trust, with the cloud side (Microsoft Entra ID, formerly Azure AD, Okta, Google Workspace) acting as the SAML service provider. If your organization uses NetScaler to broker authentication to cloud services in that direction, there's a decent chance you're running this config. An appliance configured only as a SAML service provider (where Okta or Entra ID is the IdP) is not in the affected configuration, so check which role yours plays rather than assuming.

Citrix hasn't published an exact count of exposed instances, but SAML IdP on NetScaler is common enough that the attack surface here is substantial.

What Attackers Are Already Doing

Defused Cyber flagged it first on X: "We are now observing auth method fingerprinting activity against NetScaler ADC/Gateway in the wild. Attackers are probing /cgi/GetAuthMethods to enumerate enabled authentication flows in our Citrix honeypots."

watchTowr confirmed the same thing through its Attacker Eye honeypot network. Threat actors are sending HTTP POST requests to `/cgi/GetAuthMethods` on exposed NetScaler instances. The goal isn't exploitation — not yet. They're building a list.

The logic is straightforward: if a NetScaler responds to that endpoint with SAML in its authentication menu, it's a viable target for CVE-2026-3055. If it doesn't, move on. This kind of programmatic filtering means attackers are efficiently culling a target list of vulnerable configurations before they launch the actual attack wave. When they flip the switch, they'll know exactly which instances to hit.

watchTowr put it plainly: "Organizations running affected Citrix NetScaler versions in affected configurations need to drop tools and patch immediately. When attacker reconnaissance shifts to active exploitation, the window to respond will evaporate."

That's not hyperbole. It's an accurate description of how these campaigns work.

The CitrixBleed Shadow

The security community keeps reaching for the same comparison, and it's warranted. CVE-2023-4966, known as CitrixBleed, was another unauthenticated memory disclosure in NetScaler. Before most customers had patched, nation-state groups and ransomware affiliates had already extracted session tokens at scale and replayed them to bypass authentication, MFA included. Healthcare systems, financial institutions, critical infrastructure: all hit before the patching cycle caught up.

This isn't CitrixBleed. But the attack profile rhymes. Unauthenticated. Memory leak. CVSS in the 9s. Active reconnaissance visible in honeypots. The industry has seen this movie before, and the middle act involves widespread exploitation of organizations that thought they had more time.

For what it's worth, this is at least the fifth serious NetScaler vulnerability since 2023. CVE-2023-4966, CVE-2025-5777 (the memory overread dubbed CitrixBleed 2), CVE-2025-6543, and CVE-2025-7775 all came before this one. If your patch cadence for NetScaler isn't well-established by now, that's a gap worth closing on its own.

Affected Versions and What to Do

Citrix has released patches. The affected version ranges are:

  • NetScaler ADC and NetScaler Gateway 14.1: versions before 14.1-66.59
  • NetScaler ADC and NetScaler Gateway 13.1: versions before 13.1-62.23
  • NetScaler ADC 13.1-FIPS and 13.1-NDcPP: versions before 13.1-37.262

Check your appliance version (`show ns version` on the NetScaler CLI, or the System node in the GUI). If you're in one of those ranges, updating should be happening right now, not scheduled for next week's maintenance window. Note that the 13.1-FIPS and 13.1-NDcPP builds have their own fixed build number; don't compare a FIPS appliance against the mainline 13.1 threshold.
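A small version check against the fixed builds listed above, as an added example (not Citrix's tooling and not from the original article). It assumes the `major.minor-build.sub` version string format and a `show ns version` output line of the form `NetScaler NSxx.y: Build bb.ss.nc, ...`; the sample output line is constructed, and the FIPS/NDcPP distinction is passed in by the caller because the version string alone does not carry it.

```python
import re
from typing import Optional

# Fixed builds as listed in the Citrix advisory quoted in this article.
# Key: (release branch, is FIPS/NDcPP build).
FIXED_BUILDS = {
    ("14.1", False): "14.1-66.59",
    ("13.1", False): "13.1-62.23",
    ("13.1", True): "13.1-37.262",
}

# NetScaler version strings look like "14.1-66.59": major.minor-build.sub
VERSION_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")

# Assumed shape of the first line of `show ns version` output, e.g.
# "NetScaler NS14.1: Build 66.59.nc, Date: ...". Adjust if your build differs.
SHOW_VERSION_RE = re.compile(r"NS(\d+\.\d+): Build (\d+)\.(\d+)")


def parse_version(version: str) -> tuple:
    """Turn '14.1-66.59' into (14, 1, 66, 59) so tuples compare numerically."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognized NetScaler version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def release_branch(version: str) -> str:
    major, minor, _, _ = parse_version(version)
    return f"{major}.{minor}"


def version_from_show_output(text: str) -> str:
    """Extract a normalized 'major.minor-build.sub' string from `show ns version` text."""
    m = SHOW_VERSION_RE.search(text)
    if not m:
        raise ValueError("could not find a NetScaler build line in the output")
    branch, build, sub = m.groups()
    return f"{branch}-{build}.{sub}"


def is_vulnerable(version: str, fips_or_ndcpp: bool = False) -> Optional[bool]:
    """True if the build predates the fix, False if fixed, None if the branch is
    not covered by the advisory list above (treat None as 'go read the advisory',
    not as 'safe')."""
    fixed = FIXED_BUILDS.get((release_branch(version), fips_or_ndcpp))
    if fixed is None:
        return None
    return parse_version(version) < parse_version(fixed)


if __name__ == "__main__":
    # Constructed sample of the interesting line from `show ns version`.
    sample = "NetScaler NS14.1: Build 66.58.nc, Date: Jan 1 2026, 00:00:00   (64-bit)"
    v = version_from_show_output(sample)
    print(v, "vulnerable:", is_vulnerable(v))
```

The branch lookup is deliberate: a 13.1-FIPS appliance on build 37.200 must be compared against 13.1-37.262, and comparing it against 13.1-62.23 would wrongly flag it even after it is patched.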

After patching, pull your logs. Look for POST requests to `/cgi/GetAuthMethods` from external IPs. Keep in mind that legitimate Citrix clients also call this endpoint as part of a normal login, so a single hit is not proof of hostile intent; the signal is sources that probe it and never go on to log in, bursts from many unrelated addresses, or scanner-style User-Agents. If you're seeing those, someone has already scoped your instance. That doesn't mean exploitation occurred (the current campaign is still in the reconnaissance phase), but it tells you that your appliance showed up on someone's list.
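The hunt described above, run over a handful of constructed log lines, as an added example that is not part of the original article or of watchTowr's or Defused Cyber's tooling. It assumes requests exported in Apache/NCSA combined format (NetScaler's own web logging and syslog formats differ, so the regex is the part to adapt), treats `/cgi/login` as the follow-on request a real client makes after discovering its auth methods, and treats only RFC 1918 space as internal; all three are assumptions for this illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Address space treated as "internal" for the hunt. RFC 1918 only; add your own
# ranges (VPN pools, partner links) before running this against real logs.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

PROBE_PATH = "/cgi/GetAuthMethods"   # endpoint attackers are fingerprinting
LOGIN_PATH = "/cgi/login"            # assumed follow-on request from a real client

# Combined log format. Constructed for this example: adapt to your export format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample: two recon-only external sources, one real client that goes
# on to log in, and one internal probe (likely your own scanner or help desk).
SAMPLE_LOG = """\
203.0.113.7 - - [15/Jan/2026:08:01:12 +0000] "POST /cgi/GetAuthMethods HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [15/Jan/2026:08:01:13 +0000] "GET /vpn/index.html HTTP/1.1" 200 2048 "-" "python-requests/2.31"
198.51.100.23 - - [15/Jan/2026:08:05:40 +0000] "POST /cgi/GetAuthMethods HTTP/1.1" 200 512 "-" "CitrixReceiver/24.1"
198.51.100.23 - - [15/Jan/2026:08:05:41 +0000] "POST /cgi/login HTTP/1.1" 302 0 "-" "CitrixReceiver/24.1"
10.20.30.40 - - [15/Jan/2026:08:10:00 +0000] "POST /cgi/GetAuthMethods HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.200 - - [15/Jan/2026:08:12:09 +0000] "POST /cgi/GetAuthMethods?x=1 HTTP/1.1" 200 512 "-" "Go-http-client/1.1"
"""


def is_internal(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparseable source: treat as external so it is not silently dropped
    return any(addr in net for net in INTERNAL_NETS)


def summarize_probes(lines):
    """Per source IP: how often it POSTed to GetAuthMethods, whether it later
    POSTed to the login endpoint, whether it is external, and the User-Agents seen."""
    stats = defaultdict(lambda: {"probes": 0, "logged_in": False,
                                 "external": True, "user_agents": set()})
    logins = set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, method = m["ip"], m["method"]
        path = m["path"].split("?", 1)[0]   # ignore query-string variations
        if method == "POST" and path == PROBE_PATH:
            s = stats[ip]
            s["probes"] += 1
            s["external"] = not is_internal(ip)
            s["user_agents"].add(m["ua"])
        elif method == "POST" and path == LOGIN_PATH:
            logins.add(ip)
    for ip, s in stats.items():
        s["logged_in"] = ip in logins
    return dict(stats)


def recon_only_sources(lines):
    """External sources that fingerprinted auth methods and never logged in."""
    return sorted(ip for ip, s in summarize_probes(lines).items()
                  if s["external"] and not s["logged_in"])


if __name__ == "__main__":
    for ip, s in summarize_probes(SAMPLE_LOG.splitlines()).items():
        print(ip, s["probes"], "login" if s["logged_in"] else "no-login", sorted(s["user_agents"]))
    print("recon-only:", recon_only_sources(SAMPLE_LOG.splitlines()))
```

Feed the real export in through `recon_only_sources(open(path))`; the list it returns is the set of addresses worth cross-referencing with watchTowr's and Defused Cyber's published indicators and with your own blocklists.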

The Practical Ask

This is the kind of vulnerability that gets treated like a scheduled patch until it becomes an incident. Don't do that.

If NetScaler is part of your SSO path, it's sitting in front of everything. A memory leak from an authentication appliance can expose session data, tokens, or credentials that cascade through your entire identity stack. The blast radius is high.

Patch first. Hunt for the `/cgi/GetAuthMethods` probes second. Review your SAML IdP exposure third.

The reconnaissance phase is what you have left. Use it.
