Citrix NetScaler SAML IDP Vulnerability (CVE-2026-3055): Large-Scale Exploitation Confirmed by Fortinet

A critical memory overread vulnerability in Citrix NetScaler ADC and NetScaler Gateway, tracked as CVE-2026-3055, allows unauthenticated remote code execution when the appliance is configured as a SAML Identity Provider. The vulnerability carries a CVSS score of 9.8 and large-scale active exploitation has been confirmed by Fortinet’s threat intelligence team. Organisations running NetScaler appliances with SAML IDP functionality enabled are at immediate risk.

What Is the Vulnerability?

CVE-2026-3055 is an out-of-bounds read vulnerability caused by insufficient input validation in NetScaler ADC and NetScaler Gateway when operating as a SAML Identity Provider (IDP). A remote attacker can send specially crafted SAML-related requests to the appliance, triggering a memory overread condition that can be exploited for arbitrary code execution.

Citrix NetScaler appliances serve as the primary remote access and application delivery gateway for thousands of organisations worldwide — they sit at the network perimeter handling VPN termination, load balancing, and SAML-based single sign-on authentication. The SAML IDP functionality is the component that issues SAML assertions to authenticate users to downstream applications. A compromise at this layer allows an attacker to forge SAML assertions, impersonate any user, intercept authentication traffic, and establish persistent access to internal applications.

The vulnerability is classified under CWE-125 (Out-of-Bounds Read):

  • CVSS v3.1 Score: 9.8 (Critical)
  • Attack Vector: Network (AV:N)
  • Attack Complexity: Low (AC:L)
  • Privileges Required: None (PR:N)
  • User Interaction: None (UI:N)
  • Impact: High on confidentiality, integrity, and availability (C:H/I:H/A:H)

Which Versions Are Affected?

The vulnerability affects all Citrix NetScaler ADC and NetScaler Gateway versions prior to the fixed releases:

  • NetScaler ADC (standard builds): all versions prior to 13.1-62.23
  • NetScaler ADC (standard builds, 14.x branch): all versions prior to 14.1-60.58
  • NetScaler ADC (FIPS builds): all versions prior to 13.1-37.262
  • NetScaler ADC (NDcPP builds): all versions prior to 13.1-37.262
  • NetScaler Gateway (standard): all versions prior to 13.1-62.23
  • NetScaler Gateway (14.x branch): all versions prior to 14.1-60.58

The vulnerability is exploitable only when NetScaler is configured as a SAML Identity Provider. However, even if you believe SAML IDP is not configured, verify this explicitly — the feature may be enabled inadvertently or as part of a broader configuration template.

Is It Being Exploited in the Wild?

Yes — confirmed large-scale active exploitation. Fortinet’s threat intelligence team has reported large-scale exploitation of CVE-2026-3055 against internet-facing NetScaler appliances configured as SAML IDPs. This follows the well-established pattern of NetScaler vulnerabilities being among the most aggressively exploited in the wild. Historical precedent is unambiguous: CVE-2023-4966 (CitrixBleed) and CVE-2023-3519 were both weaponised within days of disclosure and used in widespread ransomware and data theft campaigns against thousands of organisations globally. NetScaler appliances are routinely targeted by both financially motivated ransomware groups and state-sponsored espionage actors due to their privileged position at the network perimeter. Organisations should assume that exploitation attempts are ongoing and that unpatched internet-facing appliances are being actively scanned and compromised.

What Is the Fix?

Citrix has released patched versions addressing CVE-2026-3055. The official Citrix security bulletin is available at:

https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX696300

Update to the following minimum versions:

  • NetScaler ADC 13.1 branch: Upgrade to 13.1-62.23 or later (standard) or 13.1-37.262 or later (FIPS/NDcPP)
  • NetScaler ADC 14.1 branch: Upgrade to 14.1-60.58 or later
  • NetScaler Gateway 13.1 branch: Upgrade to 13.1-62.23 or later
  • NetScaler Gateway 14.1 branch: Upgrade to 14.1-60.58 or later
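The affected-version and fixed-version lists above are easy to misread when comparing builds by hand (a lexical comparison puts 60.6 after 60.58, for example). The following added Python example, which is not from the advisory or from Citrix, classifies each appliance in an inventory against the fixed builds. It assumes the version line returned by `show ns version` looks like `NetScaler NS13.1: Build 58.32.nc, Date: ...`, that the build family (standard, FIPS or NDcPP) is known from your inventory rather than guessed from the version string, and that the configured IdP profiles are the names listed by `show authentication samlIdPProfile`; the inventory entries in the block are constructed.

```python
"""Assess NetScaler appliances against the CVE-2026-3055 fixed builds."""
import re
from typing import Dict, List, Optional, Tuple

# Minimum fixed builds from the advisory, keyed by (release branch, build family).
FIXED_BUILDS: Dict[Tuple[str, str], Tuple[int, int]] = {
    ("13.1", "standard"): (62, 23),   # 13.1-62.23
    ("13.1", "fips"): (37, 262),      # 13.1-37.262
    ("13.1", "ndcpp"): (37, 262),     # 13.1-37.262
    ("14.1", "standard"): (60, 58),   # 14.1-60.58
}

# Assumed layout of the version line printed by `show ns version`,
# e.g. "NetScaler NS13.1: Build 58.32.nc, Date: ..." (check against your appliance).
VERSION_RE = re.compile(r"NetScaler NS(?P<branch>\d+\.\d+): Build (?P<build>\d+)\.(?P<sub>\d+)")


def parse_ns_version(text: str) -> Optional[Tuple[str, int, int]]:
    """Return (branch, build, sub-build) from `show ns version` output, or None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return m.group("branch"), int(m.group("build")), int(m.group("sub"))


def assess(version_text: str, build_type: str, saml_idp_profiles: List[str]) -> Dict[str, object]:
    """Classify one appliance.

    build_type: "standard", "fips" or "ndcpp", taken from inventory (the version
    string alone does not say which build family the appliance runs).
    saml_idp_profiles: names from `show authentication samlIdPProfile`; an empty
    list means the IdP role is not configured and the bug is not reachable.
    """
    parsed = parse_ns_version(version_text)
    if parsed is None:
        return {"verdict": "UNPARSEABLE", "version": None}
    branch, build, sub = parsed
    version = f"{branch}-{build}.{sub}"
    fixed = FIXED_BUILDS.get((branch, build_type.lower()))
    if fixed is None:
        # Branch or build family not in the advisory's list: consult the Citrix bulletin.
        return {"verdict": "UNKNOWN-BRANCH", "version": version}
    # Compare numerically; string comparison would mis-order e.g. 60.58 vs 60.6.
    patched = (build, sub) >= fixed
    exposed = bool(saml_idp_profiles)
    if patched:
        verdict = "PATCHED"
    elif exposed:
        verdict = "UNPATCHED-EXPOSED"      # SAML IdP configured: exploitable, patch now
    else:
        verdict = "UNPATCHED-NOT-EXPOSED"  # not reachable today, still patch
    return {"verdict": verdict, "version": version, "patched": patched,
            "exposed": exposed, "fixed": f"{branch}-{fixed[0]}.{fixed[1]}"}


if __name__ == "__main__":
    # Constructed inventory entries standing in for the output collected from
    # each appliance; real data would come from SSH or your CMDB.
    inventory = [
        ("gw-dc1-primary", "NetScaler NS13.1: Build 58.32.nc, Date: Mar 3 2026", "standard", ["idp_corp"]),
        ("gw-dc2-fips", "NetScaler NS13.1: Build 37.250.nc, Date: Feb 9 2026", "fips", []),
        ("gw-dr-site", "NetScaler NS14.1: Build 60.58.nc, Date: May 20 2026", "standard", ["idp_corp"]),
    ]
    for name, ver, family, profiles in inventory:
        print(name, assess(ver, family, profiles))
```

Treat `UNPATCHED-NOT-EXPOSED` as a patching task rather than a clean result: the advisory's point is that IdP configuration can be enabled later or by template, so the version gap is what matters.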

Recommendations

Patch immediately. Large-scale exploitation is confirmed and ongoing. NetScaler appliances are internet-facing by design — they are directly reachable by attackers worldwide. Every minute an unpatched appliance remains online is a minute it is being actively targeted. Normal change control windows should be overridden for this vulnerability.

Verify SAML IDP configuration. Even if you believe SAML IDP is not enabled on your NetScaler appliances, log in to the management interface and explicitly verify. Review the authentication configuration and SAML settings. If SAML IDP functionality is not required, disable it entirely to reduce the attack surface — even after patching, this is a good defence-in-depth measure.

Hunt for signs of compromise. After patching, review NetScaler access logs and authentication logs for: unusual SAML assertion activity, IDP-initiated logins that do not correspond to legitimate user sessions, connections from unrecognised IP addresses or hosting provider ranges, unexpected changes to SAML configuration or signing certificates, and newly created local accounts. Fortinet has published indicators of compromise for the ongoing campaign — incorporate these into your SIEM or log analysis workflow.
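The review points in the paragraph above, expressed as a small correlation pass in Python. This is an added example, not part of the advisory and not Fortinet's published indicators. The normalised event shape (`ts`, `event`, `user`, `src`, `session`, ...) and the sample records are constructed, the "known" networks are documentation prefixes, and the twelve-hour session lookback is an assumed threshold; mapping your appliance's actual syslog lines into that shape, and adding Fortinet's IoC list as a further source-address check, is the part you supply.

```python
"""Post-patch hunting pass over normalised NetScaler authentication events."""
import ipaddress
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

# Networks from which IdP logins are expected; anything else is "unrecognised".
# Constructed example ranges: replace with your office, VPN and cloud egress ranges.
KNOWN_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]
SESSION_LOOKBACK = timedelta(hours=12)  # assumed longest legitimate login-to-assertion gap


def hunt(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return findings for the four review points: assertions with no matching
    authenticated session, assertions from unrecognised sources, SAML or
    certificate configuration changes, and newly created local accounts."""
    findings: List[Dict[str, str]] = []
    logins: Dict[str, datetime] = {}  # session id -> time of successful login
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        kind = e["event"]
        if kind == "AUTH_SUCCESS":
            logins[e["session"]] = ts
        elif kind == "SAML_ASSERTION_ISSUED":
            login_ts = logins.get(e["session"])
            if login_ts is None or ts - login_ts > SESSION_LOOKBACK:
                findings.append({"rule": "assertion_without_session",
                                 "user": e["user"], "ts": e["ts"]})
            src = ipaddress.ip_address(e["src"])
            if not any(src in net for net in KNOWN_NETWORKS):
                findings.append({"rule": "assertion_from_unrecognised_source",
                                 "user": e["user"], "src": e["src"], "ts": e["ts"]})
        elif kind == "CONFIG_CHANGE" and e.get("object", "").lower().startswith(("samlidpprofile", "certkey")):
            findings.append({"rule": "saml_or_cert_config_change",
                             "user": e["user"], "object": e["object"], "ts": e["ts"]})
        elif kind == "LOCAL_USER_ADDED":
            findings.append({"rule": "new_local_account",
                             "user": e["user"], "new_user": e["new_user"], "ts": e["ts"]})
    return findings


# Constructed sample: one legitimate login/assertion pair and one suspicious cluster.
SAMPLE_EVENTS = [
    {"ts": "2026-06-01T08:00:00", "event": "AUTH_SUCCESS", "user": "alice",
     "src": "203.0.113.10", "session": "s1"},
    {"ts": "2026-06-01T08:00:05", "event": "SAML_ASSERTION_ISSUED", "user": "alice",
     "src": "203.0.113.10", "session": "s1", "sp": "hr-portal"},
    # assertion for a session that never authenticated, from an unknown range
    {"ts": "2026-06-01T02:13:40", "event": "SAML_ASSERTION_ISSUED", "user": "svc-backup",
     "src": "192.0.2.77", "session": "s9", "sp": "finance"},
    {"ts": "2026-06-01T02:15:02", "event": "CONFIG_CHANGE", "user": "nsroot",
     "src": "192.0.2.77", "object": "samlIdPProfile idp_corp"},
    {"ts": "2026-06-01T02:16:30", "event": "LOCAL_USER_ADDED", "user": "nsroot",
     "src": "192.0.2.77", "new_user": "support2"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f)
```

The session correlation is the check that catches forged assertions most directly: an assertion the appliance issued without a preceding successful authentication for that session is exactly what an attacker who compromised the IdP layer would produce.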

Audit your NetScaler inventory. Large organisations often have multiple NetScaler appliances — primary and secondary gateways, appliances in different data centres, and appliances managed by different teams. Ensure every appliance in your estate is accounted for and patched. Check for forgotten appliances in disaster recovery sites, development environments, or decommissioned-but-still-powered-on hardware.

Rotate SAML signing certificates after patching. If exploitation is suspected or if your appliance was unpatched for any period after the vulnerability became known, rotate the SAML signing certificate and any other cryptographic material used by the IDP. This ensures that even if an attacker exfiltrated the certificate, they cannot forge valid SAML assertions going forward.

This advisory was first covered in the broader Vulnerability Intelligence Report — June 2, 2026. For a comprehensive view of all active threats and newly disclosed vulnerabilities, refer to the full report.
