Critical Vulnerability in Citrix NetScaler ADC and Gateway Security (CVE-2026-3055)
Executive Summary
On March 23rd, Citrix published an advisory detailing a critical severity vulnerability in their NetScaler ADC and Gateway products. The vulnerability, tracked as CVE-2026-3055 with a CVSS score of 9.3, allows an unauthenticated attacker to cause a memory overread on the device.
Beazley Security Labs has no additional details beyond what the vendor provides in the advisory; however, the flaw is conceptually similar to past critical information disclosure vulnerabilities referred to as “CitrixBleed”. Such vulnerabilities have the potential to leak credential material and other sensitive data that can be used to compromise these internet-facing devices, providing attackers initial access to an organization’s network.
The vulnerability was discovered by internal Citrix teams, and patches were provided with the advisory. At the time of writing, there are no publicly available proof-of-concept (PoC) exploits or reports of threat actor abuse in the wild.
Given the ease of exploitation and high impact of previous similar vulnerabilities, Beazley Security expects threat actors to study the patches and deploy weaponized exploits in the coming days. We strongly recommend affected organizations patch their devices as soon as possible. If organizations are unable to apply the patch, they should disable the SAML IdP functionality as described in the "Mitigations and Workarounds" section of this document.
Affected Systems and Products
The advisory applies only to customer-managed NetScaler ADC and Gateway products. Citrix-managed appliances had software updates applied prior to disclosure.
Additionally, a device must be configured as a SAML Identity Provider (IdP) to be vulnerable. Citrix provided the following configuration string to help identify impacted device configurations:
add authentication samlIdPProfile.*
Mitigations and Workarounds
Citrix provided no specific mitigation or workaround steps in their advisory outside of applying product upgrade patches. However, given the pre-condition of having SAML IdP configured in order for a device to be vulnerable, Beazley Security recommends turning this feature off as a precaution if you are unable to apply patches immediately.
Additional information regarding this component can be found in the NetScaler SAML IdP product documentation.
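The configuration string above can be turned into a simple check over a NetScaler configuration export (ns.conf). The following script is an added example written for this post and is not Beazley Security's or Citrix's own tooling; it assumes the ns.conf line format shown in the constructed sample (the samlIdPPolicy line and parameter values are illustrative), reports every SAML IdP profile defined on the appliance, and lists the other configuration lines that reference each profile so that an administrator knows which policies are involved before deciding to disable the feature.

```python
"""Check a NetScaler configuration export (ns.conf) for the SAML IdP
precondition of CVE-2026-3055: the presence of any
'add authentication samlIdPProfile ...' line, per the Citrix advisory."""
import re
from typing import Dict, List

# Regex built directly from the advisory's configuration string
# "add authentication samlIdPProfile.*": capture the profile name that follows.
SAML_IDP_PROFILE_RE = re.compile(
    r"^\s*add\s+authentication\s+samlIdPProfile\s+(\S+)", re.IGNORECASE
)

# Constructed sample ns.conf excerpt (not from a real appliance); the policy
# line and parameter values are illustrative only.
SAMPLE_CONFIG = """\
# constructed ns.conf excerpt
set ns config -IPAddress 10.0.0.5 -netmask 255.255.255.0
add authentication samlIdPProfile corp_saml_idp -samlIdPCertName idp_cert -samlSPCertName sp_cert
add authentication samlIdPPolicy corp_saml_pol -rule true -action corp_saml_idp
add vpn vserver gw_vs SSL 10.0.0.10 443
"""


def find_saml_idp_profiles(config_text: str) -> List[str]:
    """Return the names of all SAML IdP profiles defined in the config."""
    names = []
    for line in config_text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # skip comment lines
        m = SAML_IDP_PROFILE_RE.match(line)
        if m:
            names.append(m.group(1))
    return names


def find_references(config_text: str, profile: str) -> List[str]:
    """Return other non-comment config lines that mention the profile name
    (for example policies that use it). Heuristic: whole-token match."""
    token = re.compile(r"(?<![\w-])" + re.escape(profile) + r"(?![\w-])")
    refs = []
    for line in config_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if SAML_IDP_PROFILE_RE.match(line):
            continue  # the profile definition itself, not a reference
        if token.search(stripped):
            refs.append(stripped)
    return refs


def assess(config_text: str) -> Dict[str, object]:
    """Summarise whether the SAML IdP precondition from the advisory is met."""
    profiles = find_saml_idp_profiles(config_text)
    return {
        "saml_idp_configured": bool(profiles),
        "profiles": profiles,
        "references": {p: find_references(config_text, p) for p in profiles},
    }


if __name__ == "__main__":
    import json
    import sys

    # Usage: python check_saml_idp.py /path/to/ns.conf (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    print(json.dumps(assess(text), indent=2))
```

A result with `saml_idp_configured` set to true means the device matches the advisory's precondition and should be prioritised for patching; the `references` list shows which policies would be affected by turning the feature off. The check is a configuration heuristic, not a vulnerability test: an appliance with no samlIdPProfile still needs to be on a patched build.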
Patches
Patches were made available at the time of disclosure; more details can be found in the official Citrix advisory.
Technical Details
The bug was discovered by internal Citrix teams, and no in-depth technical details were provided in their advisory at the time of this writing. However, a pre-authentication, network-reachable vulnerability that results in a “memory overread” is a condition highly similar to previous high-impact information disclosure vulnerabilities in Citrix products, infamously dubbed CitrixBleed and CitrixBleed 2.
How Beazley Security is Responding
Beazley Security is monitoring client perimeter devices through our Exposure Management Platform to identify impacted devices and support organizations in remediation of any issues found.
We are also conducting threat hunts across our MDR environment to detect potential exploitation attempts against our clients.
If you believe your organization may have been impacted by this vulnerability and need support, please contact our Incident Response team.