Alright, folks, if the words “Citrix” and “memory leak” make your eye twitch, I don’t blame you. We’ve been here before. Twice.
Citrix dropped an advisory on March 23 for CVE-2026-3055, a critical memory overread flaw in NetScaler ADC and Gateway. CVSS 9.3. No authentication required. Four days later, attackers were already exploiting it. By March 30, CISA added it to the Known Exploited Vulnerabilities list.
Whoa. That’s fast, even by today’s standards.
What’s Going On
The short version: if your NetScaler is set up as a SAML Identity Provider, which is super common for SSO and cloud federation, an attacker can send a crafted request and trick the appliance into dumping memory. Session tokens. Admin session IDs. Credentials. All of it, no login needed.
The flaw is bad enough on its own. But here’s the thing: researchers at watchTowr dug in and found that CVE-2026-3055 is actually two distinct memory overread bugs, not one. One hits /saml/login, the other targets /wsfed/passive. Citrix didn’t make that clear in their advisory. watchTowr called the disclosure “disingenuous.” Harsh, but fair.
If your NetScaler is in a default config or managed by Citrix in the cloud, you’re fine. Breathe easy. But if you’re running on-prem with SAML IDP enabled? You need to move.
Same Movie, Third Time
Look, this is what gets me. CVE-2023-4966 was CitrixBleed. CVE-2025-5777 was CitrixBleed 2. Now we’ve got CVE-2026-3055 doing the same thing, leaking memory from the same product family, sitting at the same spot on the network edge, handling the same authentication traffic.
The watchTowr CEO said it himself: this sounds suspiciously like the previous CitrixBleed flaws that are still a trauma event for a lot of orgs. Three years in a row. Same class of bug. That’s not bad luck, that’s a pattern.
How Fast Attackers Moved
This part matters. By March 27, researchers at Defused spotted attackers probing NetScaler boxes, hitting /cgi/GetAuthMethods to fingerprint which ones were configured as SAML IDPs. They weren’t guessing, they were shopping for the exact setup needed to exploit the bug.
Two days later, full exploitation confirmed. Crafted SAMLRequest payloads to /saml/login, memory leaking through the NSC_TASS cookie. The attack payloads matched watchTowr’s proof-of-concept structure. A Metasploit module is already out there.
ShadowServer was tracking about 29,000 NetScaler instances exposed online. Not all are vulnerable, but enough of them are configured as SAML IDPs to make this a real problem.
What You Need To Do
Patch. No excuses. Here are the fixed versions:
- NetScaler ADC and Gateway 14.1-66.59 and later
- NetScaler ADC and Gateway 13.1-62.23 and later
- NetScaler ADC 13.1-FIPS and NDcPP 13.1-37.262 and later
If you’re on firmware 14.1-60.52 or 14.1-60.57, Citrix has a “Global Deny List” feature that works as a virtual patch without rebooting. Useful to buy time, but don’t treat it as the fix. Get to the patched builds.
Want to check if you’re exposed? SSH into your appliance and search the running config for the line “add authentication samlIdPProfile”. If it’s there, you’re a target until you upgrade.
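To make that check repeatable across a fleet, here is an added example (my own script, not Citrix’s tooling or anything from the advisory) that reads a saved ns.conf, looks for the samlIdPProfile line, and compares the running build against the fixed builds listed above. It assumes version strings look like “14.1-60.52” and takes a separate flag for the 13.1-FIPS/NDcPP train; the config fragment is constructed, not from a real appliance.

```python
import re

# Fixed builds from the advisory, keyed by (release train, fips-train?) -> (build, sub-build).
FIXED_BUILDS = {
    ("14.1", False): (66, 59),
    ("13.1", False): (62, 23),
    ("13.1", True): (37, 262),   # 13.1-FIPS / NDcPP train
}
# Builds where the Global Deny List "virtual patch" is available (a stopgap, not the fix).
DENY_LIST_BUILDS = {("14.1", False): [(60, 52), (60, 57)]}

# Assumed version format: MAJOR.MINOR-BUILD.SUB, e.g. 14.1-60.52
VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")

def parse_version(version: str):
    """Split '14.1-60.52' into ('14.1', (60, 52)) so builds compare as tuples."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {version!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))

def saml_idp_enabled(ns_conf: str) -> bool:
    """True if any ns.conf line defines a SAML IdP profile (the exposed configuration)."""
    return any(line.strip().startswith("add authentication samlIdPProfile")
               for line in ns_conf.splitlines())

def assess(version: str, ns_conf: str, fips: bool = False) -> str:
    """Classify one appliance: patched, not exposed, exposed, or exposed with deny-list option."""
    train, build = parse_version(version)
    fixed = FIXED_BUILDS.get((train, fips))
    if fixed is None:
        return "unknown-train"          # not covered by the advisory's fixed-version list
    if build >= fixed:
        return "patched"                # fixed build "and later"
    if not saml_idp_enabled(ns_conf):
        return "unpatched-not-exposed"  # still upgrade, but not the SAML IdP attack surface
    if build in DENY_LIST_BUILDS.get((train, fips), []):
        return "exposed-deny-list-available"
    return "exposed"

# Constructed sample config fragment (hypothetical names, not a real ns.conf).
SAMPLE_CONF = """\
add ns ip 10.0.0.5 255.255.255.0 -type SNIP
add authentication samlIdPProfile corp_idp -samlIdPCertName corp_cert
bind authentication vserver auth_vs -policy corp_idp_pol -priority 100
"""

if __name__ == "__main__":
    for v in ("14.1-60.52", "14.1-66.59", "13.1-58.10"):
        print(v, assess(v, SAMPLE_CONF))
```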
Final Thoughts
Three memory leaks in three years from the same product line. At some point you have to ask yourself, is this appliance earning its spot on my network edge, or is it the liability?
The window between disclosure and exploitation was four days. Four days. That means your patch process needs to be faster than an attacker’s recon cycle. If it’s not, you’re already behind.
Don’t wait for the change window. Make the change window.
Stay sharp, folks.