CVE-2026-3055
Citrix ADC VPX vulnerability analysis and mitigation

Overview

CVE-2026-3055 is a critical out-of-bounds read (memory overread) vulnerability in Citrix NetScaler ADC and NetScaler Gateway when configured as a SAML Identity Provider (IDP). Insufficient input validation allows unauthenticated remote attackers to trigger memory disclosure, potentially exposing sensitive data including session tokens. The vulnerability was first published on March 23, 2026, with patches released March 31, 2026. Affected versions include NetScaler ADC 13.1 (before 13.1-62.23 standard, before 13.1-37.262 FIPS/NDcPP) and 14.1 (before 14.1-60.58), and NetScaler Gateway 13.1 (before 13.1-62.23) and 14.1 (before 14.1-60.58). It carries a CVSS v3.1 score of 9.8 (Critical) and a CVSS v4.0 score of 9.3 (Critical) (Citrix Advisory, CISA KEV).

Technical details

The vulnerability is classified as CWE-125 (Out-of-bounds Read) and stems from insufficient input validation in the SAML IDP processing code of NetScaler ADC and Gateway. Notably, CVE-2026-3055 encompasses at least two distinct memory overread bugs affecting different endpoints: /saml/login and /wsfed/passive?wctx. For the WS-Federation endpoint, the flaw occurs when the wctx query parameter is present without an associated value (i.e., without the = symbol); the appliance checks only for the parameter's presence before accessing the associated buffer, rather than verifying that actual data exists. This causes the device to read from uninitialized or adjacent memory and return the contents base64-encoded in the NSC_TASS cookie. Exploitation requires no authentication and no user interaction, but the appliance must be configured as a SAML IDP. A concrete PoC HTTP request (GET /wsfed/passive?wctx HTTP/1.1) was published by watchTowr Labs demonstrating reliable memory disclosure (watchTowr Labs).

Impact

Successful exploitation allows an unauthenticated attacker to read kilobytes of process memory from the NetScaler appliance per request, with different memory regions disclosed on each request. Disclosed memory can include sensitive data such as authenticated administrative session IDs, HTTP request headers from other users, cryptographic material, and internal memory pointers — enabling session hijacking and potential full administrative compromise of the appliance. Because NetScaler devices typically sit at the network perimeter handling VPN, SSO, and application delivery, compromise can facilitate lateral movement into internal enterprise networks. The vulnerability has been compared to CitrixBleed (CVE-2023-4966) in severity and exploitation pattern (watchTowr Labs, CISA KEV).

Exploitation steps

  1. Reconnaissance: Identify internet-facing Citrix NetScaler ADC or Gateway instances configured as SAML IDPs using tools like Shodan, Censys, or FOFA. Check for SAML IDP configuration with show running-config | grep -i samlIdPProfile on accessible devices.
  2. Verify SAML IDP configuration: Confirm the target is configured as a SAML IDP by probing the /saml/login or /wsfed/passive endpoints for valid responses.
  3. Send exploit request to WS-Federation endpoint: Issue a crafted HTTP GET request with the wctx parameter present but without a value or = sign:
    GET /wsfed/passive?wctx HTTP/1.1
    Host: <target>
  4. Extract leaked memory: Parse the HTTP 302 response and extract the NSC_TASS cookie value, which contains base64-encoded process memory from the NetScaler appliance.
  5. Decode and analyze memory: Base64-decode the NSC_TASS cookie contents to obtain raw memory, which may include HTTP request headers from concurrent sessions, session tokens, cryptographic material, and internal pointers.
  6. Repeat for additional memory regions: Submit the request multiple times to obtain different memory regions, increasing the probability of capturing active session IDs or credentials.
  7. Session hijacking: If an administrative session ID is captured from the leaked memory, inject it into a browser or tool to authenticate as an administrator without credentials, achieving full appliance compromise (watchTowr Labs).

Indicators of compromise

  • Network: Unusual HTTP GET requests to /wsfed/passive?wctx (without a value after wctx) or /saml/login from external IPs; high-volume repeated requests to SAML IDP endpoints from a single source IP; outbound connections from the NetScaler to unexpected external hosts.
  • Logs: NetScaler access logs showing repeated requests to /wsfed/passive or /saml/login with malformed or missing parameter values; HTTP 302 responses to these endpoints from unauthenticated sources; anomalous session activity from IPs not associated with known users.
  • Cookies/Response Artifacts: Presence of large, base64-encoded NSC_TASS cookie values in HTTP responses to unauthenticated requests — particularly those containing decoded HTTP headers, memory addresses, or session tokens from other users.
  • Configuration: Devices configured with samlIdPProfile (detectable via show running-config | grep -i samlIdPProfile) on unpatched firmware versions are confirmed vulnerable.
  • Behavioral: Administrative logins from unexpected IP addresses or at unusual times following exploitation attempts; evidence of session reuse from IPs that did not perform the original authentication flow (watchTowr Labs, CISA KEV).
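As an added example (not code from the page, Citrix or watchTowr Labs), the following Python turns the network and log indicators above into a check over a few constructed access-log lines: it counts, per source IP, requests to /wsfed/passive carrying a bare wctx parameter (no "=" at all) that were answered with a 302, counts all hits to the SAML IDP endpoints, and flags IPs that repeat the bare-wctx request. The CLF-like log layout, the sample lines and the threshold are assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines in a CLF-like shape; an assumed layout, not the real NetScaler log format.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Mar/2026:10:00:01 +0000] "GET /wsfed/passive?wctx HTTP/1.1" 302 0
203.0.113.7 - - [24/Mar/2026:10:00:02 +0000] "GET /wsfed/passive?wctx HTTP/1.1" 302 0
203.0.113.7 - - [24/Mar/2026:10:00:03 +0000] "GET /wsfed/passive?wctx HTTP/1.1" 302 0
198.51.100.5 - - [24/Mar/2026:10:01:00 +0000] "GET /wsfed/passive?wctx=rm%3D0%26id%3Dabc HTTP/1.1" 302 0
198.51.100.9 - - [24/Mar/2026:10:02:00 +0000] "GET /saml/login HTTP/1.1" 200 1532
192.0.2.4 - - [24/Mar/2026:10:03:00 +0000] "GET /vpn/index.html HTTP/1.1" 200 4811
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
SAML_IDP_PATHS = ("/wsfed/passive", "/saml/login")

def parse_line(line):
    """Return the log fields as a dict, or None for lines that do not match the assumed layout."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def wctx_missing_value(target):
    """True when /wsfed/passive is requested with a bare 'wctx' (no '=' at all), the trigger described above.
    'wctx=' with an empty value is deliberately not matched: the text says the '=' itself is absent."""
    parts = urlsplit(target)
    if parts.path != "/wsfed/passive":
        return False
    return any(param == "wctx" for param in parts.query.split("&"))

def detect(log_text, threshold=3):
    """Count bare-wctx requests answered with 302 per source IP, count all SAML IDP endpoint hits per IP,
    and flag IPs whose bare-wctx count reaches the threshold (repeated requests harvest new memory each time)."""
    bare_wctx, idp_requests = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if urlsplit(rec["target"]).path in SAML_IDP_PATHS:
            idp_requests[rec["ip"]] += 1
        if wctx_missing_value(rec["target"]) and rec["status"] == "302":
            bare_wctx[rec["ip"]] += 1
    flagged = sorted(ip for ip, n in bare_wctx.items() if n >= threshold)
    return {"bare_wctx": dict(bare_wctx), "idp_requests": dict(idp_requests), "flagged": flagged}
```

Adapt LOG_RE to the actual log source (NetScaler syslog, a WAF or a reverse proxy in front of the appliance) before running it over real data.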

Mitigation and workarounds

Citrix has released patched versions addressing CVE-2026-3055: NetScaler ADC 13.1-62.23 or later (standard), 13.1-37.262 or later (FIPS/NDcPP), and 14.1-60.58 or later; NetScaler Gateway 13.1-62.23 or later and 14.1-60.58 or later. Immediate upgrade to a patched version is the recommended remediation (Citrix Advisory). As a temporary workaround where patching is not immediately possible, restrict network access to SAML IDP endpoints (/saml/login and /wsfed/passive) from untrusted networks using firewall rules or WAF policies. CISA mandated that U.S. federal agencies apply mitigations by April 2, 2026 (CISA KEV). Organizations should also audit NetScaler configurations to determine if SAML IDP mode is necessary and disable it if not required.
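The fixed-build list above and the samlIdPProfile check from the indicators section can be combined into a single exposure test. The Python below is an added example, not Citrix tooling: it compares a NetScaler build string against the first fixed build for its release line and track (13.1 FIPS/NDcPP builds use the 37.x series, so the caller must say which track applies), then checks a running-config dump for a SAML IDP profile. The config excerpt and profile names are constructed, and release lines the advisory summary does not mention raise an error rather than being reported as patched.

```python
import re

# First fixed builds as listed in the advisory summary above.  13.1 FIPS/NDcPP builds use the
# 37.x build series, so the caller has to say which track the appliance runs.
FIXED_BUILDS = {
    ("ADC", "13.1", "standard"): "13.1-62.23",
    ("ADC", "13.1", "fips"): "13.1-37.262",
    ("ADC", "14.1", "standard"): "14.1-60.58",
    ("Gateway", "13.1", "standard"): "13.1-62.23",
    ("Gateway", "14.1", "standard"): "14.1-60.58",
}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")

def parse_build(version):
    """Split a NetScaler build string such as '13.1-62.23' into four integers."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler build string: {version!r}")
    return tuple(int(x) for x in m.groups())

def is_unpatched(product, version, fips=False):
    """True when the build is older than the first fixed build on its release line.
    Release lines the advisory summary does not list raise instead of silently reporting 'patched'."""
    major, minor, build, sub = parse_build(version)
    key = (product, f"{major}.{minor}", "fips" if fips else "standard")
    if key not in FIXED_BUILDS:
        raise ValueError(f"no fixed build known for {key}")
    return (build, sub) < parse_build(FIXED_BUILDS[key])[2:]

def saml_idp_configured(running_config):
    """Same test as 'show running-config | grep -i samlIdPProfile' in the text above."""
    return any("samlidpprofile" in line.lower() for line in running_config.splitlines())

def exposure(product, version, running_config, fips=False):
    """Combine both checks: the overread is only reachable when the appliance acts as a SAML IDP."""
    unpatched = is_unpatched(product, version, fips)
    if unpatched and saml_idp_configured(running_config):
        return "EXPOSED: unpatched build with a SAML IDP profile; upgrade now or block the IDP endpoints"
    if unpatched:
        return "UNPATCHED: no SAML IDP profile found, but upgrade before one is added"
    return "PATCHED"

# Constructed running-config excerpt; hypothetical names, not a real appliance dump.
SAMPLE_CONFIG = """\
add ns ip 10.0.0.10 255.255.255.0
add authentication samlIdPProfile idp_prof -samlIdPCertName idpcert -samlSPCertName spcert
bind authentication vserver auth_vs -policy saml_idp_pol -priority 100
"""
```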

Community reactions

Citrix issued an official security bulletin (CTX696300) urging immediate patching and confirmed the vulnerability was identified internally. watchTowr Labs published two detailed technical blog posts (Parts 1 and 2) revealing that CVE-2026-3055 actually covers at least two distinct memory overread bugs, and released a detection artifact generator for defenders — drawing significant community attention and comparisons to CitrixBleed (CVE-2023-4966). Security researchers and media widely described the flaw as "CitrixBleed 3" or a sequel to prior high-profile NetScaler vulnerabilities. BleepingComputer, SecurityWeek, The Hacker News, The Register, and Infosecurity Magazine all covered active exploitation. CISA's rapid KEV listing (within days of disclosure) and the April 2 federal deadline generated substantial discussion on Reddit, Mastodon, and Bluesky. Rapid7 published an ETR blog post and added a Metasploit scanner module. Multiple national CERTs (UK NCSC, Canadian CCCS, EU CERT, Irish NCSC, New Zealand NCSC, Hong Kong GovCERT) issued advisories urging urgent patching (watchTowr Labs, CISA KEV).

This report was generated with the help of AI.

Related Citrix ADC VPX vulnerabilities:

CVE ID | Severity | Score | Technology | Component (CPE) | CISA KEV exploit | Fixed | Publication date
CVE-2026-3055 | CRITICAL | 9.3 | Citrix ADC VPX | cpe:2.3:a:citrix:netscaler_application_delivery_controller | Yes | Yes | Mar 23, 2026
CVE-2026-8655 | HIGH | 8.8 | Citrix ADC VPX | cpe:2.3:a:citrix:netscaler_application_delivery_controller | No | Yes | Jun 30, 2026
CVE-2026-8452 | HIGH | 8.8 | Citrix ADC VPX | cpe:2.3:a:citrix:netscaler_application_delivery_controller | No | Yes | Jun 30, 2026
CVE-2026-8451 | HIGH | 8.8 | Citrix ADC VPX | cpe:2.3:a:citrix:netscaler_application_delivery_controller | No | Yes | Jun 30, 2026
CVE-2026-4368 | HIGH | 7.7 | Citrix ADC VPX | cpe:2.3:a:citrix:netscaler_application_delivery_controller | No | Yes | Mar 23, 2026
