NetScaler - Memory Disclosure (CVE-2026-3055)
50 exploiting IPs reported
Insufficient input validation leading to memory overread in NetScaler ADC and NetScaler Gateway when configured as a SAML Identity Provider (SAML IDP).
CrowdSec analysis
CVE-2026-3055 is a critical memory overread vulnerability in Citrix NetScaler ADC and NetScaler Gateway when configured as a SAML Identity Provider. Due to insufficient input validation, unauthenticated attackers can trigger an out-of-bounds read that leaks sensitive memory contents, including administrative session cookies, potentially enabling full appliance compromise.
CrowdSec has been tracking this vulnerability and its exploits since the 30th of March 2026.
CrowdSec network observations suggest that most exploitation of CVE-2026-3055 involves focused reconnaissance to identify viable targets. Attackers typically tailor their campaigns based on system exposure and configuration. It is unlikely that a given attack is accidental. Data from the CrowdSec community also indicates a gradual decrease in attacks targeting CVE-2026-3055. While still present in the wild, exploitation levels have dropped noticeably week-over-week. This may signal that the vulnerability is becoming less relevant or that defenses are improving fast enough for attackers to lose interest.
Attackers exploit the SAML IDP endpoints by sending crafted POST requests to /saml/login with a malicious SAMLRequest payload, or GET requests to /wsfed/passive?wctx with an empty parameter value, triggering memory overread that leaks sensitive data such as session cookies in the NSC_TASS cookie.
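For defenders reviewing HTTP access logs from in front of the appliance, the two request shapes described above can be flagged as follows. This is an added example, not CrowdSec's detection rule or Citrix code; the log layout ("combined" style), the verdict labels and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: "combined"-style access log lines; adapt LINE_RE to your log source.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def classify(line):
    """Return (source_ip, verdict) for a relevant request, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    path = url.path.rstrip("/").lower()
    if m["method"] == "GET" and path == "/wsfed/passive":
        # keep_blank_values keeps both "wctx" and "wctx=" as ('wctx', '')
        params = parse_qsl(url.query, keep_blank_values=True)
        if any(k.lower() == "wctx" and v == "" for k, v in params):
            return m["ip"], "wsfed-empty-wctx"
    if m["method"] == "POST" and path == "/saml/login":
        # The request body is not in an access log, so this is only a lead.
        return m["ip"], "saml-login-post-review"
    return None

def scan(lines):
    """Group verdicts by source IP, in log order."""
    hits = {}
    for line in lines:
        result = classify(line)
        if result:
            hits.setdefault(result[0], []).append(result[1])
    return hits

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2030:10:00:01 +0000] "GET /wsfed/passive?wctx HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2030:10:00:02 +0000] "GET /wsfed/passive?wa=wsignin1.0&wctx= HTTP/1.1" 200 512',
    '198.51.100.20 - - [01/Jan/2030:10:00:03 +0000] "GET /wsfed/passive?wa=wsignin1.0&wctx=rm%3D0 HTTP/1.1" 302 0',
    '192.0.2.44 - - [01/Jan/2030:10:00:04 +0000] "POST /saml/login HTTP/1.1" 200 1024',
    '192.0.2.9 - - [01/Jan/2030:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for ip, verdicts in scan(SAMPLE_LOG).items():
        print(ip, verdicts)
```

A POST to /saml/login is normal on a working SAML IDP, so that verdict is a pointer for correlation with source reputation and request volume rather than an alert on its own.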