Introduction

On March 23, 2026, Citrix released a critical security advisory addressing a severe vulnerability in NetScaler ADC and NetScaler Gateway, tracked as CVE-2026-3055. With a CVSS score of 9.3, this out-of-bounds (OOB) read flaw permits unauthenticated, remote attackers to leak sensitive information from the device's memory.

For defenders, the urgency is compounded by the specific configuration required for exploitation: the appliance must be configured as a SAML Identity Provider (IdP). This is not an edge case; SAML IdP is a standard configuration for organizations enabling Single Sign-On (SSO) for internal and external applications. A successful memory leak could expose session tokens, private keys, or other sensitive credentials, effectively paving the way for full system compromise or lateral movement. This post provides the technical depth required to identify vulnerable instances, detect exploitation attempts, and remediate the threat immediately.

Technical Analysis

Affected Products and Versions

• Products: NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway).
• Vulnerability: CVE-2026-3055
• CVSS Score: 9.3 (Critical)
• Vulnerable Configuration: Appliances configured as a SAML Identity Provider (IdP). Default configurations are not vulnerable.

Vulnerability Mechanics

The flaw is an out-of-bounds read vulnerability residing in the handling of SAML requests when the device acts as the Identity Provider.

1. Attack Vector: Remote, unauthenticated network access.
2. Attack Chain: The attacker sends a specially crafted SAML request to the NetScaler appliance.
3. Component Failure: The SAML processing component fails to properly validate the input boundaries, reading memory addresses adjacent to the intended buffer.
4. Impact: The appliance returns the out-of-bounds data to the attacker in the response. While this is an information leak (not arbitrary code execution initially), the data leakage can include cryptographic material or session tokens that allow the attacker to bypass authentication or decrypt traffic.

Exploitation Status

As of the advisory release, this is a disclosed vulnerability with a high severity rating. Given the history of Citrix ADC vulnerabilities (e.g., CVE-2019-19781), security practitioners should assume that active scanning or exploit development is occurring imminently, if not already. The barrier to entry for an OOB read exploit is lower than that of a remote code execution (RCE), making widespread scanning likely.

Detection & Response

Detecting CVE-2026-3055 requires a two-pronged approach: identifying vulnerable assets via configuration analysis and identifying active exploitation attempts via log analysis. Since NetScaler appliances forward logs to SIEMs via Syslog or CEF, we can hunt there.

SIGMA Rules

The following Sigma rules target NetScaler logs forwarded to a centralized log collector. Note that these rules assume logs are ingested via standard Syslog or Linux-based parsing.

---
title: Potential Citrix NetScaler SAML IDP Exploitation Attempt
id: 8a2b3c4d-5e6f-7890-1234-567890abcdef
status: experimental
description: Detects potential exploitation of CVE-2026-3055 via spikes in SAML authentication errors or malformed requests to the SAML endpoint on NetScaler devices.
references:
  - https://www.rapid7.com/blog/post/etr-cve-2026-3055-citrix-netscaler-adc-and-netscaler-gateway-out-of-bounds-read
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.initial_access
  - attack.cve-2026-3055
  - attack.t1190
logsource:
  product: linux
  service: syslog
detection:
  selection_source:
    program|contains: 'netscaler'
  selection_saml_endpoint:
    message|contains:
      - '/cgi/samlauth'
      - 'SAML_AUTH'
  selection_indicators:
    message|contains:
      - 'error'
      - 'failed'
      - 'denied'
      - 'HTTP/1.1" 4'
  condition: selection_source and selection_saml_endpoint and selection_indicators
falsepositives:
  - Legitimate misconfigurations in SAML integration
  - Users entering incorrect credentials repeatedly
level: high
---
title: Citrix NetScaler System Panic or Memory Exception
id: 9c3d4e5f-6a7b-8901-2345-678901bcdefg
status: experimental
description: Detects NetScaler system panics or memory exceptions which may indicate an attempted out-of-bounds read or crash related to CVE-2026-3055.
references:
  - Internal NetScaler Incident Response Guidance
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.impact
  - attack.cve-2026-3055
logsource:
  product: linux
  service: syslog
detection:
  selection_source:
    program|contains: 'netscaler'
  selection_crash:
    message|contains:
      - 'PANIC'
      - 'EXCEPTION'
      - 'Core dump'
      - 'memory access violation'
  condition: selection_source and selection_crash
falsepositives:
  - Hardware failure
  - Unrelated software bugs
level: critical

KQL (Microsoft Sentinel / Defender)

Use these queries to hunt for signs of the vulnerability in your Syslog or CommonSecurityLog ingestion.

// Hunt for SAML-related errors on NetScaler devices
Syslog
| where SyslogMessage contains "Citrix" or SyslogMessage contains "NetScaler"
| where SyslogMessage has "saml" or SyslogMessage has "SAML"
| where SyslogMessage has_any("error", "failed", "panic", "exception")
| project TimeGenerated, Computer, ProcessName, SyslogMessage
| extend EventDetails = extract_all(@'\[(.*?)\]', typeof(string), SyslogMessage)
| order by TimeGenerated desc

// Hunt for spikes in traffic to SAML endpoints (CEF format)
CommonSecurityLog
| where DeviceVendor == "Citrix"
| where RequestURL contains "/saml" or RequestURL contains "/cgi/samlauth"
| where DeviceAction in ("Deny", "Error", "Failure")
| summarize count() by SourceIP, bin(TimeGenerated, 5m)
| where count_ > 10 // Threshold tuning required
| project TimeGenerated, SourceIP, count_

Velociraptor VQL

This VQL artifact is designed to run on a Linux jump box or a forensic workstation where you have mounted the NetScaler file system or have access to the configuration backup (ns.conf). It hunts for the presence of the vulnerable SAML IDP configuration.

-- Hunt for SAML Identity Provider configurations in NetScaler ns.conf
SELECT FullPath, Mtime, Size, Data
FROM glob(globs='/var/nsconfig/ns.conf')
-- If running on mounted filesystem or backup, adjust path accordingly
-- Use grep() to search for SAML IDP profile definitions
WHERE parse_string(data=Data, regex='(?m)add authentication samlIdPProfile .*')
PROJECT FullPath, Mtime, Size

Remediation Script

This Bash script helps verify the configuration and identify if the appliance is currently vulnerable by checking for the SAML IDP profile setting. Note: This requires shell access to the NetScaler ADC (via SSH or Console).

#!/bin/bash

CVE-2026-3055 Remediation Checker for Citrix NetScaler

Checks for SAML Identity Provider (IDP) configurations

echo "Checking NetScaler configuration for SAML IDP Profiles..."

Path to standard configuration

CONFIG_FILE="/nsconfig/ns.conf"

Check if config file exists

if [ ! -f "$CONFIG_FILE" ]; then echo "Error: Configuration file not found at $CONFIG_FILE" exit 1 fi

Search for SAML IDP profiles

if grep -q "add authentication samlIdPProfile" "$CONFIG_FILE"; then echo "[WARNING] Vulnerable Configuration Detected." echo "SAML IDP Profiles found in $CONFIG_FILE:" grep "add authentication samlIdPProfile" "$CONFIG_FILE" echo "" echo "ACTION REQUIRED:" echo "1. Review and apply the latest Citrix Build for CVE-2026-3055 immediately." echo "2. If SAML IDP is not required, remove the configuration." else echo "[INFO] No SAML IDP profiles detected. Default configuration appears safe from CVE-2026-3055." fi

Check current version (Requires root context usually)

echo "Current Version Info:" show ns version | head -n 5

Remediation

1. Patch Immediately: Apply the updated builds from the Citrix Security Advisory specific to CVE-2026-3055. Do not delay.
2. Configuration Review: Audit your NetScaler configurations to confirm if you are utilizing the SAML Identity Provider (IdP) functionality. You can check this via CLI: show authentication samlidpprofile.
3. Workaround: If patching is not immediately possible and SAML IdP is not a business-critical requirement, temporarily remove the SAML IdP configuration or bind to mitigate the exposure vector.
4. Post-Patch Verification: Run the provided remediation script to ensure the configuration aligns with security best practices and verify that the new build is installed.

Official Advisory: Citrix Security Advisory for CVE-2026-3055

Related Resources

Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub