Attackers began actively probing Citrix NetScaler appliances on March 27, 2026, targeting CVE-2026-3055 — an out-of-bounds read with a CVSS v4.0 score of 9.3. CISA added it to the Known Exploited Vulnerabilities catalog the same day, giving federal agencies until April 2 to patch. If you run NetScaler as a SAML Identity Provider and haven’t upgraded yet, that deadline is tomorrow.
What’s Vulnerable
CVE-2026-3055 affects NetScaler ADC and NetScaler Gateway when the appliance is configured as a SAML Identity Provider (SAML IDP). Default configurations are not affected — this is a conditional vulnerability, but SAML IDP is a very common deployment pattern for NetScaler acting as an enterprise SSO gateway.
The companion bug disclosed alongside it, CVE-2026-4368 (CVSS 7.7), is a race condition in the same products.
Affected versions:
- NetScaler ADC and NetScaler Gateway 14.1 before 14.1-66.59
- NetScaler ADC and NetScaler Gateway 13.1 before 13.1-62.23
- NetScaler ADC 13.1-FIPS and 13.1-NDcPP before 13.1-37.262
Technical Details
The root cause is insufficient input validation in the /saml/login endpoint. When an HTTP request arrives at that endpoint with a wctx query parameter that is present but has no value and no = sign (e.g., GET /saml/login?wctx), the appliance fails to correctly bounds-check a memory read via the NSC_TASS component. The result: data left in memory from a previous request — potentially including active session tokens — can be returned to the unauthenticated attacker.
This is a classic heap/stack disclosure bug. You don’t need credentials; you just need the appliance to be reachable and acting as a SAML IDP. The impact is credential-equivalent if a session token for an authenticated admin or user lands in the leaked memory region.
What the Recon Looks Like
The active reconnaissance observed since March 27 has two stages. First, attackers are hitting /cgi/GetAuthMethods to fingerprint which authentication flows are enabled — specifically to confirm whether SAML IDP is active before committing to exploitation. Second, they’re sending crafted requests to /saml/login?wctx to trigger the overread.
If you have NetScaler edge devices exposed to the internet, check your access logs for hits on both of those paths from IPs you don’t recognize.
Why This Matters
NetScaler ADC sits at the network edge of a lot of enterprise environments. If it’s configured as your SAML IDP, it’s likely the trust anchor for a significant chunk of your authentication infrastructure. Leaking a session token from this device can allow an attacker to impersonate any recently-authenticated user — including admins — without touching Active Directory or your IdP backend. It’s a fast path to lateral movement with minimal forensic noise.
What to Do
- Check your config first: Search your running configuration for add authentication samlIdPProfile. If that string appears, your appliance is in the vulnerable code path and you need to treat this as urgent.
- Patch immediately: Upgrade to 14.1-66.59 or 13.1-62.23 (or 13.1-37.262 for FIPS/NDcPP variants). The CISA KEV deadline for federal agencies is April 2, 2026 — if you haven’t scheduled the maintenance window, do it now.
- Check your access logs: Look for requests to /saml/login?wctx (with no value after wctx) and /cgi/GetAuthMethods from external IPs. If you see these, treat it as a potential active compromise and investigate session token validity.
- If you can’t patch today: Citrix has not published a confirmed WAF rule, but blocking requests to /saml/login where the wctx parameter is present without a value is a reasonable temporary mitigating control. Validate with your security team before deploying.
- Scope your exposure: If your NetScaler SAML IDP is only reachable from internal networks or VPN, your exposure is substantially lower — but still patch. The recon activity indicates organized threat actors have this on their list.
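The log check described in the recon section and in the steps above, as an added example (not Citrix, CISA or the original post's tooling): it flags the stage-one fingerprint hits on /cgi/GetAuthMethods and the stage-two requests to /saml/login where wctx is a bare key with no = sign, ignores your own address ranges, and ranks clients that did both stages first. It also includes the running-config check for the samlIdPProfile string. Assumptions: the log lines are in the common/combined Apache format (a NetScaler or fronting-proxy log layout may differ, so adjust LOG_RE), and the sample lines are constructed with documentation IP ranges.

```python
"""Scan access logs for the two-stage NetScaler recon pattern and check a
running config for the SAML IDP marker. Added example; log format assumed."""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple
from urllib.parse import urlsplit

# Assumed log layout: client IP, identity, user, [timestamp], "METHOD target proto", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

FINGERPRINT = "auth-method-fingerprint"   # stage 1: /cgi/GetAuthMethods
TRIGGER = "bare-wctx-trigger"             # stage 2: /saml/login?wctx with no '='


def has_bare_wctx(query: str) -> bool:
    """True when the query string carries wctx as a bare key: no '=' and no value.
    'wctx=' and 'wctx=abc' are the normal relay-state form and are not flagged."""
    return any(part == "wctx" for part in query.split("&"))


def classify(target: str) -> Optional[str]:
    """Map a request target to a recon stage label, or None for ordinary traffic."""
    parts = urlsplit(target)
    if parts.path == "/cgi/GetAuthMethods":
        return FINGERPRINT
    if parts.path == "/saml/login" and has_bare_wctx(parts.query):
        return TRIGGER
    return None


def scan(lines: Iterable[str], internal=()) -> Dict[str, List[Tuple[str, str]]]:
    """Return {client_ip: [(timestamp, stage), ...]} for clients outside the
    `internal` CIDR ranges that hit either recon path."""
    nets = [ipaddress.ip_network(n) for n in internal]
    hits: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        stage = classify(m["target"])
        if stage is None:
            continue
        try:
            addr = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue
        if any(addr in net for net in nets):
            continue
        hits[m["ip"]].append((m["ts"], stage))
    return dict(hits)


def two_stage_sources(hits: Dict[str, List[Tuple[str, str]]]) -> List[str]:
    """Clients that performed both the fingerprint and the trigger: investigate first."""
    return sorted(ip for ip, events in hits.items()
                  if {s for _, s in events} >= {FINGERPRINT, TRIGGER})


def saml_idp_configured(running_config: str) -> bool:
    """The config check from the list above: is the SAML IDP profile present?"""
    return "add authentication samlIdPProfile" in running_config


# Constructed sample log lines (documentation IP ranges, not real clients).
SAMPLE_LOG = """\
203.0.113.7 - - [27/Mar/2026:10:01:12 +0000] "GET /cgi/GetAuthMethods HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.7 - - [27/Mar/2026:10:01:13 +0000] "GET /saml/login?wctx HTTP/1.1" 200 1834 "-" "curl/8.0"
10.0.0.5 - - [27/Mar/2026:10:02:00 +0000] "GET /saml/login?wctx=https%3A%2F%2Fapp.example.com HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [27/Mar/2026:10:03:44 +0000] "GET /saml/login?foo=1&wctx HTTP/1.1" 200 1700 "-" "python-requests/2.31"
192.0.2.44 - - [27/Mar/2026:10:04:00 +0000] "GET /vpn/index.html HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines(), internal=["10.0.0.0/8"])
    for ip, events in found.items():
        print(ip, events)
    print("two-stage sources:", two_stage_sources(found))
```

On the sample input the internal client whose wctx carries a value is left alone, the client that only sent the bare-wctx request is listed, and the client that fingerprinted and then sent the trigger is ranked first. Feed it your real log stream and your own CIDR ranges; a hit on the trigger path from an unknown source is the point at which the steps above say to start checking session token validity.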
CVE-2026-4368 (race condition, CVSS 7.7) was disclosed simultaneously. Patching to the versions above addresses both.