Overview
- Researchers say exploitation is underway, with honeypot evidence showing attacks by March 27 targeting vulnerable NetScaler appliances.
- CISA added CVE-2026-3055 to its Known Exploited Vulnerabilities catalog and set a near-term deadline for federal agencies to patch affected devices.
- Attackers send crafted SAML login requests that omit a key field to endpoints such as /saml/login; the appliance responds with a cookie containing leaked memory, which can expose admin session IDs and enable account takeover.
- The flaw affects customer-managed NetScaler ADC and Gateway only when the appliance is configured as a SAML identity provider; Citrix has released fixed firmware along with Global Deny List signatures for rapid mitigation.
- WatchTowr reports that the CVE bundles several related memory over-reads, including issues at /saml/login and /wsfed/passive, while ShadowServer counts tens of thousands of NetScaler ADC and Gateway systems online, though how many of them are actually exposed remains unclear.