Mar 24, 2026 · 5 min read
Citrix NetScaler Has a 9.3 Severity Flaw That Leaks Memory to Anyone Who Asks
CVE-2026-3055 allows unauthenticated attackers to read sensitive data from NetScaler ADC and Gateway appliance memory. Citrix says no exploitation has been detected yet, but history suggests the clock is ticking.
Two Vulnerabilities, One Urgent Patch
On March 23, 2026, Citrix published a security bulletin disclosing two vulnerabilities in NetScaler ADC and NetScaler Gateway, products used by enterprises worldwide to manage remote access, load balancing, and application delivery. The more severe of the two, CVE-2026-3055, carries a CVSS v4.0 score of 9.3 out of 10.
The flaw is an out-of-bounds memory read. An unauthenticated attacker can send a specially crafted request to a vulnerable appliance and read data from memory that the request should never have been able to reach. The only prerequisite is that the appliance is configured as a SAML Identity Provider (IdP), a common setup in enterprises that use NetScaler for single sign-on.
The second vulnerability, CVE-2026-4368 (CVSS 7.7), is a race condition that can cause session mix-ups between users. It affects appliances configured as a Gateway (VPN virtual server) or as a AAA virtual server.
What Memory Leaks Can Expose
Out-of-bounds memory reads are dangerous because the attacker does not choose what comes back: whatever happens to sit next to the target buffer in appliance memory at that moment is returned, and repeated requests sample different regions. An attacker exploiting CVE-2026-3055 could therefore extract session tokens, authentication credentials, encryption keys or configuration data, depending on what the appliance was processing when the request arrived.
This is the same class of vulnerability as Heartbleed (CVE-2014-0160), which exposed session keys and private keys from millions of OpenSSL servers, and as Citrix Bleed (CVE-2023-4966), a NetScaler memory over-read that allowed session token theft and was exploited by LockBit ransomware affiliates within weeks of its disclosure.
NetScaler's Track Record
Citrix NetScaler appliances have become a favorite initial access vector for threat actors. The pattern is well established:
- CVE-2023-4966 (Citrix Bleed): Patched October 2023, exploited by LockBit 3.0 within weeks. CISA issued emergency guidance. Boeing was among the confirmed victims.
- CVE-2023-3519: A remote code execution flaw exploited as a zero-day before Citrix could issue a patch, used to plant webshells on government and critical infrastructure networks.
- CVE-2025-5777 (dubbed CitrixBleed 2): Another out-of-bounds memory read in NetScaler that saw rapid exploitation after disclosure.
The pattern is consistent: Citrix discloses a critical vulnerability, and threat actors weaponize it before many organizations have applied the patch. NetScaler appliances sit at the network perimeter, making them an ideal entry point. Once compromised, an attacker can pivot into the internal network, steal credentials, and deploy ransomware.
Affected Versions and Detection
The following versions are vulnerable to CVE-2026-3055:
- NetScaler ADC and Gateway 14.1 before 14.1-66.59
- NetScaler ADC and Gateway 13.1 before 13.1-62.23
- NetScaler ADC 13.1-FIPS before 13.1-37.262
- NetScaler ADC 13.1-NDcPP before 13.1-37.262
To check whether an appliance is configured as a SAML IdP, search its running configuration (ns.conf) for lines beginning "add authentication samlIdPProfile". For CVE-2026-4368, look for "add vpn vserver" (Gateway) or "add authentication vserver" (AAA). Treat these checks as a way to prioritise, not as a reason to defer: an appliance on a vulnerable build should be patched whether or not it is an IdP today, since the role can be enabled later.
Citrix-managed cloud services are not affected; only customer-managed deployments require patching.
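As an added example (not code from the Citrix bulletin or from the original article), the following Python script triages one appliance from a saved ns.conf and a version string against the fixed builds listed above. The fixed builds and the configuration line prefixes are the ones quoted in this article; the "NS14.1: Build 66.59.nc" version format is an assumption about what the show ns version command prints, and the sample configuration is constructed for the demonstration.

```python
import re

# Fixed builds for CVE-2026-3055, as listed in the Citrix bulletin and quoted in
# the article above. Keys are (release, branch); branch is "" for the mainline
# builds and "FIPS" / "NDCPP" for the 13.1 special branches.
FIXED_BUILDS = {
    ("14.1", ""): (66, 59),
    ("13.1", ""): (62, 23),
    ("13.1", "FIPS"): (37, 262),
    ("13.1", "NDCPP"): (37, 262),
}

# Accepts the "14.1-66.59" form used in the bulletin and a "NS14.1: Build 66.59.nc"
# form. The latter is an assumption about what `show ns version` prints; adjust
# the pattern if your appliance reports the build differently.
_VERSION_RE = re.compile(
    r"(?:NS)?(\d+\.\d+)[:\s-]+(?:(?:FIPS|NDCPP)[:\s-]+)?(?:BUILD\s+)?(\d+)\.(\d+)",
    re.IGNORECASE,
)

# Configuration lines the article tells you to search for. Each pattern captures
# the object name so the report can say which profile or vserver triggered it.
_CONFIG_PATTERNS = {
    "saml_idp_profiles": re.compile(r"^\s*add authentication samlIdPProfile\s+(\S+)", re.I | re.M),
    "gateway_vservers": re.compile(r"^\s*add vpn vserver\s+(\S+)", re.I | re.M),
    "aaa_vservers": re.compile(r"^\s*add authentication vserver\s+(\S+)", re.I | re.M),
}


def parse_version(text, branch=None):
    """Return (release, branch, (build, sub)) from a NetScaler version string.

    `branch` overrides detection for FIPS/NDcPP builds whose version string does
    not name the branch; a 13.1 FIPS build read as mainline 13.1 would otherwise
    be compared against the wrong threshold.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {text!r}")
    release, build, sub = m.group(1), int(m.group(2)), int(m.group(3))
    if branch is None:
        upper = text.upper()
        branch = "FIPS" if "FIPS" in upper else "NDCPP" if "NDCPP" in upper else ""
    return release, branch.upper(), (build, sub)


def is_below_fix(version_text, branch=None):
    """True if the build is older than the fixed build for its release branch."""
    release, branch, build = parse_version(version_text, branch)
    key = (release, branch)
    if key not in FIXED_BUILDS:
        label = release + ("-" + branch if branch else "")
        raise ValueError(f"no fixed build for CVE-2026-3055 known for release {label}")
    return build < FIXED_BUILDS[key]


def scan_config(ns_conf):
    """Names of SAML IdP profiles, Gateway vservers and AAA vservers in ns.conf text."""
    return {name: pat.findall(ns_conf) for name, pat in _CONFIG_PATTERNS.items()}


def triage(version_text, ns_conf, branch=None):
    """Combine version and configuration into an exposure verdict for one appliance."""
    below_fix = is_below_fix(version_text, branch)
    found = scan_config(ns_conf)
    return {
        "version": version_text,
        "below_fix_for_cve_2026_3055": below_fix,
        **found,
        # CVE-2026-3055 needs a vulnerable build and a SAML IdP profile.
        "exposed_cve_2026_3055": below_fix and bool(found["saml_idp_profiles"]),
        # CVE-2026-4368 needs a Gateway or AAA vserver; the article gives no separate
        # fixed-build list for it, so only the configuration precondition is reported.
        "cve_2026_4368_precondition": bool(found["gateway_vservers"] or found["aaa_vservers"]),
    }


# Constructed ns.conf excerpt for demonstration; not an export from a real appliance.
SAMPLE_NS_CONF = """\
set ns hostName gw01.example.internal
add authentication samlIdPProfile idp_corp -samlIdPCertName idp_cert -samlSPCertName sp_cert -assertionConsumerServiceURL "https://sp.example.com/saml/acs" -audience sp.example.com
add vpn vserver gw_vs SSL 203.0.113.10 443
add authentication vserver aaa_vs SSL 203.0.113.11 443
add lb vserver web_lb HTTP 10.0.0.20 80
"""

if __name__ == "__main__":
    for version in ("14.1-60.1", "14.1-66.59", "13.1-FIPS-37.261"):
        report = triage(version, SAMPLE_NS_CONF)
        verdict = "PATCH NOW" if report["exposed_cve_2026_3055"] else "not exposed to CVE-2026-3055"
        print(f"{version}: {verdict}; SAML IdP profiles={report['saml_idp_profiles']}, "
              f"Gateway/AAA present={report['cve_2026_4368_precondition']}")
```

Run it against each appliance's backup ns.conf and the version reported by the appliance. The one trap to watch is the FIPS and NDcPP branches: their builds (37.x) are numerically lower than the mainline 13.1 fix, so a FIPS version string that does not carry the branch name must be passed with branch="FIPS" or it will be judged against the wrong threshold.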
What You Should Do Now
If your organization runs NetScaler ADC or Gateway appliances:
- Patch immediately. Update to the fixed versions listed in Citrix's security bulletin CTX696300. Do not wait for a scheduled maintenance window.
- Audit SAML configurations. Determine which appliances are configured as SAML IDPs and prioritize those for patching.
- Monitor for anomalous access. Review authentication logs for unusual session activity, particularly from unexpected IP addresses or geographies.
- Rotate credentials and terminate sessions. Patching closes the read primitive but does not invalidate anything already leaked, so after upgrading rotate any credentials or keys that may have been exposed and terminate active sessions so that any stolen session tokens stop working.
- Review network segmentation. Ensure that NetScaler appliances cannot be used as a pivot point into sensitive internal networks.
The Window Is Closing
Citrix says no exploitation has been detected yet, and Arctic Wolf and Rapid7 report that no public proof-of-concept exists as of March 24, 2026. But the history of NetScaler vulnerabilities makes one thing clear: the window between disclosure and active exploitation keeps shrinking. With Citrix Bleed and similar perimeter flaws, ransomware groups have shown they can weaponize a disclosure within days or weeks, well inside most organizations' patch cycles.
Every hour an unpatched NetScaler appliance sits exposed to the internet is an hour of risk that a patch which already exists would remove. The same urgency applies to the recent Oracle Identity Manager emergency patch for CVE-2026-21992, another pre-authentication RCE in critical infrastructure. The vulnerability has been disclosed. The fix is available. The only question is whether organizations will act before threat actors do.