Vulnerability Management, Patch/Configuration Management, Breach

Citrix patches critical NetScaler ADC bug


Citrix on March 23 released patches for a critical out-of-bounds-read bug in NetScaler ADC that security researchers from Rapid7 and watchTowr said will most certainly be exploited once exploit code becomes public in a few days.

The 9.3 flaw — CVE-2026-3055 — has been touted by researchers as similar to the CitrixBleed memory leak vulnerabilities from 2023 that saw LockBit use it against ICBC, Boeing, and DP World.

“Although Citrix states that the vulnerability was identified internally, it is reasonable to expect that threat actors will attempt to reverse engineer the patch to develop exploit capabilities,” watchTowr posted on its LinkedIn site yesterday. “Active watchTowr Platform clients have already been made aware of their exposure, and we are actively supporting remediation.”

Denis Calderone, co-founder and CTO at Suzu Labs, added that the one piece of good news is that this bug only affects NetScaler instances configured as a SAML Identity Provider, not default configurations. Calderone said SOC teams should search all NetScaler configs for “add authentication samlIdPProfile” and if it’s there, patch immediately.

“If you can't patch today, consider whether you can disable SAML IDP functionality as a temporary mitigation,” said Calderone.

Ryan Emmons, staff security researcher at Rapid7, said that because this latest vulnerability was also assigned a critical-severity rating by Citrix, we can infer that CVE-2026-3055 likely results in a level of sensitive memory disclosure similar to that of CitrixBleed (CVE-2023-4966) in 2023. However, Emmons said it’s important to note that CVE-2026-3055 affects a non-default, but common, configuration.

“Per the Citrix advisory, defenders can inspect their NetScaler configuration for the specified string ‘add authentication samlIdPProfile .*’ to determine whether a system is in the vulnerable configuration,” said Emmons. “For any affected systems, Rapid7 advises patching on an emergency basis.”
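The check Calderone and Emmons describe is a string search for `add authentication samlIdPProfile` in each appliance's running configuration. The script below is an added example, not part of the article or of any Citrix or Rapid7 tooling: it runs that check over a set of exported NetScaler configuration dumps, reports which appliances define a SAML IdP profile (and therefore need emergency patching), and deliberately does not flag appliances that only act as a SAML service provider (`add authentication samlAction`), which the advisory string does not match. The hostnames and configuration lines are constructed sample data.

```python
import re
from pathlib import Path
from typing import Dict, Iterable, List

# The advisory string quoted above; the capture group picks up the profile name.
SAML_IDP_PROFILE = re.compile(r"^add authentication samlIdPProfile\s+(\S+)")

# Constructed sample configs keyed by hostname (hypothetical appliances, not real data).
SAMPLE_CONFIGS: Dict[str, str] = {
    "ns-edge-01": "\n".join([
        "add authentication samlIdPProfile corp_idp -samlIdPCertName idp_cert",
        "add authentication samlIdPPolicy corp_idp_pol -rule true -action corp_idp",
        "add vpn vserver gw_vs SSL 10.0.0.5 443",
    ]),
    "ns-edge-02": "\n".join([
        "add authentication ldapAction ad_ldap -serverIP 10.0.0.10",
        "add vpn vserver gw_vs SSL 10.0.0.6 443",
    ]),
    "ns-edge-03": "\n".join([
        "# SAML SP only: this appliance consumes assertions, it does not issue them",
        "add authentication samlAction sp_only -samlIdPCertName ext_idp",
    ]),
}


def saml_idp_profiles(config_text: str) -> List[str]:
    """Return the names of every SAML IdP profile defined in one config dump.

    Only 'add authentication samlIdPProfile <name>' lines count; 'samlIdPPolicy'
    and the SP-side 'samlAction' commands share a prefix but are not matched.
    """
    names: List[str] = []
    for raw in config_text.splitlines():
        match = SAML_IDP_PROFILE.match(raw.strip())
        if match:
            names.append(match.group(1))
    return names


def triage(configs: Dict[str, str]) -> Dict[str, List[str]]:
    """Map hostname -> IdP profile names; an empty list means not in the vulnerable configuration."""
    return {host: saml_idp_profiles(text) for host, text in configs.items()}


def exposed_hosts(configs: Dict[str, str]) -> List[str]:
    """Sorted hostnames that should be patched (or have SAML IdP disabled) immediately."""
    return sorted(host for host, profiles in triage(configs).items() if profiles)


def load_config_files(paths: Iterable[str]) -> Dict[str, str]:
    """Read exported ns.conf-style files from disk, keyed by file stem (e.g. ns-edge-01.conf)."""
    return {Path(p).stem: Path(p).read_text(errors="replace") for p in paths}


if __name__ == "__main__":
    # Run against the constructed samples; pass real export paths to load_config_files() instead.
    for host, profiles in triage(SAMPLE_CONFIGS).items():
        if profiles:
            print(f"{host}: PATCH NOW - SAML IdP profile(s) {profiles}")
        else:
            print(f"{host}: not configured as a SAML IdP")
```

The prefix-only match matters in practice: a looser search for `saml` would sweep in appliances that merely federate to an external IdP, inflating the emergency patch list, while the advisory string scopes the check to appliances that actually issue SAML assertions.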

Noelle Murata, senior security engineer at Xcape, Inc., explained that an out-of-bounds read is essentially a digital pickpocketing maneuver in which an attacker sends a malformed request that tricks the system into reading past its intended memory buffer, returning “neighboring” data that should be private. In the context of a NetScaler device that sits at the edge of a network, Murata said this leaked memory often contains the crown jewels: active session tokens, administrative credentials, and SSL private keys.

“This is particularly dangerous because it requires no authentication to trigger and leaves almost no trace in standard logs,” said Murata. “We’ve seen this movie before with CitrixBleed in 2023: attackers will likely reverse-engineer the patch within 48 to 72 hours to create functional exploits."

Murata said SOC teams must immediately identify if their appliances are acting as SAML IdPs and prioritize patching those internet-facing units today. If patching isn't instant, they should restrict access via access control lists (ACLs) to "known-good" IP ranges. Once patched, security leaders should consider terminating all active sessions to invalidate any tokens that might have been siphoned in the lead-up to the fix.
