Citrix NetScaler ADC and Gateway CVE-2026-3055 Exploitation
Threat actors are actively exploiting CVE-2026-3055, a critical memory overread vulnerability in Citrix NetScaler ADC and NetScaler Gateway appliances configured as a SAML identity provider (IDP), to extract sensitive information, including authenticated administrative session IDs, potentially leading to full system takeover.
A critical vulnerability, CVE-2026-3055, impacts Citrix NetScaler ADC and NetScaler Gateway appliances configured as SAML identity providers (IDP). Disclosed on March 23, 2026, and actively exploited since at least March 27, 2026, this flaw allows attackers to perform memory overreads via the /saml/login and /wsfed/passive endpoints. Successful exploitation enables the extraction of sensitive information, including authenticated administrative session IDs. The vulnerability affects versions…
Detection coverage (2)
Detect Access to Citrix NetScaler SAML Login Endpoint
Severity: high. Detects access to the /saml/login endpoint of Citrix NetScaler, which is targeted by CVE-2026-3055 exploitation attempts.
Detect Access to Citrix NetScaler WSFED Passive Endpoint
Severity: high. Detects access to the /wsfed/passive endpoint of Citrix NetScaler, which is targeted by CVE-2026-3055 exploitation attempts.
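The two detections above key on requests to /saml/login and /wsfed/passive. The following is an added example, not the platform's rules (which this page does not show), that applies the same idea to web access logs. It assumes Common Log Format input, uses constructed sample lines, and treats case folding and percent-decoding of the path as a conservative matching choice rather than documented appliance behaviour.

```python
import re
from collections import Counter
from posixpath import normpath
from urllib.parse import unquote

# Endpoints this page names as targeted by CVE-2026-3055 exploitation attempts.
WATCHED = {"/saml/login", "/wsfed/passive"}

# Assumption: Common Log Format lines (e.g. from a proxy in front of the appliance).
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def canonical_path(target):
    """Drop query/fragment, percent-decode once, collapse slashes and dots, lowercase."""
    path = unquote(target.split("?", 1)[0].split("#", 1)[0])
    # lstrip first: posixpath.normpath would keep a leading "//" as-is.
    return normpath("/" + path.lstrip("/")).lower()

def find_hits(lines):
    """Return one record per request whose canonical path is a watched endpoint."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if m and canonical_path(m["target"]) in WATCHED:
            hits.append({"src": m["src"], "ts": m["ts"], "method": m["method"],
                         "path": canonical_path(m["target"]), "status": int(m["status"])})
    return hits

def hits_by_source(hits):
    """Count hits per (source address, endpoint) so repeat callers stand out in triage."""
    return Counter((h["src"], h["path"]) for h in hits)

# Constructed sample lines (documentation-range addresses), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [27/Mar/2026:10:01:02 +0000] "GET /saml/login HTTP/1.1" 200 512',
    '198.51.100.7 - - [27/Mar/2026:10:01:03 +0000] "GET /SAML//login/?x=1 HTTP/1.1" 200 512',
    '203.0.113.9 - - [27/Mar/2026:10:02:00 +0000] "POST /wsfed%2Fpassive HTTP/1.1" 200 90',
    '192.0.2.44 - - [27/Mar/2026:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '192.0.2.44 - - [27/Mar/2026:10:03:05 +0000] "GET /saml/login.css HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for (src, path), n in hits_by_source(find_hits(SAMPLE_LOG)).most_common():
        print(f"{src} {path} x{n}")
```

Because the match is on endpoint access alone, as in the rule descriptions above, hits are leads for triage rather than confirmation of exploitation.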