{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-3055/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-3055"},{"id":"CVE-2026-4368"}],"_cs_exploited":true,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["netscaler","cve-2026-3055","cve-2026-4368","out-of-bounds read","race condition","memory corruption","session hijacking"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eCitrix NetScaler ADC and Gateway are affected by two critical vulnerabilities, CVE-2026-3055 and CVE-2026-4368. CVE-2026-3055 is an out-of-bounds read vulnerability that allows an unauthenticated attacker to read arbitrary memory content. This could lead to the exfiltration of sensitive data like credentials and session tokens. CVE-2026-4368 is a race condition vulnerability that can lead to user session mix-up, potentially allowing one user to access another user\u0026rsquo;s session. CISA has added CVE-2026-3055 to its Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild as of March 30, 2026. The affected versions include NetScaler ADC and NetScaler Gateway 14.1 before 14.1-66.59, 13.1 before 13.1-62.23, and NetScaler ADC FIPS and NDcPP before 13.1-37.262. Defenders should prioritize patching and closely monitor affected systems.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker sends a specially crafted request to a vulnerable NetScaler ADC or Gateway configured as a SAML IDP (for CVE-2026-3055).\u003c/li\u003e\n\u003cli\u003eDue to insufficient input validation, the appliance attempts to read memory beyond the allocated buffer.\u003c/li\u003e\n\u003cli\u003eThe out-of-bounds read allows the attacker to access sensitive information stored in memory, such as session tokens, credentials, or other confidential data.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates the gleaned sensitive information via network communication.\u003c/li\u003e\n\u003cli\u003eFor CVE-2026-4368, multiple users attempt to authenticate to a NetScaler ADC or Gateway configured as a Gateway or AAA virtual server.\u003c/li\u003e\n\u003cli\u003eA race condition occurs during session creation or management.\u003c/li\u003e\n\u003cli\u003eOne user\u0026rsquo;s session is incorrectly associated with another user\u0026rsquo;s account.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to another user\u0026rsquo;s session, potentially performing actions on their behalf or accessing sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-3055 allows attackers to steal sensitive information, potentially leading to account compromise, data breaches, and further unauthorized access to internal resources. CVE-2026-4368 can lead to unauthorized access to user accounts, potentially exposing sensitive data or enabling malicious activities under the guise of a legitimate user. Given that CISA has confirmed active exploitation of CVE-2026-3055, organizations using affected NetScaler products are at immediate risk. The impact spans across all sectors utilizing these products for application delivery and secure access.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately patch NetScaler ADC and Gateway to the latest versions: 14.1-66.59 or later, 13.1-62.23 or later, and 13.1-37.262 or later for FIPS and NDcPP to remediate CVE-2026-3055 and CVE-2026-4368 as described in the Citrix advisory (\u003ca href=\"https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX696300\"\u003ehttps://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX696300\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Netscaler CVE-2026-3055 GET Request\u003c/code\u003e to identify potential exploitation attempts of CVE-2026-3055 based on suspicious HTTP GET requests targeting the SAML IDP.\u003c/li\u003e\n\u003cli\u003eEnable and review NetScaler audit logs for unusual authentication patterns or session activity that could indicate exploitation of CVE-2026-4368.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for HTTP requests with abnormally long URIs, which may be indicative of attempts to trigger the out-of-bounds read in CVE-2026-3055.\u003c/li\u003e\n\u003cli\u003eApply the Sigma rule \u003ccode\u003eDetect Netscaler CVE-2026-4368 POST Request\u003c/code\u003e to identify potential exploitation attempts of CVE-2026-4368 based on suspicious HTTP POST requests targeting the Gateway or AAA virtual server\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-01T08:44:01Z","date_published":"2026-04-01T08:44:01Z","id":"/briefs/2026-04-netscaler-vulns/","summary":"Unauthenticated attackers can exploit CVE-2026-3055 (out-of-bounds read) to exfiltrate sensitive data from NetScaler ADC and Gateway, while CVE-2026-4368 (race condition) enables user session hijacking, necessitating immediate patching and enhanced monitoring.","title":"Critical Vulnerabilities in NetScaler ADC and Gateway Allow Sensitive Data Exposure and Session Hijacking","url":"https://feed.craftedsignal.io/briefs/2026-04-netscaler-vulns/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["citrix","netscaler","cve-2026-3055","memory-overread","information-disclosure"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eA critical vulnerability, CVE-2026-3055, impacts Citrix NetScaler ADC and NetScaler Gateway appliances configured as SAML identity providers (IDP). Disclosed on March 23, 2026, and actively exploited since at least March 27, 2026, this flaw allows attackers to perform memory overreads via the \u003ccode\u003e/saml/login\u003c/code\u003e and \u003ccode\u003e/wsfed/passive\u003c/code\u003e endpoints. Successful exploitation enables the extraction of sensitive information, including authenticated administrative session IDs. The vulnerability affects versions…\u003c/p\u003e\n","date_modified":"2026-03-31T12:00:00Z","date_published":"2026-03-31T12:00:00Z","id":"/briefs/2026-03-citrix-netscaler-cve-2026-3055/","summary":"Threat actors are actively exploiting CVE-2026-3055, a critical memory overread vulnerability in Citrix NetScaler ADC and NetScaler Gateway appliances configured as a SAML identity provider (IDP), to extract sensitive information, including authenticated administrative session IDs, potentially leading to full system takeover.","title":"Citrix NetScaler ADC and Gateway CVE-2026-3055 Exploitation","url":"https://feed.craftedsignal.io/briefs/2026-03-citrix-netscaler-cve-2026-3055/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-3055","version":"https://jsonfeed.org/version/1.1"}