Citrix NetScaler Memory Overread Vulnerability

Released: May 28, 2026



Active Exploitation Observed in the Wild

Exploitation activity targeting vulnerable Citrix NetScaler ADC and Gateway appliances remains persistent and widespread, with FortiGuard Labs telemetry continuously observing attack attempts from global sources probing exposed NetScaler SAML endpoints for vulnerable configurations. Analysis from FortiGuard IPS sensors shows sustained targeting of internet-facing NetScaler deployments configured as SAML Identity Providers (IdP). Attackers continue using malformed authentication requests to exploit the memory overread condition associated with CVE-2026-3055, potentially exposing sensitive session data, authentication tokens, and credential material.


Background

Telemetry collected over the past 30 days (as of the publication date) shows sustained exploitation activity, with FortiGuard IPS sensors frequently detecting over 2,000 blocked CVE-2026-3055 attack attempts per day and peaks exceeding 2,700 daily events. The activity primarily targets exposed NetScaler SAML services across the Technology, Telecom, Automotive, MSSP, and Government sectors, with the highest concentration of attacks observed in Germany, Hong Kong, France, the United States, and Poland.

The vulnerability exists due to insufficient validation of user-supplied parameters during SAML authentication processing. Crafted requests sent to vulnerable SAML endpoints can trigger memory overread conditions, causing portions of process memory to be returned to the attacker.

The vulnerability has received a CVSS v4 score of 9.3 (Critical) and has been added to the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog following confirmed in-the-wild exploitation activity. Most observed activity involves opportunistic scanning and automated exploitation attempts originating from rapidly changing infrastructure, including VPS providers, botnets, and anonymized networks.

Latest Development

Recent news and incidents related to cybersecurity threats encompassing various events such as data breaches, cyber-attacks, security incidents, and vulnerabilities discovered.


Organizations that have not remediated affected systems remain at risk of credential exposure, account compromise, and unauthorized access to internal resources. The continued volume of observed attacks highlights the elevated risk posed by unpatched or internet-exposed systems, particularly where NetScaler appliances provide federated authentication or remote access services.
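To prioritize remediation, a defender can check which appliances are actually configured as a SAML IdP, the deployment type described above as being targeted. The following is an added example, not FortiGuard or Citrix code: it parses a saved NetScaler configuration and maps each SAML IdP profile to the authentication virtual servers that serve it. It assumes the `add authentication samlIdPProfile`, `add authentication samlIdPPolicy` and `bind authentication vserver` line syntax of the NetScaler CLI; the sample configuration and every name in it are constructed.

```python
import shlex

# Constructed sample of a saved NetScaler configuration; all names are made up.
SAMPLE_NS_CONF = """\
add authentication samlIdPProfile idp_prof_hr -samlIdPCertName idp_cert -assertionConsumerServiceURL "https://hr.example.test/acs"
add authentication samlIdPProfile idp_prof_unused -samlIdPCertName idp_cert
add authentication samlIdPPolicy idp_pol_hr -rule true -action idp_prof_hr
add authentication vserver aaa_vs SSL 192.0.2.10 443
bind authentication vserver aaa_vs -policy idp_pol_hr -priority 100
bind authentication vserver aaa_vs -policy ldap_pol -priority 110
"""

def option(tokens, flag):
    """Return the value that follows a lowercase -flag, or None if absent."""
    lowered = [t.lower() for t in tokens]
    if flag in lowered[:-1]:
        return tokens[lowered.index(flag) + 1]
    return None

def saml_idp_exposure(conf_text):
    """Map each SAML IdP profile name to the auth vservers bound to it."""
    profiles, policies, binds = {}, {}, []
    for line in conf_text.splitlines():
        try:
            tok = shlex.split(line)      # honours quoted arguments
        except ValueError:
            tok = line.split()           # unbalanced quotes: fall back
        if len(tok) < 4:
            continue
        head = [t.lower() for t in tok[:3]]  # CLI keywords are case-insensitive
        if head == ["add", "authentication", "samlidpprofile"]:
            profiles.setdefault(tok[3], [])
        elif head == ["add", "authentication", "samlidppolicy"]:
            policies[tok[3]] = option(tok, "-action")
        elif head == ["bind", "authentication", "vserver"]:
            binds.append((tok[3], option(tok, "-policy")))
    # Resolve bindings last so the order of lines in the file does not matter.
    for vserver, policy in binds:
        profile = policies.get(policy)
        if profile in profiles and vserver not in profiles[profile]:
            profiles[profile].append(vserver)
    return profiles

if __name__ == "__main__":
    for name, vservers in saml_idp_exposure(SAMPLE_NS_CONF).items():
        print(f"{name}: bound to {', '.join(vservers) or 'no vserver'}")
```

An appliance that reports at least one profile matches the SAML IdP deployment type named in this report and should be checked for patch status first.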

FortiGuard Cybersecurity Framework

Mitigate security threats and vulnerabilities by leveraging the range of FortiGuard Services.


PROTECT
  • IPS

  • Web App Security

DETECT
  • IOC

  • Outbreak Detection

RESPOND
  • Automated Response

  • Assisted Response Services

RECOVER
  • NOC/SOC Training

  • End-User Training

IDENTIFY
  • Attack Surface Hardening
