Citrix NetScaler Memory Flaw: From CitrixBleed to CVE-2026-3055, The Attack That Keeps Coming Back
- Akshay Jain
- Apr 2
- 5 min read
History Repeating Live, Right Now
On March 27, 2026, threat actors began actively exploiting a newly disclosed critical memory vulnerability in Citrix NetScaler ADC and NetScaler Gateway appliances. It had been publicly disclosed just one week earlier. The patch had been available for less than a week. And it was already being weaponized in the wild.
If this sounds familiar, it should. This is the fourth major memory-related vulnerability to tear through the NetScaler ecosystem since 2023. Each one followed the same pattern: disclosure, rapid exploitation, global breach activity, emergency patching, and organizations left scrambling. The newest entry, CVE-2026-3055, is so similar to its predecessors that WatchTowr CEO Benjamin Harris described it as "suspiciously similar to Citrix Bleed and Citrix Bleed 2, which continue to represent a trauma event for many."
This post covers the entire lineage from the original CitrixBleed (CVE-2023-4966) through the freshest active threat with full technical depth, detection rules, and the steps you need to take before you become the next incident report.

What Is the Citrix NetScaler Memory Flaw?
To understand why this class of vulnerability is so dangerous, you first need to understand what NetScaler is and why it matters.
Citrix NetScaler ADC (Application Delivery Controller) and NetScaler Gateway are networking appliances used by enterprises worldwide to manage, secure, and accelerate application traffic. They sit at the edge of corporate networks handling VPN connections, load balancing, authentication, and secure remote access for employees. Think of them as the secure front door to an organization's entire internal infrastructure. Hundreds of thousands of organizations globally, including government agencies, hospitals, banks, and Fortune 500 companies, rely on them.
A memory vulnerability in this context means the appliance can be tricked into reading beyond the boundaries of a designated memory space, like a librarian accidentally reading from a shelf they weren't supposed to touch and returning that raw memory content to whoever sent the malicious request. The returned memory might contain session tokens, credentials, encryption keys, or anything else that happened to be in memory at that moment.
What makes this catastrophic: the attacker doesn't need a username, a password, or MFA credentials. They send a crafted request. NetScaler reads out of bounds. The attacker reads what falls out. If a valid session token is in that memory, they can use it to impersonate an authenticated user, completely bypassing every access control the organization has built.
How the Citrix NetScaler Memory Flaw Works
The Root Cause: Out-of-Bounds Memory Read
The technical category is CWE-125: Out-of-Bounds Read - a class of bug where software reads data from a memory location beyond the intended buffer boundaries. In NetScaler's case, the root cause across multiple CVEs has been insufficient input validation. The appliance doesn't adequately verify that incoming request parameters contain valid, properly bounded data before processing them.
The CVE-2026-3055 Attack Chain
The current active vulnerability provides a clear example of how this class of flaw is exploited:
[Step 1] Reconnaissance
Attacker probes /cgi/GetAuthMethods
→ Enumerates authentication flows enabled on the appliance
→ Confirms target is configured as a SAML Identity Provider (SAML IDP)
[Step 2] Crafted Malicious Request
Attacker sends HTTP POST to /saml/login
→ SAMLRequest payload is crafted with the AssertionConsumerServiceURL field OMITTED
→ No value AND no '=' symbol present for this parameter
[Step 3] Insufficient Validation Triggers Memory Read
NetScaler checks only for the presence of the parameter, not for associated data
→ Appliance accesses the buffer associated with the empty variable
→ Reads adjacent, uninitialized or residual memory content ("dead memory")
[Step 4] Memory Leakage via NSC_TASS Cookie
Raw memory contents are returned in the HTTP response
→ Leaked data arrives Base64-encoded in the NSC_TASS cookie
→ Each request leaks a different slice of memory (dynamic allocation)
→ Sending the same request repeatedly harvests progressively larger memory contents
[Step 5] Session Token Extraction and Hijacking
Attacker parses leaked memory for valid session tokens
→ Extracts authenticated administrative session ID
→ Inserts token into browser or automation tooling
→ Achieves full admin access to the NetScaler appliance, with no credentials required
The critical insight from WatchTowr's analysis: because the leaked memory is dynamic, an attacker doesn't get the same data twice. Repeated requests effectively allow continuous memory harvesting until a high-value token surfaces.
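To make the root cause (a presence-only parameter check) and step 3 of the chain concrete, here is a toy model written for this post; it is not NetScaler code and it simplifies heavily. It models only the "residual memory" case: a fixed buffer reused across requests, as a static C buffer would be, so that a parameter name arriving with no '=' and no value leaves the previous request's bytes in place and the handler echoes them back. The parameter name, buffer size and sample bodies are assumptions chosen for illustration; the hardened handler beside it shows the three checks that close the gap.

```python
# Toy model of the validation defect behind the CitrixBleed family (constructed
# example; not NetScaler code). A fixed buffer is reused across requests, as a
# static C buffer would be. The vulnerable handler checks only that the
# parameter *name* is present; when the name arrives with no '=' and no value,
# nothing is copied and the previous request's bytes are echoed back.
BUF_SIZE = 64
PARAM = "AssertionConsumerServiceURL"   # assumed parameter name for the model


class ReusedBuffer:
    """Fixed-size buffer plus a length field, reused for every request."""

    def __init__(self):
        self.data = bytearray(BUF_SIZE)
        self.length = 0


def parse_form(body):
    """Split a form body into {name: value}; a bare key (no '=') maps to None."""
    params = {}
    for pair in body.split("&"):
        if not pair:
            continue
        name, sep, value = pair.partition("=")
        params[name] = value if sep else None
    return params


def handle_vulnerable(buf, body):
    """Presence-only check (the defect): key present is treated as data present."""
    params = parse_form(body)
    if PARAM not in params:
        return b"error: missing parameter"
    value = params[PARAM]
    if value is not None:             # only a real value updates the buffer
        encoded = value.encode()[:BUF_SIZE]
        buf.data[: len(encoded)] = encoded
        buf.length = len(encoded)
    # A bare key falls through with stale data and length: residual bytes leak.
    return bytes(buf.data[: buf.length])


def handle_hardened(buf, body):
    """Validate the value, bound its size and clear the buffer before reuse."""
    params = parse_form(body)
    value = params.get(PARAM)
    if not value:                     # absent, bare key, or empty: reject
        return b"error: missing or empty parameter"
    encoded = value.encode()
    if len(encoded) > BUF_SIZE:
        return b"error: parameter too long"
    buf.data[:] = bytes(BUF_SIZE)     # no residue survives between requests
    buf.data[: len(encoded)] = encoded
    buf.length = len(encoded)
    return bytes(buf.data[: buf.length])


def two_requests(handler):
    """Run a well-formed request, then a bare-key request, against one buffer."""
    buf = ReusedBuffer()
    first = handler(buf, "SAMLRequest=r1&" + PARAM + "=https://sp.example.test/acs")
    second = handler(buf, "SAMLRequest=r2&" + PARAM)     # bare key, no '='
    return first, second


if __name__ == "__main__":
    for handler in (handle_vulnerable, handle_hardened):
        first, second = two_requests(handler)
        print(handler.__name__, first, second)
```

Run as a script, the vulnerable handler answers the second (bare-key) request with the first request's URL, which is the model's stand-in for a leaked memory slice; the hardened handler rejects it. The lesson for anyone writing request handlers is that "the key is there" is never the same check as "the key carries valid, bounded data", and that a reused buffer must be cleared or length-tracked on every path, including the error path.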
The Full CitrixBleed Family: Real-World Attack Cases
Citrix NetScaler memory vulnerabilities are not a new story. They are a recurring catastrophe, each chapter more impactful than the last.
CVE-2023-4966 - CitrixBleed (CVSS 9.4)
The original CitrixBleed was exploited as a zero-day starting August 2023, a full two months before Citrix disclosed it on October 10, 2023. The exploitation mechanism involved sending a large, crafted HTTP GET request with a manipulated Host header, causing the appliance to return system memory containing valid NetScaler AAA session cookies.
The real-world damage was severe. High-profile victims included Boeing, the Industrial & Commercial Bank of China (ICBC), DP World, and the law firm Allen & Overy, all compromised by LockBit 3.0 affiliates using CitrixBleed as their initial access vector. After acquiring valid session cookies, the affiliates established authenticated sessions on NetScaler appliances without needing a username, password, or MFA token, rendering every authentication control the organization had deployed irrelevant.
A critical operational detail that caught many organizations off guard: Citrix warned that compromised sessions would remain active even after patching was applied, meaning patching alone was insufficient. All active sessions had to be manually terminated.
CVE-2025-5777 - CitrixBleed 2 (CVSS 9.3)
Disclosed in June 2025, CitrixBleed 2 repeated the formula. Due to improper handling of malformed input, Citrix NetScaler fails to initialize a memory variable correctly, leaking leftover stack memory content within the <InitialValue> XML element of the server response.
Citrix stated that, as of June 26, 2025, there was no evidence of exploitation. By July 10, 2025, CISA had added CVE-2025-5777 to its Known Exploited Vulnerabilities catalog, confirming active in-the-wild exploitation.
CVE-2026-3055 - The Active Threat (CVSS 9.3)
The vulnerability affects NetScaler ADC and NetScaler Gateway versions 14.1 before 14.1-66.59 and 13.1 before 13.1-62.23, as well as NetScaler ADC 13.1-FIPS and 13.1-NDcPP before 13.1-37.262. Exploitation requires the appliance to be configured as a SAML Identity Provider.
Defused Cyber confirmed that attackers send crafted SAMLRequest payloads to /saml/login omitting the AssertionConsumerServiceURL field, triggering the appliance to leak memory contents via the NSC_TASS cookie, with active exploitation attempts originating from known threat actor source IPs as of March 27, 2026.
Prevention & Best Practices
Patch immediately; there is no workaround. Unlike some vulnerabilities where a configuration change can temporarily mitigate risk, Citrix has confirmed that no workaround or mitigation exists for CVE-2026-3055 beyond upgrading to a patched build. Organizations with vulnerable appliances exposed to the internet must treat this as an emergency.
Restrict management access aggressively. NetScaler management interfaces should never be internet-exposed. Restrict access to management endpoints to named management IP ranges only, using ACLs or a separate out-of-band management network.
Deploy WAF signatures for known exploit patterns. Web application firewall rules detecting malformed SAML requests, oversized login parameters, and repeated requests to authentication endpoints provide a meaningful detection and blocking layer while patching is in progress.
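The detection layer described above, as an added example written for this post rather than a vendor WAF signature: three rules run over constructed request records. Rule 1 flags a bare form parameter with no '=' in a POST to /saml/login, rule 2 decodes the SAMLRequest and flags an AuthnRequest that does not parse or lacks a non-empty AssertionConsumerServiceURL, and rule 3 counts hits on /saml/login and /cgi/GetAuthMethods per client and flags a burst. The burst threshold and window, the sample traffic (documentation-range addresses) and the record format are assumptions; tune the threshold to your appliance's normal login rate before relying on it.

```python
# Detection logic for the request patterns described above: malformed SAML
# logins and bursts against authentication endpoints. Constructed example, not
# a vendor WAF rule; thresholds and sample traffic are assumptions.
import base64
import xml.etree.ElementTree as ET
import zlib
from collections import defaultdict, deque
from urllib.parse import parse_qs, urlencode

AUTH_ENDPOINTS = {"/saml/login", "/cgi/GetAuthMethods"}
BURST_THRESHOLD = 20        # assumption: tune to the appliance's normal login rate
BURST_WINDOW_SECONDS = 60


def decode_saml_request(encoded):
    """SAMLRequest is base64 XML (POST binding) or base64 of raw DEFLATE (Redirect binding)."""
    raw = base64.b64decode(encoded, validate=True)
    if not raw.startswith(b"<"):
        raw = zlib.decompress(raw, wbits=-15)
    return raw.decode("utf-8")


def inspect_saml_login_body(body):
    """Findings for one form-encoded POST /saml/login body (empty list = clean)."""
    findings = []
    # Rule 1: every parameter must carry a value; a bare name with no '=' is malformed.
    for pair in body.split("&"):
        if pair and "=" not in pair:
            findings.append(f"bare parameter without '=': {pair}")
    fields = parse_qs(body, keep_blank_values=True)
    encoded = fields.get("SAMLRequest", [""])[0]
    if not encoded:
        findings.append("SAMLRequest missing or empty")
        return findings
    # Rule 2: the AuthnRequest must parse and carry a non-empty AssertionConsumerServiceURL.
    try:
        root = ET.fromstring(decode_saml_request(encoded))
    except (ValueError, zlib.error, ET.ParseError) as exc:
        findings.append(f"SAMLRequest is not a decodable AuthnRequest: {exc}")
        return findings
    if not root.get("AssertionConsumerServiceURL"):
        findings.append("AuthnRequest lacks AssertionConsumerServiceURL")
    return findings


class BurstDetector:
    """Rule 3: too many hits on authentication endpoints from one client in a window."""

    def __init__(self, threshold=BURST_THRESHOLD, window=BURST_WINDOW_SECONDS):
        self.threshold = threshold
        self.window = window
        self.hits = defaultdict(deque)      # client_ip -> recent hit timestamps

    def observe(self, client_ip, path, ts):
        """Return True when this request pushes the client over the threshold."""
        if path not in AUTH_ENDPOINTS:
            return False
        q = self.hits[client_ip]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        return len(q) > self.threshold


def run_rules(requests):
    """Apply all rules to request records; return (client_ip, reason) alerts."""
    alerts = []
    burst = BurstDetector()
    for r in requests:
        if r["method"] == "POST" and r["path"] == "/saml/login":
            for finding in inspect_saml_login_body(r["body"]):
                alerts.append((r["ip"], finding))
        if burst.observe(r["ip"], r["path"], r["ts"]):
            alerts.append((r["ip"], "burst of requests to authentication endpoints"))
    return alerts


def make_post_body(xml_text):
    """Form-encode an AuthnRequest the way a SAML POST binding would."""
    return urlencode({"SAMLRequest": base64.b64encode(xml_text.encode()).decode()})


# Constructed sample traffic (documentation-range IPs, not real observations).
GOOD_AUTHN = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
              'ID="_c1" Version="2.0" IssueInstant="2026-03-27T10:00:00Z" '
              'AssertionConsumerServiceURL="https://sp.example.test/acs"/>')
BAD_AUTHN = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
             'ID="_c2" Version="2.0" IssueInstant="2026-03-27T10:00:01Z"/>')

SAMPLE_REQUESTS = (
    [{"ip": "198.51.100.10", "ts": 0, "method": "POST", "path": "/saml/login",
      "body": make_post_body(GOOD_AUTHN)},
     {"ip": "203.0.113.7", "ts": 1, "method": "GET", "path": "/cgi/GetAuthMethods", "body": ""}]
    + [{"ip": "203.0.113.7", "ts": 2 + i, "method": "POST", "path": "/saml/login",
        "body": make_post_body(BAD_AUTHN) + "&RelayState"}    # bare key, no '='
       for i in range(25)]
)

if __name__ == "__main__":
    for ip, reason in run_rules(SAMPLE_REQUESTS):
        print(ip, reason)
```

Rules 1 and 2 need the request body, so they belong in a WAF or reverse proxy that sees the POST, while rule 3 works from access logs alone. Rule 3 is deliberately blunt: the chain above relies on sending the same request repeatedly, so a per-client rate on the authentication endpoints catches the harvesting loop even when an attacker varies the body enough to slip past the structural checks.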
Terminate all active sessions after patching. This lesson from CitrixBleed 2023 still applies. Patch deployment does not invalidate sessions that were hijacked before the patch. Session termination is a mandatory post-patch step.
The Citrix NetScaler memory vulnerability family represents something uncomfortable about enterprise security: the assets we trust most to protect us - the gateway appliances, the VPN concentrators, the authentication controllers sitting at the perimeter - are themselves high-value attack surfaces that receive sustained, sophisticated attention from the world's most capable threat actors.
The Citrix NetScaler memory flaw is already being exploited. The time for proactive action was yesterday. The second best time is right now.
Happy cyber-exploration! 🚀🔒
Note: Feel free to drop your thoughts in the comments below - whether it's feedback, a topic you'd love to see covered, or just to say hi! Don't forget to join the forum for more engaging discussions and stay updated with the latest blog posts. Let's keep the conversation going and make cybersecurity a community effort!
-AJ