What Happened
CVE-2026-3055 is a memory overread vulnerability in Citrix NetScaler ADC and NetScaler Gateway appliances. Citrix patched the flaw in late March 2026. CISA added it to the Known Exploited Vulnerabilities catalog and set April 2, 2026 as the remediation deadline for Federal Civilian Executive Branch agencies. Active exploitation from source IPs attributed to known threat actors was first observed on March 27, 2026.
The vulnerability exists in the NetScaler SAML Identity Provider implementation. An unauthenticated remote attacker sends a malformed HTTP request to the /saml/login endpoint in which the AssertionConsumerServiceURL field is omitted from the SAMLRequest body. The appliance's response contains an NSC_TASS cookie populated with raw memory read from the appliance process. Leaked data can include session tokens, fragments of authentication credentials, and any other sensitive material resident in appliance memory at the time of the request.
Exploitation requires no prior authentication or knowledge of user credentials. The attack is executable from the public internet against any internet-exposed NetScaler appliance operating in SAML IDP mode. Appliances not configured as SAML Identity Providers are not affected by this flaw.
Affected versions are NetScaler ADC and Gateway releases prior to 14.1-60.58, prior to 13.1-62.23, and prior to 13.1-37.262; these three builds are the first fixed releases on their respective branches.
Why This Matters for Canadian Organizations
Citrix NetScaler ADC and Gateway rank among the most widely deployed network security appliances in Canadian enterprises, financial institutions, healthcare systems, and government networks. NetScaler serves as the primary application delivery controller, VPN gateway, and authentication chokepoint for enterprise-wide systems access in a large portion of major Canadian organizations.
A successful CVE-2026-3055 attack against a NetScaler SAML IDP exposes session tokens for all downstream SAML-connected applications. In typical enterprise deployments, this includes Microsoft 365, Salesforce, internal HR and financial systems, and Government of Canada applications. Stolen tokens allow attackers to authenticate directly to these systems without any user credentials. Because multi-factor authentication is completed at the identity provider before the token is issued, a stolen token carries an already-satisfied MFA check, which is why it bypasses MFA in most SAML federation configurations.
Federal departments and provincial government agencies operating NetScaler as a government identity federation gateway face direct exposure risk for public-sector application sessions. Healthcare organizations using NetScaler as the authentication gateway for electronic health record access face potential patient data exposure, triggering both federal PIPEDA and provincial health privacy reporting obligations.
Organizations whose NetScaler appliances were internet-accessible in SAML IDP mode between March 27 and the application of the available patch should treat all active sessions issued during this window as potentially compromised.
What to Do
Patch NetScaler ADC and Gateway to version 14.1-60.58 or later, 13.1-62.23 or later, or 13.1-37.262 or later immediately. If SAML Identity Provider configuration is not required for business operations, disable it at the appliance level as a compensating control; this reduces exposure but does not replace the patch.
Review NetScaler access logs for HTTP requests to /saml/login with missing or malformed AssertionConsumerServiceURL values, especially from external IP addresses, covering at minimum the period since March 27, 2026. Invalidate all active sessions issued through the NetScaler SAML IDP since March 27 and force re-authentication across all downstream connected applications.
Audit SAML assertion logs for unusual federated authentication events across Microsoft 365, cloud platforms, and internal systems. Look for login activity from unexpected IP addresses or geographic locations following SAML assertions.
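As an added example (not code from the original article, from Citrix, or from the cited reports), the following Python triages access-log lines for the request pattern described in the log-review step above: requests to /saml/login whose SAMLRequest decodes to an AuthnRequest with no AssertionConsumerServiceURL. It assumes a common-log-style format with the request line quoted and that the SAMLRequest parameter appears in the logged query string (the SAML HTTP-Redirect binding, which is DEFLATE then base64). The log lines and AuthnRequest documents are constructed here. A POST-binding request carries SAMLRequest in the body, which an access log does not normally record, so those requests are flagged for follow-up from packet capture or WAF logs rather than silently passed.

```python
"""Triage access-log lines for /saml/login requests whose SAMLRequest lacks
AssertionConsumerServiceURL. The log layout and all sample data below are
assumptions constructed for this example, not NetScaler's own log format."""
import base64
import re
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote, urlsplit

SAML_LOGIN_PATH = "/saml/login"
# Assumed log layout: client IP, two dashes, [timestamp], "METHOD target HTTP/x", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def encode_redirect_binding(xml_text: str) -> str:
    """SAML HTTP-Redirect binding: raw DEFLATE, then base64 (used only to build sample data)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()


def decode_saml_request(value: str) -> str:
    """Undo either binding: inflate first (Redirect), fall back to plain base64 (POST)."""
    value = value.replace(" ", "+")            # a '+' logged unencoded becomes a space in parse_qs
    raw = base64.b64decode(value + "=" * (-len(value) % 4))
    try:
        return zlib.decompress(raw, -15).decode("utf-8", "replace")
    except zlib.error:
        return raw.decode("utf-8", "replace")


def classify_request(target: str) -> str:
    """Classify one request target: not_saml, no_body, malformed, missing_acs or ok."""
    parts = urlsplit(target)
    if parts.path != SAML_LOGIN_PATH:
        return "not_saml"
    params = parse_qs(parts.query)
    if "SAMLRequest" not in params:
        # POST binding puts SAMLRequest in the body, which an access log does not record:
        # these need packet capture or WAF logs, so flag them rather than pass them.
        return "no_body"
    try:
        root = ET.fromstring(decode_saml_request(params["SAMLRequest"][0]))
    except (ET.ParseError, ValueError):        # binascii.Error is a ValueError
        return "malformed"
    return "ok" if root.attrib.get("AssertionConsumerServiceURL") else "missing_acs"


def triage(log_lines):
    """Return (ip, timestamp, method, verdict) for every line that warrants review."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        verdict = classify_request(m["target"])
        if verdict in ("missing_acs", "malformed", "no_body"):
            findings.append((m["ip"], m["ts"], m["method"], verdict))
    return findings


# Constructed sample data: one well-formed AuthnRequest and one with the ACS URL omitted.
_NS = 'xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
AUTHN_OK = (f'<samlp:AuthnRequest {_NS} ID="_a1" Version="2.0" IssueInstant="2026-03-27T10:00:00Z" '
            'AssertionConsumerServiceURL="https://sp.example.test/acs"/>')
AUTHN_NO_ACS = f'<samlp:AuthnRequest {_NS} ID="_a2" Version="2.0" IssueInstant="2026-03-27T10:00:05Z"/>'


def _line(ip, ts, method, target, status, size):
    return f'{ip} - - [{ts}] "{method} {target} HTTP/1.1" {status} {size}'


SAMPLE_LOG = [  # constructed lines using RFC 5737 documentation addresses
    _line("203.0.113.10", "27/Mar/2026:10:00:00 +0000", "GET",
          "/saml/login?SAMLRequest=" + quote(encode_redirect_binding(AUTHN_OK), safe=""), 200, 512),
    _line("198.51.100.7", "27/Mar/2026:10:00:05 +0000", "GET",
          "/saml/login?SAMLRequest=" + quote(encode_redirect_binding(AUTHN_NO_ACS), safe=""), 200, 8192),
    _line("198.51.100.7", "27/Mar/2026:10:00:06 +0000", "GET",
          "/saml/login?SAMLRequest=bm90LXhtbA", 400, 0),   # base64 of "not-xml": not an AuthnRequest
    _line("192.0.2.44", "27/Mar/2026:10:01:00 +0000", "POST", "/saml/login", 200, 512),
    _line("192.0.2.44", "27/Mar/2026:10:02:00 +0000", "GET", "/vpn/index.html", 200, 1024),
]

if __name__ == "__main__":
    for ip, ts, method, verdict in triage(SAMPLE_LOG):
        print(f"{ts} {ip} {method} {SAML_LOGIN_PATH}: {verdict}")
```

Run against the constructed sample, the script reports the request with no AssertionConsumerServiceURL, the request whose SAMLRequest does not decode to XML, and the POST whose body is not in the log; the well-formed request and the non-SAML request are not reported. Source IPs that appear in the first two categories are the ones to cross-check against the downstream SAML assertion logs in the following step.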
Report confirmed exploitation indicators to the Canadian Centre for Cyber Security at contact@cyber.gc.ca.
Source: BleepingComputer | The Hacker News