Attackers are industrializing the exploitation of a memory overread flaw to hijack enterprise sessions and bypass multi-factor authentication. This vulnerability targets the perimeter gateway at its most sensitive point: the identity provider interface.
Tracked as CVE-2026-3055, this out-of-bounds read vulnerability impacts Citrix NetScaler ADC and Gateway appliances configured as SAML Identity Providers. By sending a crafted request to SAML-related endpoints, an unauthenticated attacker can leak sensitive memory data, including Base64-encoded session cookies and administrative IDs. This information allows for direct session takeover without triggering MFA prompts.
The exploitation of memory disclosure flaws in perimeter gateways has become a primary method for state-sponsored and criminal actors to achieve silent initial access. These attacks are often difficult to detect because they occur before a full authentication handshake is completed.
– Apply the security updates for NetScaler ADC and Gateway version 14.1-66.59 or 13.1-62.23 immediately.
– Conduct a retroactive audit of gateway logs for anomalous GET requests targeting /saml/login or /wsfed/passive.
– Implement session timeouts and force the re-authentication of all users following the application of the patch.
– Monitor for session cookies being used from geographic locations or IP ranges that do not match the original login event.
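The two log-review checks in the audit and monitoring points above can be scripted. The following is an added example, not code from the original post or from Citrix; it assumes a simplified, constructed access-log format (timestamp, source IP, country code, method, path, session cookie), which is not NetScaler's real ns.log layout, and the sample lines, IP addresses, cookie values and the probe threshold are invented for illustration. It flags sources sending bursts of cookie-less GET requests to /saml/login or /wsfed/passive, and session cookies that are later presented from a different IP or country than the one that first used them.

```python
"""Added example (not from the original post or from Citrix): two log checks
for the CVE-2026-3055 audit advice. The log format, sample lines, addresses,
cookie values and threshold are all constructed for this example and do not
reflect NetScaler's actual log layout."""
import re
from collections import Counter

# Endpoints named in the advisory text as the ones probed by the attacker.
SAML_PATHS = ("/saml/login", "/wsfed/passive")

# Constructed format: <time> <src_ip> <country> <method> <path> cookie=<value|->
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<cc>[A-Z]{2}) (?P<method>[A-Z]+) "
    r"(?P<path>\S+) cookie=(?P<cookie>\S+)$"
)

# Constructed sample: one source hammering the SAML endpoints without a
# session, one normal login, then that login's cookie reused from elsewhere.
SAMPLE_LOG = """\
2026-03-01T10:00:01Z 203.0.113.7 DE GET /saml/login cookie=-
2026-03-01T10:00:01Z 203.0.113.7 DE GET /saml/login cookie=-
2026-03-01T10:00:02Z 203.0.113.7 DE GET /wsfed/passive cookie=-
2026-03-01T10:00:02Z 203.0.113.7 DE GET /saml/login cookie=-
2026-03-01T10:00:03Z 203.0.113.7 DE GET /wsfed/passive cookie=-
2026-03-01T10:05:00Z 198.51.100.20 FR POST /saml/login cookie=-
2026-03-01T10:05:01Z 198.51.100.20 FR GET /vpn/index.html cookie=NSC_abc123
2026-03-01T10:09:00Z 203.0.113.7 DE GET /vpn/index.html cookie=NSC_abc123
2026-03-01T10:30:00Z 192.0.2.55 FR GET /saml/login cookie=-
"""


def parse(log_text):
    """Parse the constructed log format into dicts; skip non-matching lines."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def flag_saml_probes(events, threshold=3):
    """Return {ip: count} for sources sending >= threshold cookie-less GETs to
    the SAML/WS-Fed endpoints. A normal IdP flow touches these paths once or
    twice; a burst of unauthenticated GETs deserves a closer look. The
    threshold is an assumption to tune against your own baseline."""
    counts = Counter(
        e["ip"] for e in events
        if e["method"] == "GET" and e["path"] in SAML_PATHS and e["cookie"] == "-"
    )
    return {ip: n for ip, n in counts.items() if n >= threshold}


def flag_cookie_reuse(events):
    """Return (cookie, first_ip, first_cc, later_ip, later_cc) tuples where a
    session cookie first seen from one source is later presented from a
    different IP or country: the reuse pattern behind a session takeover."""
    first_seen = {}
    findings = []
    for e in events:
        if e["cookie"] == "-":
            continue
        origin = first_seen.setdefault(e["cookie"], (e["ip"], e["cc"]))
        if (e["ip"], e["cc"]) != origin:
            findings.append((e["cookie"], origin[0], origin[1], e["ip"], e["cc"]))
    return findings


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("probing sources:", flag_saml_probes(evs))
    print("cookie reuse:", flag_cookie_reuse(evs))
```

Both checks are deliberately simple: the first counts rather than pattern-matches request bodies, so it does not depend on knowing the exact crafted request, and the second keys on the cookie value alone, so it still fires when the reuse comes from an address inside an otherwise trusted range. Feed them the real gateway log only after adapting LOG_RE to its actual field layout.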
Perimeter identity gateways must be treated as zero-trust endpoints where every memory read is a potential exfiltration path. #CodeDefence #Citrix #NetScaler #SAML
