Attackers are industrializing the exploitation of a memory overread flaw to hijack enterprise sessions and bypass multi-factor authentication. This vulnerability targets the perimeter gateway at its most sensitive point: the identity provider interface.
CVE-2026-3055 is a critical out-of-bounds read vulnerability impacting Citrix NetScaler ADC and Gateway appliances configured as SAML Identity Providers. By sending crafted requests to SAML endpoints, an unauthenticated attacker can leak sensitive memory data, including administrative session IDs. This information allows for direct session takeover without triggering MFA prompts.
The exploitation of memory disclosure flaws in perimeter gateways has become a primary method for state-sponsored and criminal actors to achieve silent initial access. These attacks are exceptionally difficult to detect because the malicious requests often appear as legitimate, albeit malformed, authentication attempts.
– Apply the security updates for NetScaler ADC and Gateway version 14.1-66.59 or 13.1-62.23 immediately.
– Conduct a retroactive audit of gateway logs for anomalous GET requests targeting /saml/login or /wsfed/passive.
– Implement session timeouts and force the re-authentication of all users following the application of the patch.
– Monitor for session cookies being used from geographic locations or IP ranges that do not match the original login event.
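A minimal way to run the two log checks above (GET bursts against the SAML/WS-Fed endpoints, and session cookies reused from a source other than the login), as an added example that is not from the original post or from Citrix. It assumes a simplified, constructed log format rather than NetScaler's real syslog layout, an assumed burst threshold, and a plain source-IP mismatch standing in for the geographic check because no GeoIP lookup is available offline.

```python
import re
from collections import defaultdict
from datetime import datetime
SAML_PATHS = ("/saml/login", "/wsfed/passive")
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) sid=(\S+)$")
# Constructed sample log (simplified format, not NetScaler's real syslog layout):
# a login, the same session reused from another IP, then a burst of SAML GETs.
SAMPLE_LOG = """\
2026-03-01T09:00:00 198.51.100.10 GET /saml/login sid=abc123
2026-03-01T09:00:05 198.51.100.10 GET /vpn/index.html sid=abc123
2026-03-01T09:20:00 203.0.113.7 GET /vpn/index.html sid=abc123
2026-03-01T10:00:00 203.0.113.9 GET /saml/login?foo=1 sid=-
2026-03-01T10:00:01 203.0.113.9 GET /wsfed/passive?x=1 sid=-
2026-03-01T10:00:02 203.0.113.9 GET /saml/login?foo=2 sid=-
"""

def parse(log):  # yields (timestamp, src_ip, method, path without query, session id)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ip, method, path, sid = m.groups()
            yield datetime.fromisoformat(ts), ip, method, path.split("?")[0], sid

def saml_get_bursts(log, threshold=3, window_s=60):  # defaults are assumptions, tune them
    """Source IPs issuing >= threshold SAML/WS-Fed GETs within window_s seconds."""
    by_ip = defaultdict(list)
    for ts, ip, method, path, _ in parse(log):
        if method == "GET" and path in SAML_PATHS:
            by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_s:
                flagged[ip] = len(times)  # total SAML GETs seen from this source
                break
    return flagged

def session_reuse(log):  # assumption: no offline GeoIP, so an IP mismatch stands in for geography
    """Session IDs later presented from a source IP other than the login's."""
    origin, hits = {}, []
    for ts, ip, _, path, sid in parse(log):
        if sid == "-":
            continue  # unauthenticated request, nothing to bind
        if path in SAML_PATHS and sid not in origin:
            origin[sid] = ip  # first login event binds the session to its source
        elif sid in origin and origin[sid] != ip:
            hits.append((sid, origin[sid], ip, ts.isoformat()))
    return hits
```

Both functions return structured results so they can be fed into a SIEM rule or a ticket rather than only printed.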
Perimeter identity gateways must be treated as zero-trust endpoints where every memory read is a potential exfiltration path. #CodeDefence #Citrix #NetScaler #SAML
