Attackers are leveraging an unauthenticated memory overread vulnerability to bypass multi-factor authentication on enterprise gateways. This flaw specifically targets the most sensitive part of the perimeter: the identity provider service responsible for managing user sessions.
CVE-2026-3055 affects Citrix NetScaler ADC and Gateway appliances configured as SAML Identity Providers. By sending crafted requests to specific SAML endpoints, an attacker can leak administrative session IDs directly from system memory. This technique enables full session hijacking without the need for valid credentials or a secondary authentication factor. CISA added this vulnerability to the KEV catalog following confirmed reports of in-the-wild abuse.
The recurrence of memory disclosure flaws in perimeter hardware suggests that legacy code handling complex XML and SAML protocols remains a critical failure point. Security teams often focus on patching RCE, but memory disclosure is frequently more dangerous because it allows for silent access that bypasses logs designed to flag failed login attempts.
– Apply the emergency security updates for NetScaler ADC and Gateway version 14.1-66.59 or 13.1-62.23.
– Monitor gateway logs for anomalous GET requests targeting SAML login endpoints from unfamiliar IP ranges.
– Terminate all active administrative sessions and force a re-authentication event once the patch is applied.
– Utilize Conditional Access policies to restrict administrative logins to known, verified corporate network blocks.
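A sketch of the log-monitoring step above, added here as an illustration and not taken from Citrix or CISA guidance: it counts GET requests to SAML login paths per source IP and reports sources outside known network blocks. The log line format (Common Log Format style), the endpoint path, the network ranges and the threshold are all assumptions to replace with your own values.

```python
import ipaddress
import re
from collections import Counter

# Assumptions (not from the advisory): replace with your environment's values.
SAML_PATH_PREFIXES = ("/example-saml/login",)  # placeholder endpoint path
KNOWN_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "198.51.100.0/24")]
THRESHOLD = 3  # GETs from one unfamiliar source before it is reported

# Assumed line shape: ip - user [time] "METHOD path proto" status size
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

def is_known(ip):
    """True if the address falls inside a verified corporate network block."""
    return any(ip in net for net in KNOWN_NETWORKS)

def suspicious_sources(lines, threshold=THRESHOLD):
    """Return {ip: count} for unfamiliar IPs with >= threshold GETs to SAML paths."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the run
        src, method, path, _status = m.groups()
        try:
            ip = ipaddress.ip_address(src)
        except ValueError:
            continue  # first field was not an IP address
        path_only = path.split("?", 1)[0]  # ignore the query string when matching
        if method == "GET" and path_only.startswith(SAML_PATH_PREFIXES) and not is_known(ip):
            hits[src] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}

def _line(ip, method, path):
    # Builds a constructed sample log line; timestamp and sizes are made up.
    return f'{ip} - - [01/Jan/2026:00:00:00 +0000] "{method} {path} HTTP/1.1" 200 512'

# Constructed sample data using documentation address ranges.
SAMPLE = (
    [_line("203.0.113.7", "GET", "/example-saml/login?id=1")] * 4
    + [_line("203.0.113.7", "POST", "/example-saml/login")]
    + [_line("198.51.100.20", "GET", "/example-saml/login")] * 5
    + [_line("192.0.2.9", "GET", "/example-saml/login")]
    + ["garbled line"]
)

if __name__ == "__main__":
    for ip, count in suspicious_sources(SAMPLE).items():
        print(f"review: {ip} sent {count} GETs to SAML login paths")
```

Successful (HTTP 200) responses are counted on purpose, since a memory overread does not show up as a failed login.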
Perimeter identity services are the high-value pivot points for modern intrusions; their compromise grants immediate, trusted access to the internal network. #CodeDefence #Citrix #NetScaler #ZeroTrust
