Please, We Beg, Just One Weekend Free Of Appliances (Citrix NetScaler CVE-2026-3055 Memory Overread Part 2)
Key Points:
- CVE-2026-3055 is not a single vulnerability but comprises at least two distinct memory overread flaws in Citrix NetScaler appliances, affecting endpoints /saml/login and /wsfed/passive?wctx.
- Exploitation requires the appliance to be configured as a SAML Identity Provider, a configuration considered insecure and ill-suited for NetScaler devices.
- In-the-wild exploitation has been observed since at least March 27th, with attackers leaking sensitive memory contents including administrative session IDs, effectively gaining unauthorized administrative access.
- The vulnerability allows attackers to trigger memory leaks by sending crafted requests with a specific wctx query parameter, resulting in base64-encoded sensitive data being returned in cookies.
- To aid defenders, watchTowr Labs has released a Detection Artifact Generator script to identify vulnerable Citrix NetScaler hosts, and stresses that organizations should urgently assess and remediate affected systems.
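
A log-triage sketch for the two endpoints and the cookie behaviour listed above. This is an added example, not watchTowr's Detection Artifact Generator and not code from the original post. It assumes combined-log-style request lines; the sample lines, the function names `hunt` and `cookie_looks_binary`, and the 0.3 threshold are constructed for illustration.

```python
import base64, binascii, re
from urllib.parse import urlsplit, parse_qs

WATCHED = {"/saml/login", "/wsfed/passive"}  # endpoints named in the key points
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3}) ')

# Constructed sample data: combined-log-style lines (the format is an assumption).
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2030:03:14:07 +0000] "GET /wsfed/passive?wctx=CONSTRUCTED HTTP/1.1" 200 512
198.51.100.7 - - [01/Jan/2030:03:14:08 +0000] "GET /wsfed/passive?wctx=CONSTRUCTED HTTP/1.1" 200 512
203.0.113.9 - - [01/Jan/2030:09:00:00 +0000] "POST /saml/login HTTP/1.1" 302 0
203.0.113.20 - - [01/Jan/2030:09:01:00 +0000] "GET /index.html HTTP/1.1" 200 1043
"""

def hunt(log_text):
    """Map source IP -> list of (timestamp, path, has_wctx) for watched endpoints."""
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines the assumed format does not match
        ip, ts, target, _status = m.groups()
        url = urlsplit(target)
        path = url.path.rstrip("/").lower()
        if path not in WATCHED:
            continue
        params = {k.lower() for k in parse_qs(url.query, keep_blank_values=True)}
        hits.setdefault(ip, []).append((ts, path, "wctx" in params))
    return hits

def cookie_looks_binary(value, threshold=0.3):
    """True if a cookie value is valid base64 that decodes to mostly non-text bytes."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False  # not base64 at all
    if not raw:
        return False
    # Count control bytes (except tab/LF/CR) and bytes above printable ASCII.
    nontext = sum(1 for b in raw if (b < 0x20 and b not in (9, 10, 13)) or b > 0x7E)
    return nontext / len(raw) >= threshold

if __name__ == "__main__":
    for ip, events in hunt(SAMPLE_LOG).items():
        print(ip, len(events), "request(s);", sum(e[2] for e in events), "with wctx")
```

A hit is a lead for review, not proof of exploitation: an appliance configured as a SAML Identity Provider receives legitimate traffic on these paths. `cookie_looks_binary` is meant for cookie values taken from proxy or packet captures, since access logs normally omit response headers.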