LIVE NEWSROOM · May 30, 2026
A LIBRARY FOR SECURITY RESEARCHERS

CVE-2026-3055: Citrix NetScaler CVSS 9.3 Flaw Now Has Metasploit Scanner


CVE-2026-3055, a Critical-rated (CVSS 9.3) unauthenticated memory overread in Citrix NetScaler ADC and NetScaler Gateway, is in CISA's Known Exploited Vulnerabilities catalog and confirmed under active exploitation. As of May 29, 2026, a public Metasploit scanner module reduces mass detection of vulnerable appliances to a point-and-click operation. Any organization running NetScaler configured as a SAML Identity Provider that has not yet applied the patch is directly in scope.

// 01 CVE-2026-3055: Technical Details

CVE-2026-3055 is a critical unauthenticated memory-disclosure flaw in Citrix NetScaler ADC and NetScaler Gateway, the Citrix application delivery and VPN platform that thousands of enterprises use for remote access. It carries a CVSS base score of 9.3 (Critical). The vector circulated with the advisory summary is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H; be aware that this v3.1 vector computes to 9.8, not 9.3, so either the score or the vector string has been transcribed wrongly. Take the authoritative score and vector from Citrix's advisory (recent Citrix NetScaler advisories carry CVSS v4.0 scores). The exploitability metrics are not in doubt; in practice they mean:

  • AV:N — Attack Vector: Network. The attacker sends malformed HTTP requests from anywhere on the internet.
  • AC:L — Attack Complexity: Low. No race conditions, no special timing, no target-side preconditions beyond the configuration requirement.
  • PR:N — Privileges Required: None. The attacker does not need any credentials or prior access to the appliance.
  • UI:N — User Interaction: None. The attack is fully silent; no victim click or action is required.
  • C:H/I:H/A:H — High Confidentiality, Integrity, and Availability impact. The direct effect of a memory overread is confidentiality loss (process memory is disclosed); the integrity and availability ratings reflect what an attacker can do after replaying a leaked session token against the applications behind the appliance.

Root cause: When Citrix NetScaler ADC is configured as a SAML Identity Provider (SAML IDP, the role in which the appliance authenticates users on behalf of other services using the SAML 2.0 federated identity standard), it fails to enforce input boundaries when processing authentication requests. An attacker sends either a malformed SAML request to the /saml/login endpoint with the AssertionConsumerServiceURL field omitted, or a malformed WS-Federation (wFed) request to /wsfed/passive?wctx with an empty wctx parameter. The appliance's request handler then reads past the end of the allocated buffer (an out-of-bounds read) into adjacent process memory.

The leaked data, which can include active session tokens, SAML assertions, LDAP credentials, and other sensitive runtime data, is returned to the attacker base64-encoded in the NSC_TASS cookie that the appliance sets in its HTTP response (Set-Cookie header). An attacker who decodes this cookie can replay the extracted session tokens to authenticate to applications protected by the compromised NetScaler without ever possessing valid credentials.

Critically: only systems configured as SAML IDP are vulnerable. Citrix NetScaler ADC in default configuration is not affected. Organizations using NetScaler as a load balancer or in non-SAML-IDP modes should verify their configuration but are not in scope for CVE-2026-3055 exploitation.

[Figure: CVE-2026-3055 Citrix NetScaler exploit flow — SAML IDP memory overread]

Affected versions:

  • NetScaler ADC and NetScaler Gateway 14.1 before 14.1-66.59
  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-62.23
  • NetScaler ADC 13.1-FIPS and 13.1-NDcPP before 13.1-37.262

Patched versions: 14.1-66.59, 13.1-62.23, and 13.1-FIPS/NDcPP 13.1-37.262. Citrix's security advisory provides download links and upgrade instructions.
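As an added example (not Citrix's, Metasploit's or this article's code), the following Python combines the two scoping questions above: is the build older than the fixed build for its train, and is a SAML IDP policy actually bound on the appliance? It lets an operator pre-triage a fleet from exported `show ns version` and `show ns runningConfig` output before running any scanner, and it also covers the configuration check in the recommendations further down. The version-string and config-line formats it matches, and the sample text it runs on, are assumptions based on typical NetScaler CLI output, not taken from a real appliance; confirm them against your own boxes.

```python
"""Offline pre-check for CVE-2026-3055 scope: is the build older than the fixed
build for its train, and is a SAML IDP policy actually bound on the appliance?
Added example, not Citrix's or the article's code. The `show ns version` and
`show ns runningConfig` line formats matched below are assumed from typical
NetScaler CLI output; the sample texts are constructed."""
import re

# Fixed builds from the advisory summary: (release, fips_or_ndcpp) -> (build, minor).
# The FIPS/NDcPP 13.1 train carries its own 37.x build numbers, so the caller
# must say which train a 13.1 appliance is on; the version string alone is ambiguous.
FIXED_BUILDS = {
    ("14.1", False): (66, 59),
    ("13.1", False): (62, 23),
    ("13.1", True): (37, 262),
}

_VERSION_RE = re.compile(r"NetScaler NS(?P<release>\d+\.\d+): Build (?P<build>\d+)\.(?P<minor>\d+)")


def parse_ns_version(text: str):
    """Return (release, build, minor) from `show ns version` output, e.g.
    'NetScaler NS13.1: Build 58.32.nc, ...' -> ('13.1', 58, 32)."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("unrecognised NetScaler version string")
    return m["release"], int(m["build"]), int(m["minor"])


def build_is_vulnerable(version_text: str, fips: bool = False) -> bool:
    """True when the build is below the fixed build for its train.
    Trains not listed in the advisory (e.g. 12.1) return False, which means
    'not in the advisory', not 'safe'."""
    release, build, minor = parse_ns_version(version_text)
    fixed = FIXED_BUILDS.get((release, fips))
    return fixed is not None and (build, minor) < fixed


def saml_idp_bindings(running_config: str) -> dict:
    """Find SAML IDP policies and where they are bound. A policy that exists
    but is bound to no authentication vserver is listed under 'unbound'."""
    policies, bound = set(), []
    for line in running_config.splitlines():
        line = line.strip()
        m = re.match(r"add authentication samlIdPPolicy (\S+)", line)
        if m:
            policies.add(m.group(1))
            continue
        m = re.match(r"bind authentication vserver (\S+) -policy (\S+)", line)
        if m and m.group(2) in policies:
            bound.append((m.group(1), m.group(2)))
    # Assumption: vserver bindings only. nFactor policy labels can also carry
    # SAML IDP policies; extend the second regex if your config binds them that way.
    unbound = sorted(policies - {pol for _, pol in bound})
    return {"bound": bound, "unbound": unbound}


def exposure(version_text: str, running_config: str, fips: bool = False) -> dict:
    """In scope only if the build is vulnerable AND a SAML IDP policy is bound."""
    vuln = build_is_vulnerable(version_text, fips)
    idp = saml_idp_bindings(running_config)
    return {"vulnerable_build": vuln, "saml_idp_bound": bool(idp["bound"]),
            "in_scope": vuln and bool(idp["bound"]), "unbound_policies": idp["unbound"]}


# Constructed sample output; not from a real appliance.
SAMPLE_VERSION = "NetScaler NS13.1: Build 58.32.nc, Date: Jan 15 2026, 10:04:11   (estimated)"
SAMPLE_CONFIG = """\
add authentication samlIdPProfile idp_prof -samlIdPCertName idp_cert
add authentication samlIdPPolicy idp_pol -rule true -action idp_prof
add authentication samlIdPPolicy idp_pol_old -rule true -action idp_prof
add authentication vserver auth_vs SSL 10.0.0.5 443
bind authentication vserver auth_vs -policy idp_pol -priority 100
"""

if __name__ == "__main__":
    print(exposure(SAMPLE_VERSION, SAMPLE_CONFIG))
```

Run it against the exported text of each appliance. Treat "vulnerable_build" as the patch-priority signal on its own; "in_scope" narrows to the appliances that should also be hunted and have credentials rotated. The unbound list is worth a look too, since a policy that is unbound today may have been bound during the exposure window.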

// 02 Exploitation Status and Threat Landscape

CVE-2026-3055 was publicly disclosed on March 23, 2026. Within four days, by March 27, Rapid7 researchers observed active exploitation attempts against internet-exposed NetScaler appliances. CISA added it to the Known Exploited Vulnerabilities (KEV) catalog on March 30, 2026; under Binding Operational Directive 22-01, U.S. federal civilian agencies were required to remediate by the April 2, 2026 due date. Private organizations are not bound by BOD 22-01, but KEV inclusion is a strong signal of confirmed, weaponized exploitation.

The new development as of May 29, 2026 is the release of a public Metasploit scanner module, auxiliary/scanner/http/citrix_netscaler_cve_2026_3055, contributed to the Metasploit Framework by sfewer-r7 and watchTowr (PR #21204). Metasploit is the widely used open-source penetration testing framework; its scanner modules automate detection of a given vulnerability across many hosts at once:

# Using the new Metasploit scanner to identify exposed CVE-2026-3055 instances
use auxiliary/scanner/http/citrix_netscaler_cve_2026_3055
set RHOSTS <target_range>
run
# Reports, per host, whether the NSC_TASS response cookie contained exfiltrated session data

While Metasploit scanner modules are primarily designed for authorized penetration testing and security assessments, the public availability of a ready-to-use scanner module significantly lowers the technical barrier for scanning campaigns by threat actors as well. Attackers who previously needed to write custom tooling to exploit CVE-2026-3055 can now run a single Metasploit command against a range of targets.

This mirrors the pattern after public exploit code and a Metasploit module appeared for CitrixBleed (CVE-2023-4966) in late 2023, which was followed by a wave of exploitation by ransomware groups including LockBit and ALPHV.

// 03 Who Is Affected

Organizations running any of the following configurations should treat this as a critical-priority patch:

  • Citrix NetScaler ADC or NetScaler Gateway on versions listed as vulnerable above, configured with SAML IDP enabled
  • Remote access deployments where NetScaler handles federated authentication for internal applications
  • Managed service providers and cloud environments where NetScaler acts as a centralized SAML broker for multiple tenants

Organizations that do not use SAML IDP on their NetScaler appliances remain safe from this specific attack vector, though they should still evaluate patching given the severity rating and the breadth of Citrix's installed base as a recurring target.

// 04 What You Should Do Right Now

  • Verify whether your NetScaler is configured as a SAML IDP. Log into the management interface (NSIP) and check whether a SAML Identity Provider profile and policy exist and whether that policy is bound to any authentication virtual server. If no SAML IDP is configured, the appliance is not vulnerable to CVE-2026-3055 via this specific attack vector.
  • Audit NetScaler access logs for the period since March 23, 2026 for malformed SAML requests to /saml/login (a SAMLRequest with no AssertionConsumerServiceURL) and for requests to /wsfed/passive with an empty or valueless wctx parameter. Look for responses that set the NSC_TASS cookie where the request came from external, non-corporate IP addresses.
  • Rotate any sessions, tokens, and credentials that could have been exposed via the NSC_TASS cookie exfiltration path, including SAML assertion signing keys, LDAP service account credentials, and any active application sessions that passed through the SAML IDP. Patching alone does not invalidate tokens that leaked before the patch.
  • Run an internal CVE-2026-3055 scan against your NetScaler appliances using the newly released Metasploit module, in an authorized assessment context, to confirm patch status before removing appliances from the immediate patch queue:

    msfconsole -q -x "use auxiliary/scanner/http/citrix_netscaler_cve_2026_3055; set RHOSTS <internal_range>; run; exit"

  • Enable network-layer detection. Alert on requests to /saml/login and /wsfed/passive that arrive without a valid AssertionConsumerServiceURL or with a valueless wctx parameter, particularly from non-corporate source IPs.
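The log-audit and detection steps above, as an added example in Python (not the article's, Citrix's or Metasploit's code). It classifies request/response records against the indicators the article gives: a SAMLRequest to /saml/login that decodes (plain base64 for the HTTP-POST binding, raw DEFLATE for the HTTP-Redirect binding) to an AuthnRequest with no AssertionConsumerServiceURL; /wsfed/passive with an empty wctx; NSC_TASS set in the response to such a request; and an external source address. The record layout, the corporate ranges and the sample traffic are constructed assumptions, not captured data.

```python
"""Hunt for CVE-2026-3055 probe traffic in HTTP request/response records.
Added example (not the article's, Citrix's or Metasploit's code). It assumes
per-request records captured in front of the vserver (WAF, reverse proxy or
PCAP reassembly) with: source IP, request URI, POST body, and the response's
Set-Cookie headers. SAMPLE_RECORDS and CORP_NETS below are constructed."""
import base64
import ipaddress
import zlib
from urllib.parse import parse_qs, quote

# Assumed corporate source ranges; anything else counts as external.
CORP_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("203.0.113.0/24")]


def decode_saml_request(value: str) -> str:
    """Decode a SAMLRequest parameter. HTTP-POST binding sends plain base64 XML;
    HTTP-Redirect binding sends base64 of raw-DEFLATE-compressed XML."""
    raw = base64.b64decode(value)
    if not raw.lstrip().startswith(b"<"):
        raw = zlib.decompress(raw, -15)  # -15: raw DEFLATE, no zlib header
    return raw.decode("utf-8", errors="replace")


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in CORP_NETS)


def classify(rec: dict) -> list:
    """Return the indicators matched by one record (empty list = nothing suspicious)."""
    hits = []
    path, _, query = rec["uri"].partition("?")
    params = parse_qs(query, keep_blank_values=True)
    params.update(parse_qs(rec.get("body", ""), keep_blank_values=True))

    if path == "/saml/login":
        saml = params.get("SAMLRequest", [None])[0]
        if saml is None:
            hits.append("saml_login_without_SAMLRequest")  # assumption: treat as malformed
        else:
            try:
                xml = decode_saml_request(saml)
            except (ValueError, zlib.error):
                hits.append("saml_request_undecodable")
            else:
                if "AssertionConsumerServiceURL" not in xml:
                    hits.append("saml_request_missing_ACS_URL")

    # "/wsfed/passive?wctx" and "wctx=" both parse to an empty value.
    if path == "/wsfed/passive" and params.get("wctx") == [""]:
        hits.append("wsfed_empty_wctx")

    # NSC_TASS is only interesting when it answers a malformed request.
    if hits and any(c.startswith("NSC_TASS=") for c in rec.get("set_cookie", [])):
        hits.append("NSC_TASS_set_in_response")
    if hits and is_external(rec["src"]):
        hits.append("external_source")
    return hits


def hunt(records):
    """Return (src, uri, hits) for every record that matched at least one indicator."""
    return [(r["src"], r["uri"], h) for r in records if (h := classify(r))]


# ---- constructed sample traffic ------------------------------------------
def _post_b64(xml: bytes) -> str:
    return quote(base64.b64encode(xml).decode(), safe="")


def _redirect_b64(xml: bytes) -> str:
    co = zlib.compressobj(9, zlib.DEFLATED, -15)
    return quote(base64.b64encode(co.compress(xml) + co.flush()).decode(), safe="")


_NS = 'xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
GOOD_AUTHN = f'<samlp:AuthnRequest {_NS} ID="_1" AssertionConsumerServiceURL="https://app.example/acs"/>'.encode()
BAD_AUTHN = f'<samlp:AuthnRequest {_NS} ID="_2"/>'.encode()

SAMPLE_RECORDS = [
    {"src": "10.1.2.3", "uri": "/saml/login", "body": "SAMLRequest=" + _post_b64(GOOD_AUTHN), "set_cookie": []},
    {"src": "198.51.100.7", "uri": "/saml/login", "body": "SAMLRequest=" + _post_b64(BAD_AUTHN),
     "set_cookie": ["NSC_TASS=QUJDREVGRw==; Path=/; Secure"]},
    {"src": "198.51.100.8", "uri": "/saml/login?SAMLRequest=" + _redirect_b64(BAD_AUTHN), "set_cookie": []},
    {"src": "198.51.100.9", "uri": "/wsfed/passive?wctx", "set_cookie": ["NSC_TASS=QUJDREVGRw==; Path=/"]},
    {"src": "10.5.5.5", "uri": "/wsfed/passive?wa=wsignin1.0&wctx=rm%3D0", "set_cookie": []},
]

if __name__ == "__main__":
    for src, uri, hits in hunt(SAMPLE_RECORDS):
        print(src, uri[:40], hits)
```

The record builder is the part to adapt: NetScaler does not write per-request access logs for a vserver by default (NetScaler Web Logging, an upstream WAF or proxy, or PCAP is the usual source), and whichever you use must preserve the response's Set-Cookie headers, or the NSC_TASS indicator cannot fire. The same `classify` logic, minus the cookie check, is what a network-layer alert rule should encode.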

// 05 Background: Understanding the Risk

CVE-2026-3055 is the latest in a string of high-severity vulnerabilities affecting Citrix NetScaler ADC and Gateway. CitrixBleed (CVE-2023-4966), disclosed in 2023, was a near-identical class of vulnerability — an unauthenticated memory overread that leaked session tokens via HTTP response cookies — and was exploited by multiple ransomware groups to breach major organizations including Boeing, Allen & Overy, and the Industrial & Commercial Bank of China. The pattern is consistent: Citrix appliances are high-value targets because they sit at the network perimeter and handle authentication for a large number of internal applications.

SAML IDP (Security Assertion Markup Language Identity Provider) is the specific role that makes CVE-2026-3055 exploitable. SAML is the protocol that allows an enterprise to use a single trusted service — in this case, the NetScaler appliance — to authenticate users for many downstream applications (internal portals, SaaS services, partner integrations). When the IDP is compromised, every application that trusts it is simultaneously compromised as well. An attacker with a stolen SAML session token can move laterally across the entire federation without triggering password-based authentication controls.

The two-month gap between public disclosure (March 23) and the Metasploit scanner release (May 29) is not a gap in weaponization: exploitation was observed within four days of disclosure, and CISA listed the bug a week after. What changed on May 29 is availability. Organizations that have not yet patched have already been operating inside a window of confirmed exploitation; the scanner module now extends that exposure to less sophisticated actors who could not write their own tooling.

// 06 Conclusion

CVE-2026-3055 is a CISA KEV-listed Critical vulnerability that has been under active exploitation for two months and now has a public Metasploit scanner. Any Citrix NetScaler ADC or Gateway configured as a SAML IDP that remains unpatched should be treated as potentially compromised: patch, then hunt and rotate. Upgrade to 14.1-66.59, 13.1-62.23, or 13.1-FIPS/NDcPP 13.1-37.262 immediately. If patching must be delayed, unbinding the SAML IDP policy removes the exposed path as a stopgap, at the cost of breaking federated login for every application that relies on the appliance; begin credential and session rotation now in either case.

For any query contact us at contact@cipherssecurity.com

    Team Ciphers Security
    The Ciphers Security editorial team: practitioners covering daily threat intel, CVE deep-dives, and hands-on cybersecurity research.

