Skip to content
You can now search across every topic, entity and event.What's new
Cybersecurity: Threats and Defences
30APR

CitrixBleed 3 lands on SAML broker

3 min read
08:16UTC

CVE-2026-3055 is the third critical memory-disclosure bug in NetScaler in thirty months. Researchers are calling it CitrixBleed 3.

TechnologyAssessed
Key takeaway

Three CitrixBleed variants in thirty months point to a structural flaw, not three isolated bugs.

Citrix disclosed CVE-2026-3055 on 23 March 2026, an unauthenticated memory overread in NetScaler Application Delivery Controller (ADC) and NetScaler Gateway appliances configured as a Security Assertion Markup Language (SAML) Identity Provider, with a Common Vulnerability Scoring System (CVSS) v4.0 score of 9.3 1. A Common Vulnerabilities and Exposures (CVE) number is the public identifier assigned to a given software flaw; the CVSS score rates severity from 0 to 10. Researchers are already calling the new flaw CitrixBleed 3. The attack shape is familiar from the 2023 original: a crafted SAMLRequest to the `/SAML/login` endpoint, omitting the AssertionConsumerServiceURL field, causes the appliance to leak memory via the `NSC_TASS` cookie.

The Cybersecurity and Infrastructure Security Agency (CISA), the US federal cyber defence agency, added the CVE to its Known Exploited Vulnerabilities (KEV) catalogue on 28 March with a 2 April deadline for federal civilian agencies to patch. The KEV catalogue is the authoritative list of bugs confirmed to be exploited in the wild; a place on it triggers a Binding Operational Directive that carries statutory force inside the federal government. Security research firm WatchTowr has detected active reconnaissance in the wild, and the UK National Cyber Security Centre (NCSC), the operational arm of GCHQ, issued a patching advisory to UK operators on 25 March.

Mandiant's incident response on the 2023 CitrixBleed recorded exploitation by the LockBit ransomware affiliate and multiple Advanced Persistent Threat (APT) groups within weeks of public disclosure. CitrixBleed 2 followed in 2024 on the same appliance family. Three serial critical memory-management bugs in thirty months, with the same structural pattern around SAML request parsing, stops being a coincidence. For the enterprises running NetScaler as their SAML broker for single sign-on, which means NetScaler fronts every other authentication decision inside the estate, the appliance is now a top-tier item on the 2026 architecture review, not a patch-management ticket.

Deep Analysis

In plain English

NetScaler is a piece of network equipment made by Citrix that many large companies use as a security gateway: it sits at the entrance to corporate systems and handles user logins. Think of it as the electronic reception desk that checks whether someone's badge is valid before letting them into the building. CVE-2026-3055 is a flaw in how NetScaler processes a specific type of login request. A hacker can send a specially crafted login attempt that causes the equipment to accidentally leak a chunk of its own memory, and that memory contains the digital equivalent of master keys that allow the hacker to log in as a real user without knowing their password. This is the third time in about two and a half years that Citrix has had to patch a critical flaw of this type in the same product. Researchers have already spotted attackers probing for vulnerable systems, which usually means mass exploitation follows within weeks.

Deep Analysis
Root Causes

NetScaler appliances function as SAML Identity Providers for thousands of enterprise single sign-on deployments. The SAML assertion parser runs in a privileged execution context inside the appliance firmware. Memory overread in that context leaks session tokens rather than crashing the service, because the parser is designed to continue operating gracefully on malformed inputs.

The market dynamic compounds the technical problem: NetScaler is a long-cycle enterprise asset. Organisations that replaced their Cisco VPN concentrators with NetScaler in the 2015-2020 era now face a three-serial-CVE appliance in front of every other authentication decision they make, with upgrade cycles measured in financial-year budget cycles rather than weeks.

What could happen next?
  • Risk

    The WatchTowr reconnaissance confirmation, combined with the 21-day CitrixBleed 2023 exploitation arc, puts mass exploitation of CVE-2026-3055 within the Watch For window, potentially before many enterprise patch cycles complete.

  • Consequence

    Three serial critical CVEs in NetScaler SAML processing will accelerate enterprise architecture reviews of whether NetScaler should remain as the SAML broker, benefiting competing identity-plane vendors.

First Reported In

Update #1 · Stryker MDM wipe exposes identity perimeter

Citrix· 17 Apr 2026
Read original
Different Perspectives
UK managed service providers and data centre operators
UK managed service providers and data centre operators
Newly brought into critical-infrastructure scope by the Cyber Security and Resilience Bill's Lords second reading, facing fines up to £17m or 4% of global turnover and a new near-miss reporting duty they did not previously carry. The sector moves from best-practice guidance to statutory exposure within this Parliamentary session.
Threat-intelligence industry
Threat-intelligence industry
SOCRadar's confirmation that one operator sits on two ransomware crews' negotiation panels, following Bitdefender's affiliate-overlap flag six weeks earlier, gives the sector its second independent data point that brand-based tracking undercounts shared access. The firms doing this work are shifting language from named-group attribution toward access-broker mapping.
FSB Centre 16
FSB Centre 16
Named by NCSC as running an SNMP-hijacking campaign against communications, energy, healthcare, defence and financial-services operators, harvesting device data and reconfiguring routers through a decades-old plaintext-authentication protocol. The campaign runs in parallel to, not in place of, the GRU's separate DNS-hijacking operation named in April.
CISA
CISA
CISA's Known Exploited Vulnerabilities catalogue added seven CVEs between 5 and 14 July, none from a headline security vendor, capped by the 18-year-old Cisco IOS bug CVE-2008-4128. BOD 26-04's risk-tiered listing rules make that slowdown as much a policy artefact as a threat-intensity read.
Nidec
Nidec
Nidec faces a $2m demand from Blackfield after the crew breached a server at its supplier Chaun Choung Technology rather than Nidec's own network. The attack reached Nidec's data without touching its own perimeter at all, the same supply-chain route World Leaks used against Tata Electronics.
Tata Electronics
Tata Electronics
Tata Electronics restricted remote access to its purchase-order systems and hired a forensic consultant after World Leaks posted 630GB of its files, including purported Apple and Tesla design material, to a leak site. The exposed value sits on its customers' balance sheets, not its own, which is what makes it hard to price.