30APR

CitrixBleed 3 lands on SAML broker

3 min read

08:16UTC

CVE-2026-3055 is the third critical memory-disclosure bug in NetScaler in thirty months. Researchers are calling it CitrixBleed 3.

← Back to FIRESTARTER puts Cisco below the patch line Jump to analysis ↓

TechnologyAssessed

Key takeaway

Three CitrixBleed variants in thirty months point to a structural flaw, not three isolated bugs.

Citrix disclosed CVE-2026-3055 on 23 March 2026, an unauthenticated memory overread in NetScaler Application Delivery Controller (ADC) and NetScaler Gateway appliances configured as a Security Assertion Markup Language (SAML) Identity Provider, with a Common Vulnerability Scoring System (CVSS) v4.0 score of 9.3 ¹. A Common Vulnerabilities and Exposures (CVE) number is the public identifier assigned to a given software flaw; the CVSS score rates severity from 0 to 10. Researchers are already calling the new flaw CitrixBleed 3. The attack shape is familiar from the 2023 original: a crafted SAMLRequest to the `/SAML/login` endpoint, omitting the AssertionConsumerServiceURL field, causes the appliance to leak memory via the `NSC_TASS` cookie.

The Cybersecurity and Infrastructure Security Agency (CISA), the US federal cyber defence agency, added the CVE to its Known Exploited Vulnerabilities (KEV) catalogue on 28 March with a 2 April deadline for federal civilian agencies to patch. The KEV catalogue is the authoritative list of bugs confirmed to be exploited in the wild; a place on it triggers a Binding Operational Directive that carries statutory force inside the federal government. Security research firm WatchTowr has detected active reconnaissance in the wild, and the UK National Cyber Security Centre (NCSC), the operational arm of GCHQ, issued a patching advisory to UK operators on 25 March.

Mandiant's incident response on the 2023 CitrixBleed recorded exploitation by the LockBit ransomware affiliate and multiple Advanced Persistent Threat (APT) groups within weeks of public disclosure. CitrixBleed 2 followed in 2024 on the same appliance family. Three serial critical memory-management bugs in thirty months, with the same structural pattern around SAML request parsing, stops being a coincidence. For the enterprises running NetScaler as their SAML broker for single sign-on, which means NetScaler fronts every other authentication decision inside the estate, the appliance is now a top-tier item on the 2026 architecture review, not a patch-management ticket.

Deep Analysis

In plain English

NetScaler is a piece of network equipment made by Citrix that many large companies use as a security gateway: it sits at the entrance to corporate systems and handles user logins. Think of it as the electronic reception desk that checks whether someone's badge is valid before letting them into the building. CVE-2026-3055 is a flaw in how NetScaler processes a specific type of login request. A hacker can send a specially crafted login attempt that causes the equipment to accidentally leak a chunk of its own memory, and that memory contains the digital equivalent of master keys that allow the hacker to log in as a real user without knowing their password. This is the third time in about two and a half years that Citrix has had to patch a critical flaw of this type in the same product. Researchers have already spotted attackers probing for vulnerable systems, which usually means mass exploitation follows within weeks.

Deep Analysis

Root Causes

NetScaler appliances function as SAML Identity Providers for thousands of enterprise single sign-on deployments. The SAML assertion parser runs in a privileged execution context inside the appliance firmware. Memory overread in that context leaks session tokens rather than crashing the service, because the parser is designed to continue operating gracefully on malformed inputs.

The market dynamic compounds the technical problem: NetScaler is a long-cycle enterprise asset. Organisations that replaced their Cisco VPN concentrators with NetScaler in the 2015-2020 era now face a three-serial-CVE appliance in front of every other authentication decision they make, with upgrade cycles measured in financial-year budget cycles rather than weeks.

What could happen next?

Risk
The WatchTowr reconnaissance confirmation, combined with the 21-day CitrixBleed 2023 exploitation arc, puts mass exploitation of CVE-2026-3055 within the Watch For window, potentially before many enterprise patch cycles complete.
Consequence
Three serial critical CVEs in NetScaler SAML processing will accelerate enterprise architecture reviews of whether NetScaler should remain as the SAML broker, benefiting competing identity-plane vendors.

Source Landscape

This story draws on neutral-leaning sources

Primary parallel: CVE-2023-4966, the original CitrixBleed, was disclosed in October 2023 and exploited by LockBit, Medusa, and at least four APT groups within weeks of CISA's KEV addition. The exploitation arc from reconnaissance to mass exploitation took approximately 21 days in 2023. WatchTowr's confirmation of active reconnaissance of CVE-2026-3055 before mass exploitation was public places this iteration at the same early stage in that same arc.

Counter-parallel: The 2021 Microsoft Exchange ProxyLogon series (CVE-2021-26855 and three companion CVEs) also involved a chain of memory-handling bugs in a widely-deployed authentication intermediary. Microsoft patched all four in a single release once the structural root cause was identified. Citrix has not yet publicly characterised whether CVE-2026-3055 shares the same root cause as its predecessors, which is itself an informative absence.

Consensus view: Palo Alto Unit 42 and Mandiant both document the structural pattern: three critical memory-disclosure CVEs in NetScaler's SAML processing path across 30 months indicate a shared root cause in how the `NSC_TASS` session-cookie handler manages assertion parser memory, rather than three independent bugs. Unit 42's NetScaler threat intelligence series treats CitrixBleed 3 as a continuation of a known exploitation chain, not a novel attack surface.

Counter-view: ENISA's 2025 threat report assesses that SAML-broker vulnerability patterns in European enterprise estates disproportionately affect mid-market organisations that lack the patch automation infrastructure of large enterprises, arguing the deployment gap, not the vulnerability cadence, is the primary risk driver.

Key tension: Whether Citrix can resolve the underlying memory-management problem in NetScaler's SAML processing code through incremental patches, or whether the architectural decision to handle SAML parsing in C-level appliance firmware makes further variants structurally inevitable.

Sources:Citrix·ENISA

Mentions:Citrix →NetScaler ADC →CISA →WatchTowr →NCSC →Prima →Mandiant →ENISA →Known Exploited Vulnerabilities →TASS →Microsoft →LockBit5 →Security Assertion Markup Language →Common Vulnerability Scoring System →GCHQ →CitrixBleed 3 →

First Reported In

Update #1 · Stryker MDM wipe exposes identity perimeter

Citrix· 17 Apr 2026

Read original →

Causes and effects

Caused by

cPanel zero-day ran 65 days before patch; Sorry ransomware active

CVE-2026-41940 inverts the CitrixBleed 3 scenario: that patch existed but was unapplied; here no patch existed during the 65-day exploitation window.

Occurred 30 Apr 2026

Read story →

This Event

CitrixBleed 3 lands on SAML broker

Three serial critical memory overreads in the same product family, exploited in the appliance that fronts enterprise single sign-on, stops looking like three bugs.

Led to

CISA gives Cisco SD-WAN three days to patch

CISA three-day Cisco SD-WAN deadline follows the same emergency-KEV cadence previously applied to CitrixBleed 3 in ID:2544.

Occurred 20 Apr 2026

Read story →

Different Perspectives

Norwegian Security and Service Organisation

NSSO was a prior victim of Ivanti EPMM zero-days and now faces CVE-2026-6973 in the same product line. Ivanti's position that on-premises EPMM is the only affected tier provides limited reassurance to a government body that has already been compromised twice via the same vendor's MDM infrastructure.

ENISA and EU CNA Ecosystem

ENISA onboarded four new CVE Numbering Authorities under ENISA Root on 6 May, expanding EU-sovereign vulnerability disclosure infrastructure in the same week three critical CVEs entered the CISA KEV catalogue. Greater CNA coverage inside the EU reduces dependence on US-anchored MITRE for European-sourced vulnerability identifiers.

German Federal Office for Information Security (BSI)

BSI rated CVE-2026-41940 in cPanel 'very high', reflecting Germany's exposure across shared-hosting infrastructure for Mittelstand businesses. The 65-day zero-day window and the amplification effect of cPanel's multi-tenancy model mean the BSI rating applies to thousands of German SME websites hosted on affected servers.

Republic of Korea National Intelligence Service

South Korea's NIS tracks UNC1069's tooling evolution; the CSIS paper argues the ROK's intelligence on DPRK cyber operations should feed joint US-ROK situational awareness rather than bilateral channels that move too slowly for real-time supply-chain response.

Democratic People's Republic of Korea

UNC1069's Axios operation scales North Korea's supply-chain access from niche Python packages to the most downloaded HTTP client in the JavaScript ecosystem. WAVESHAPER.V2 provides persistent access to development environments where cryptocurrency wallets and API keys are stored, serving the sanctions-evasion funding logic behind earlier DPRK toolchain operations.

WatchTowr Labs

WatchTowr Labs disclosed CVE-2026-41940 after the 28 April patch shipped, providing the 65-day exploitation timeline from KnownHost telemetry. The disclosure is textbook; the open question is why WebPros did not catch the cpsrvd CRLF class flaw before external researchers found it under active exploitation.