Cybersecurity: Threats and Defences
7 Jun

CitrixBleed 3 lands on SAML broker

10:08 UTC

CVE-2026-3055 is the third critical memory-disclosure bug in NetScaler in thirty months. Researchers are calling it CitrixBleed 3.

Key takeaway

Three CitrixBleed variants in thirty months point to a structural flaw, not three isolated bugs.

Citrix disclosed CVE-2026-3055 on 23 March 2026, an unauthenticated memory overread in NetScaler Application Delivery Controller (ADC) and NetScaler Gateway appliances configured as a Security Assertion Markup Language (SAML) Identity Provider, with a Common Vulnerability Scoring System (CVSS) v4.0 score of 9.3. A Common Vulnerabilities and Exposures (CVE) number is the public identifier assigned to a given software flaw; the CVSS score rates severity from 0 to 10. Researchers are already calling the new flaw CitrixBleed 3. The attack shape is familiar from the 2023 original: a crafted SAMLRequest to the `/SAML/login` endpoint, omitting the AssertionConsumerServiceURL field, causes the appliance to leak memory via the `NSC_TASS` cookie.
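As an added example (not code from the briefing or from Citrix), a defender-side log heuristic for the request shape just described: it decodes each SAMLRequest sent to `/SAML/login` and flags AuthnRequests that lack AssertionConsumerServiceURL. The access-log layout, the client addresses and the two sample requests are constructed assumptions; real NetScaler logging differs, and a hit is a triage signal for hunting, not proof of exploitation.

```python
import base64, re, urllib.parse, zlib
import xml.etree.ElementTree as ET

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
# Constructed log shape (assumption): <client> <ident> "<method> <path> HTTP/1.x" <status>
LINE_RE = re.compile(r'^(?P<src>\S+) \S+ "(?:GET|POST) (?P<path>\S+) HTTP/1\.[01]"')

def decode_saml_request(value: str):
    """Undo base64 and, for the HTTP-Redirect binding, the raw DEFLATE layer."""
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:  # not base64 at all: nothing to inspect
        return None
    try:
        return zlib.decompress(raw, -15)  # Redirect binding: DEFLATE without zlib header
    except zlib.error:
        return raw  # HTTP-POST binding: plain base64 XML

def missing_acs_url(xml_bytes: bytes) -> bool:
    # True only for a well-formed AuthnRequest that lacks AssertionConsumerServiceURL
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError:
        return False
    return root.tag == SAMLP + "AuthnRequest" and "AssertionConsumerServiceURL" not in root.attrib

def scan_log(lines):
    # Return the client address of every /SAML/login hit whose SAMLRequest is suspect
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        url = urllib.parse.urlsplit(m["path"])
        if url.path.lower() != "/saml/login":
            continue
        for encoded in urllib.parse.parse_qs(url.query).get("SAMLRequest", []):
            xml_bytes = decode_saml_request(encoded)
            if xml_bytes is not None and missing_acs_url(xml_bytes):
                hits.append(m["src"])
    return hits

def encode_redirect(xml_text: str) -> str:
    """Redirect-binding encoding (DEFLATE, base64, URL-encode); used only to build sample lines."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(xml_text.encode()) + comp.flush()
    return urllib.parse.quote(base64.b64encode(data).decode(), safe="")

XMLNS = 'xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Version="2.0" IssueInstant="2026-03-24T10:00:00Z"'
BENIGN = f'<samlp:AuthnRequest {XMLNS} ID="_a1" AssertionConsumerServiceURL="https://sp.example.test/acs"/>'
SUSPECT = f'<samlp:AuthnRequest {XMLNS} ID="_a2"/>'
SAMPLE_LOG = [  # constructed lines, not captured traffic
    f'10.0.0.5 - "GET /SAML/login?SAMLRequest={encode_redirect(BENIGN)} HTTP/1.1" 200',
    f'198.51.100.7 - "GET /SAML/login?SAMLRequest={encode_redirect(SUSPECT)} HTTP/1.1" 200',
    '10.0.0.9 - "GET /vpn/index.html HTTP/1.1" 200',
]
```

Running `scan_log(SAMPLE_LOG)` returns only the second client; the benign request and the non-SAML hit are ignored, and requests that fail to decode or parse are skipped rather than flagged.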

The Cybersecurity and Infrastructure Security Agency (CISA), the US federal cyber defence agency, added the CVE to its Known Exploited Vulnerabilities (KEV) catalogue on 28 March with a 2 April deadline for federal civilian agencies to patch. The KEV catalogue is the authoritative list of bugs confirmed to be exploited in the wild; a place on it triggers a Binding Operational Directive that carries statutory force inside the federal government. Security research firm WatchTowr has detected active reconnaissance in the wild, and the UK National Cyber Security Centre (NCSC), the operational arm of GCHQ, issued a patching advisory to UK operators on 25 March.

Mandiant's incident response on the 2023 CitrixBleed recorded exploitation by the LockBit ransomware affiliate and multiple Advanced Persistent Threat (APT) groups within weeks of public disclosure. CitrixBleed 2 followed in 2024 on the same appliance family. Three serial critical memory-management bugs in thirty months, all following the same structural pattern around SAML request parsing, are no longer a coincidence. For the enterprises running NetScaler as their SAML broker for single sign-on, which means NetScaler fronts every other authentication decision inside the estate, the appliance is now a top-tier item on the 2026 architecture review, not a patch-management ticket.

Deep Analysis

In plain English

NetScaler is a piece of network equipment made by Citrix that many large companies use as a security gateway: it sits at the entrance to corporate systems and handles user logins. Think of it as the electronic reception desk that checks whether someone's badge is valid before letting them into the building. CVE-2026-3055 is a flaw in how NetScaler processes a specific type of login request. A hacker can send a specially crafted login attempt that causes the equipment to accidentally leak a chunk of its own memory, and that memory contains the digital equivalent of master keys that allow the hacker to log in as a real user without knowing their password. This is the third time in about two and a half years that Citrix has had to patch a critical flaw of this type in the same product. Researchers have already spotted attackers probing for vulnerable systems, which usually means mass exploitation follows within weeks.

Root Causes

NetScaler appliances function as SAML Identity Providers for thousands of enterprise single sign-on deployments. The SAML assertion parser runs in a privileged execution context inside the appliance firmware. Memory overread in that context leaks session tokens rather than crashing the service, because the parser is designed to continue operating gracefully on malformed inputs.

The market dynamic compounds the technical problem: NetScaler is a long-cycle enterprise asset. Organisations that replaced their Cisco VPN concentrators with NetScaler in the 2015-2020 era now face a three-serial-CVE appliance in front of every other authentication decision they make, with upgrade cycles measured in financial-year budget cycles rather than weeks.

What could happen next?

  • Risk: The WatchTowr reconnaissance confirmation, combined with the 21-day CitrixBleed 2023 exploitation arc, puts mass exploitation of CVE-2026-3055 within the Watch For window, potentially before many enterprise patch cycles complete.

  • Consequence: Three serial critical CVEs in NetScaler SAML processing will accelerate enterprise architecture reviews of whether NetScaler should remain as the SAML broker, benefiting competing identity-plane vendors.

First Reported In

Update #1 · Stryker MDM wipe exposes identity perimeter

Citrix · 17 Apr 2026
Different Perspectives
Australian Cyber Security Centre (ACSC)

Australia's 18 of 95 May ransomware victims, nearly 19 per cent of global disclosed attacks against 0.3 per cent of global GDP, reflects end-of-life Windows Server concentration in healthcare, under-resourced national incident-response capacity, and time-zone isolation that slows vendor-assisted containment during peak attack windows.

Europol / international law enforcement

Operation Saffron's 27-country coordination set a new geographic breadth record for criminal-infrastructure seizure. The absence of an arrest alongside the server seizures limits durable impact: VPNLab.net and DoubleVPN precedents show gangs reconstitute on alternative hosts within two to four weeks.

UK Parliament (Cyber Security and Resilience Bill)

The Bill reaches Commons Report Stage on 10 June with penalties up to 4 per cent of global turnover. Qilin's NHS Synnovis attack in June 2024 and INC_RANSOM's Stuga Machinery posting on 5 June give the legislation a domestic evidence base connecting KEV-class exposure directly to UK CNI and supply-chain targeting.

German BSI / EU enterprise operator perspective

The 17-month lag between Oracle's January 2024 WebLogic patch and active exploitation confirms that CVSS 7.5 keeps a flaw below emergency-patch thresholds in most programmes, even when T3/IIOP exploitation is a documented recurring chain. BSI's T3/IIOP disablement guidance offers a network-layer mitigation that survives Oracle's quarterly patch cycle without requiring unscheduled downtime.

ENISA / EU cybersecurity regulator

NIS360's risk-zone designations for water and rail, following NCAF 2.0 in April, give member-state authorities a documented enforcement basis under NIS2. Fine ceilings at EUR 10 million cover essential entities; sub-threshold municipal water operators fall outside that scope, so designation without sector-level funding creates a perverse incentive to defer rather than remediate.

US federal CISO (FCEB agency)

Four staggered June deadlines covered WebLogic middleware, Linux containers, Android device fleets and Magento storefronts in a single fortnight, forcing triage that exposes whichever stack ranks lowest. CISA's proposed $707 million budget cut alongside this enforcement acceleration creates a direct credibility gap: the mandate grows while the capacity to sustain it shrinks.