14JUN

CitrixBleed 3 lands on SAML broker

3 min read

11:51UTC

CVE-2026-3055 is the third critical memory-disclosure bug in NetScaler in thirty months. Researchers are calling it CitrixBleed 3.

← Back to VPN zero-day, no-patch KEV, late Exchange Jump to analysis ↓

TechnologyAssessed

Key takeaway

Three CitrixBleed variants in thirty months point to a structural flaw, not three isolated bugs.

Citrix disclosed CVE-2026-3055 on 23 March 2026, an unauthenticated memory overread in NetScaler Application Delivery Controller (ADC) and NetScaler Gateway appliances configured as a Security Assertion Markup Language (SAML) Identity Provider, with a Common Vulnerability Scoring System (CVSS) v4.0 score of 9.3 ¹. A Common Vulnerabilities and Exposures (CVE) number is the public identifier assigned to a given software flaw; the CVSS score rates severity from 0 to 10. Researchers are already calling the new flaw CitrixBleed 3. The attack shape is familiar from the 2023 original: a crafted SAMLRequest to the `/SAML/login` endpoint, omitting the AssertionConsumerServiceURL field, causes the appliance to leak memory via the `NSC_TASS` cookie.

The Cybersecurity and Infrastructure Security Agency (CISA), the US federal cyber defence agency, added the CVE to its Known Exploited Vulnerabilities (KEV) catalogue on 28 March with a 2 April deadline for federal civilian agencies to patch. The KEV catalogue is the authoritative list of bugs confirmed to be exploited in the wild; a place on it triggers a Binding Operational Directive that carries statutory force inside the federal government. Security research firm WatchTowr has detected active reconnaissance in the wild, and the UK National Cyber Security Centre (NCSC), the operational arm of GCHQ, issued a patching advisory to UK operators on 25 March.

Mandiant's incident response on the 2023 CitrixBleed recorded exploitation by the LockBit ransomware affiliate and multiple Advanced Persistent Threat (APT) groups within weeks of public disclosure. CitrixBleed 2 followed in 2024 on the same appliance family. Three serial critical memory-management bugs in thirty months, with the same structural pattern around SAML request parsing, stops being a coincidence. For the enterprises running NetScaler as their SAML broker for single sign-on, which means NetScaler fronts every other authentication decision inside the estate, the appliance is now a top-tier item on the 2026 architecture review, not a patch-management ticket.

Deep Analysis

In plain English

NetScaler is a piece of network equipment made by Citrix that many large companies use as a security gateway: it sits at the entrance to corporate systems and handles user logins. Think of it as the electronic reception desk that checks whether someone's badge is valid before letting them into the building. CVE-2026-3055 is a flaw in how NetScaler processes a specific type of login request. A hacker can send a specially crafted login attempt that causes the equipment to accidentally leak a chunk of its own memory, and that memory contains the digital equivalent of master keys that allow the hacker to log in as a real user without knowing their password. This is the third time in about two and a half years that Citrix has had to patch a critical flaw of this type in the same product. Researchers have already spotted attackers probing for vulnerable systems, which usually means mass exploitation follows within weeks.

Deep Analysis

Root Causes

NetScaler appliances function as SAML Identity Providers for thousands of enterprise single sign-on deployments. The SAML assertion parser runs in a privileged execution context inside the appliance firmware. Memory overread in that context leaks session tokens rather than crashing the service, because the parser is designed to continue operating gracefully on malformed inputs.

The market dynamic compounds the technical problem: NetScaler is a long-cycle enterprise asset. Organisations that replaced their Cisco VPN concentrators with NetScaler in the 2015-2020 era now face a three-serial-CVE appliance in front of every other authentication decision they make, with upgrade cycles measured in financial-year budget cycles rather than weeks.

What could happen next?

Risk
The WatchTowr reconnaissance confirmation, combined with the 21-day CitrixBleed 2023 exploitation arc, puts mass exploitation of CVE-2026-3055 within the Watch For window, potentially before many enterprise patch cycles complete.
Consequence
Three serial critical CVEs in NetScaler SAML processing will accelerate enterprise architecture reviews of whether NetScaler should remain as the SAML broker, benefiting competing identity-plane vendors.

Source Landscape

This story draws on neutral-leaning sources

Primary parallel: CVE-2023-4966, the original CitrixBleed, was disclosed in October 2023 and exploited by LockBit, Medusa, and at least four APT groups within weeks of CISA's KEV addition. The exploitation arc from reconnaissance to mass exploitation took approximately 21 days in 2023. WatchTowr's confirmation of active reconnaissance of CVE-2026-3055 before mass exploitation was public places this iteration at the same early stage in that same arc.

Counter-parallel: The 2021 Microsoft Exchange ProxyLogon series (CVE-2021-26855 and three companion CVEs) also involved a chain of memory-handling bugs in a widely-deployed authentication intermediary. Microsoft patched all four in a single release once the structural root cause was identified. Citrix has not yet publicly characterised whether CVE-2026-3055 shares the same root cause as its predecessors, which is itself an informative absence.

Consensus view: Palo Alto Unit 42 and Mandiant both document the structural pattern: three critical memory-disclosure CVEs in NetScaler's SAML processing path across 30 months indicate a shared root cause in how the `NSC_TASS` session-cookie handler manages assertion parser memory, rather than three independent bugs. Unit 42's NetScaler threat intelligence series treats CitrixBleed 3 as a continuation of a known exploitation chain, not a novel attack surface.

Counter-view: ENISA's 2025 threat report assesses that SAML-broker vulnerability patterns in European enterprise estates disproportionately affect mid-market organisations that lack the patch automation infrastructure of large enterprises, arguing the deployment gap, not the vulnerability cadence, is the primary risk driver.

Key tension: Whether Citrix can resolve the underlying memory-management problem in NetScaler's SAML processing code through incremental patches, or whether the architectural decision to handle SAML parsing in C-level appliance firmware makes further variants structurally inevitable.

Sources:Citrix·ENISA

Mentions:Citrix →NetScaler ADC →CISA →WatchTowr →NCSC →Prima →Mandiant →ENISA →Known Exploited Vulnerabilities →TASS →Microsoft →LockBit5 →Security Assertion Markup Language →Common Vulnerability Scoring System →GCHQ →CitrixBleed 3 →

First Reported In

Update #1 · Stryker MDM wipe exposes identity perimeter

Citrix· 17 Apr 2026

Read original →

Causes and effects

Caused by

cPanel zero-day ran 65 days before patch; Sorry ransomware active

CVE-2026-41940 inverts the CitrixBleed 3 scenario: that patch existed but was unapplied; here no patch existed during the 65-day exploitation window.

Occurred 30 Apr 2026

Read story →

This Event

CitrixBleed 3 lands on SAML broker

Three serial critical memory overreads in the same product family, exploited in the appliance that fronts enterprise single sign-on, stops looking like three bugs.

Led to

CISA gives Cisco SD-WAN three days to patch

CISA three-day Cisco SD-WAN deadline follows the same emergency-KEV cadence previously applied to CitrixBleed 3 in ID:2544.

Occurred 20 Apr 2026

Read story →

Different Perspectives

Beijing-aligned attribution sceptics

CNCERT has noted that Western KEV ransomware-risk flags on DoS-only flaws such as Serv-U CVE-2026-28318 conflate disruption capability with breach capability, and that CJEU referrals for NIS2 non-transposition create compliance obligations that presuppose software-patchable architectures the Arista case shows are not universal.

Enterprise security buyers

Three successive KEV cycles in which federal deadlines precede, exceed or are refused by vendor patches require buyers to re-weight patch-SLA contractual terms: the KEV deadline is now the planning constraint, not the vendor advisory, and procurement due diligence must cover whether a hardware platform is even patchable in principle.

Check Point

Check Point disclosed CVE-2026-50751 and shipped a hotfix on 8 June, roughly 30 days after exploitation had begun, with a Qilin affiliate already inside at least one victim. Its delayed disclosure on a CVSS 9.3 perimeter bypass leaves customers to absorb a month-long pre-patch exposure window under CISA's three-day federal deadline.

European Commission and ENISA

NIS2 full personal-liability enforcement from 1 June and CJEU referrals against laggard member states represent the sharpest regulatory escalation in EU cyber history, backed by ENISA NIS360 sector-maturity evidence naming water, rail and waste water as the priority enforcement targets. NCAF 2.0 and NIS360 function as audit instruments rather than political signals.

UK NCSC

The NCSC issued the Dutch NCSC's imminent-abuse warning on the Check Point flaw in the same fortnight its sponsoring legislation cleared the Commons, widening incident-reporting duties to cover attacker pre-positioning. The payment-reporting gap left by the CS&R Bill means the NCSC continues to rely on voluntary Early Warning submissions for ransomware economics data.

US Federal CISO community

Federal CISOs face three active compliance obligations without a clean resolution: a three-day Check Point deadline met with a hotfix, a 23 June Arista deadline partially met with ACLs only, and a 16-day Exchange overrun still being fully remediated. BOD 22-01 is operating as an urgency signal but not as a vendor-cooperation mechanism.