
Fortinet Confirms Large-Scale Exploitation of Critical Citrix NetScaler SAML Vulnerability CVE-2026-3055

Source: Fortinet Community

Fortinet FortiGuard Labs has issued a formal Outbreak Alert for CVE-2026-3055, a critical unauthenticated memory overread in Citrix NetScaler ADC and NetScaler Gateway. Despite patches being available since 23 March 2026, the alert confirms that thousands of attack attempts are now being detected and blocked daily against internet-exposed appliances configured as SAML Identity Providers. European enterprises that use Citrix for VPN access or Single Sign-On should treat this as an active incident, not a future risk.

What the vulnerability does

CVE-2026-3055 affects customer-managed NetScaler appliances only when the SAML IDP role is enabled. An unauthenticated attacker sends specially crafted requests to the SAML endpoint and causes the appliance to read beyond the intended memory boundary. Two exploitation paths have been documented:

  • A malformed SAML request causes the appliance to embed stale process memory content inside the NSC_TASS cookie returned to the client. An attacker who captures this cookie receives raw memory that may contain session tokens, credentials, or other sensitive data.
  • A request containing the wctx parameter without a value triggers a cleaner, more repeatable memory leak that threat actors have weaponised into automated scanning tools.

Neither path requires authentication and neither requires the victim to take any action. CISA added CVE-2026-3055 to its Known Exploited Vulnerabilities catalogue on 30 March 2026. Citrix’s own CVSS v4.0 score is 9.3. Third-party scoring puts it at 9.8.

Why Fortinet’s Outbreak Alert matters now

Outbreak Alerts from FortiGuard Labs are published when exploitation transitions from opportunistic probing to coordinated, high-volume campaigns. CrowdSec first observed exploitation traces on 27 March 2026, four days after Citrix published the patch. The FortiGuard alert now reports persistent exploitation attempts targeting exposed NetScaler SAML endpoints worldwide, at a volume that suggests automated tooling rather than manual attack chains.

Citrix-managed cloud services are explicitly not affected. The risk is concentrated in organisations running self-managed appliances, which is the dominant deployment model in European enterprise and public sector environments, where data residency rules often mandate self-managed infrastructure at procurement time.

Affected versions and patches

Patched versions are available on the Citrix support portal. Organisations should update to at least:

  • NetScaler ADC 14.1 branch: 14.1-66.59 or later
  • NetScaler ADC 13.1 branch: 13.1-62.23 or later
  • NetScaler ADC 13.1 NDcPP: 13.1-37.262 or later

If upgrading immediately is not possible, SAML IDP functionality should be disabled on exposed appliances until patching is complete.

The European enterprise exposure

Citrix NetScaler is one of the most widely deployed remote access and SSO platforms in European enterprise environments, particularly in financial services, healthcare, and public administration, precisely the sectors where attackers extract the most value from session token and credential theft. Memory leaked from a NetScaler SAML endpoint typically contains material from active user sessions, meaning a successful exploit can give an attacker authenticated access to corporate applications without ever touching a password.

For organisations subject to NIS2, a breach originating from an unpatched known vulnerability with a CVE on the CISA KEV list is difficult to present as reasonable security practice. The directive’s Article 21 obligation to implement appropriate and proportionate technical measures explicitly covers patch management.

Organisations that have already patched should confirm patching was applied to all appliances in their estate, not just those in primary use. Secondary and standby appliances are a common gap.
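The minimum fixed builds listed above and the estate-wide confirmation just described can be turned into a simple inventory check. This is an added example, not code from Citrix, Fortinet or Excello Digital; the appliance names and versions in the inventory are constructed, and it assumes the inventory records whether an appliance runs an NDcPP build (so that the 13.1 NDcPP line is compared against its own fixed build) and whether the SAML IdP role is enabled.

```python
"""Check a NetScaler inventory against the CVE-2026-3055 fixed builds (added example)."""
import re
from dataclasses import dataclass

# Minimum fixed builds as listed in the article, keyed by (branch, ndcpp).
FIXED_BUILDS = {
    ("14.1", False): "14.1-66.59",
    ("13.1", False): "13.1-62.23",
    ("13.1", True): "13.1-37.262",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")


def parse_version(version):
    """Turn '14.1-66.59' into (14, 1, 66, 59) so tuples compare numerically."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {version!r}")
    return tuple(int(x) for x in m.groups())


@dataclass
class Appliance:
    name: str
    version: str
    saml_idp_enabled: bool
    ndcpp: bool = False  # assumption: inventory tracks NDcPP builds explicitly


def assess(appliance):
    """Classify one appliance: patched, exposed, unpatched-not-exposed or unknown-branch."""
    parsed = parse_version(appliance.version)
    fixed = FIXED_BUILDS.get((f"{parsed[0]}.{parsed[1]}", appliance.ndcpp))
    if fixed is None:
        return "unknown-branch"  # branch not listed above; review manually
    if parsed >= parse_version(fixed):
        return "patched"
    # Unpatched: only exploitable while the SAML IdP role is enabled,
    # but standby units still need the upgrade before they are promoted.
    return "exposed" if appliance.saml_idp_enabled else "unpatched-not-exposed"


def assess_estate(appliances):
    """Return {name: status} for every appliance, standby units included."""
    return {a.name: assess(a) for a in appliances}


# Constructed sample inventory, including a standby unit that was missed.
SAMPLE_ESTATE = [
    Appliance("ns-gw-01", "14.1-66.59", saml_idp_enabled=True),
    Appliance("ns-gw-02-standby", "14.1-56.14", saml_idp_enabled=True),
    Appliance("ns-adc-03", "13.1-62.23", saml_idp_enabled=False),
    Appliance("ns-cc-04", "13.1-37.262", saml_idp_enabled=True, ndcpp=True),
    Appliance("ns-cc-05", "13.1-37.200", saml_idp_enabled=False, ndcpp=True),
    Appliance("ns-old-06", "13.0-92.19", saml_idp_enabled=True),
]

if __name__ == "__main__":
    for name, status in assess_estate(SAMPLE_ESTATE).items():
        print(f"{name:20} {status}")
```

Anything reported as `exposed` should be patched or have SAML IdP disabled immediately; `unknown-branch` entries need a manual check against the vendor advisory.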

If you need help auditing your NetScaler estate for CVE-2026-3055 exposure, validating your patch status, or designing a network architecture that limits the blast radius of future remote access vulnerabilities, contact Excello Digital. We work with European organisations to reduce their attack surface before incidents happen, not after.
