PT-2026-27202 · Citrix · Netscaler Gateway+1
Aliz Hammond
·
Published
2026-03-23
·
Updated
2026-06-04
·
CVE-2026-3055
CVSS v2.0
10
Critical
| Vector | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
NetScaler ADC versions prior to 14.1-60.58
NetScaler Gateway versions prior to 13.1-662.23
Description
Insufficient input validation in the SAML processing module of NetScaler ADC and NetScaler Gateway, when configured as a SAML Identity Provider (IdP), leads to an out-of-bounds memory read. An unauthenticated remote attacker can exploit this by sending specially crafted SAML authentication requests with a malformed AttributeValue length. This causes the parser to read past the end of the input buffer into the appliance's heap memory, potentially leaking sensitive data such as active session tokens, administrative credentials, plaintext cookies, and private cryptographic keys. Because the leak occurs during the pre-authentication phase, attackers can bypass Multi-Factor Authentication (MFA) and hijack live user sessions. Approximately 30,000 instances are estimated to be internet-exposed globally. Real-world exploitation has been observed, including reconnaissance and active harvesting of tokens by threat actors.

Recommendations
Update NetScaler ADC to version 14.1-60.58 or later.
Update NetScaler Gateway to version 13.1-662.23 or later.
Perform a full reboot of the appliance after patching to clear the memory space.
Terminate all active user sessions to invalidate any previously stolen tokens.
Use the flush cache command to remove malicious SAML data.
Rotate private keys used for SAML signing if a breach is suspected.
As a temporary mitigation, restrict or disable the SAML IdP configuration if not strictly required.

Exploit
Fix
LPE
RCE
DoS
Out of bounds Read
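To make the weakness class tagged above concrete (an out-of-bounds read that results from trusting a declared AttributeValue length), the following C program is an added illustration for this page. It is not NetScaler code and does not reproduce the actual SAML parser: the two-byte length-prefix wire format, the function names and the sample bytes are all constructed for this example. It shows the unchecked parse pattern beside its bounds-checked counterpart, and measures how far a consumer of the parsed value would read beyond the input buffer without actually performing the out-of-bounds access.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Illustrative only: a made-up wire format in which an attribute value is
 * carried as a 2-byte big-endian length followed by that many bytes of text.
 * This is NOT NetScaler's SAML parser; it only demonstrates the bug class.
 */

typedef struct {
    const uint8_t *value; /* start of the value inside the input buffer */
    size_t len;           /* number of bytes a consumer will read */
    int ok;               /* 1 = parsed, 0 = rejected */
} attr_value_t;

/* Vulnerable pattern: the declared length is trusted as-is. A consumer that
 * copies or scans r.len bytes from r.value walks past the end of the input
 * buffer whenever the declared length exceeds the bytes actually present. */
attr_value_t parse_attr_value_unchecked(const uint8_t *buf, size_t buflen)
{
    attr_value_t r = {NULL, 0, 0};
    if (buflen < 2)
        return r;
    size_t declared = ((size_t)buf[0] << 8) | buf[1];
    r.value = buf + 2;
    r.len = declared;      /* never compared with buflen - 2 */
    r.ok = 1;
    return r;
}

/* Hardened pattern: the declared length must fit inside the remaining input,
 * otherwise the message is rejected before any byte of the value is touched. */
attr_value_t parse_attr_value_checked(const uint8_t *buf, size_t buflen)
{
    attr_value_t r = {NULL, 0, 0};
    if (buflen < 2)
        return r;
    size_t declared = ((size_t)buf[0] << 8) | buf[1];
    if (declared > buflen - 2)
        return r;          /* would read out of bounds: reject */
    r.value = buf + 2;
    r.len = declared;
    r.ok = 1;
    return r;
}

/* How many bytes beyond the input buffer a consumer of r would read.
 * 0 means the parsed value lies entirely within the input. */
size_t overread_bytes(attr_value_t r, const uint8_t *buf, size_t buflen)
{
    if (!r.ok)
        return 0;
    size_t end = (size_t)(r.value - buf) + r.len;
    return end > buflen ? end - buflen : 0;
}

/* Constructed samples: 5 bytes of value follow the 2-byte length prefix.
 * The malformed one declares 0x0040 = 64 bytes although only 5 are present. */
static const uint8_t sample_malformed[]  = {0x00, 0x40, 'a', 'd', 'm', 'i', 'n'};
static const uint8_t sample_wellformed[] = {0x00, 0x05, 'a', 'd', 'm', 'i', 'n'};

size_t demo_unchecked_overread(void)
{
    attr_value_t r = parse_attr_value_unchecked(sample_malformed, sizeof sample_malformed);
    return overread_bytes(r, sample_malformed, sizeof sample_malformed); /* 59 */
}

int demo_checked_rejects_malformed(void)
{
    return parse_attr_value_checked(sample_malformed, sizeof sample_malformed).ok == 0;
}

int demo_checked_accepts_wellformed(void)
{
    attr_value_t r = parse_attr_value_checked(sample_wellformed, sizeof sample_wellformed);
    return r.ok == 1 && overread_bytes(r, sample_wellformed, sizeof sample_wellformed) == 0;
}

int main(void)
{
    printf("unchecked parser: consumer would read %zu bytes past the buffer\n",
           demo_unchecked_overread());
    printf("checked parser rejects malformed input: %d\n", demo_checked_rejects_malformed());
    printf("checked parser accepts well-formed input: %d\n", demo_checked_accepts_wellformed());
    return 0;
}
```

The defender-relevant point is the single comparison in the checked parser: a length field supplied by an unauthenticated client is untrusted data, and it must be validated against the bytes actually received before anything dereferences it. The same check is what a patch for this class of bug adds; the recommended reboot and session termination above address the data that may already have been read from heap memory before the fix was applied.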
Weakness Enumeration
Related Identifiers
Affected Products
Netscaler Adc
Netscaler Gateway