PT-2026-27202 · Citrix · Netscaler Adc+1
Aliz Hammond · Published 2026-03-23 · Updated 2026-04-17
CVE-2026-3055
CVSS v2.0: 10 (Critical) | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
NetScaler ADC versions prior to 14.1-60.58
NetScaler Gateway versions prior to 14.1-60.58
NetScaler ADC versions prior to 13.1-662.23
NetScaler Gateway versions prior to 13.1-662.23
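The affected-version list above is a per-branch threshold: a build is affected only if it sits on the 14.1 or 13.1 branch and sorts below the fixed build for that branch. The following is an added example, not code from the advisory, from Citrix or from Positive Technologies, that encodes those two thresholds and triages a fleet inventory into hosts that still need the update. It assumes the NetScaler version string has the shape `major.minor-build.sub` (as the advisory writes it) and, as a further assumption, that a `show version` banner contains `NS<major>.<minor>: Build <build>.<sub>`; the hostnames and versions in the sample inventory are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fixed builds quoted in the advisory, keyed by release branch (major, minor).
# Any build on the same branch that sorts below the fixed build is affected.
# Branches not listed here (e.g. 13.0) are not covered by this advisory.
FIXED_BUILDS: Dict[Tuple[int, int], Tuple[int, int]] = {
    (14, 1): (60, 58),    # NetScaler ADC / Gateway 14.1-60.58
    (13, 1): (662, 23),   # NetScaler ADC / Gateway 13.1-662.23
}

# "14.1-60.58" -> major.minor-build.sub
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)-(\d+)\.(\d+)\s*$")

# Assumed shape of the CLI banner, e.g. "NetScaler NS14.1: Build 60.58.nc, Date: ..."
# (an assumption for this example; confirm it against your appliance's output).
_BANNER_RE = re.compile(r"NS(\d+)\.(\d+):\s*Build\s+(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse '14.1-60.58' into (major, minor, build, sub); ValueError otherwise."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {text!r}")
    major, minor, build, sub = (int(g) for g in m.groups())
    return major, minor, build, sub


def version_from_banner(banner: str) -> Optional[str]:
    """Extract 'major.minor-build.sub' from a 'show version' style banner,
    or None if the banner does not match the assumed shape."""
    m = _BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, build, sub = m.groups()
    return f"{major}.{minor}-{build}.{sub}"


def is_affected(version: str) -> Optional[bool]:
    """True if the build is older than the fixed build on its branch,
    False if it is at or past the fix, None if the branch is not listed."""
    major, minor, build, sub = parse_version(version)
    fixed = FIXED_BUILDS.get((major, minor))
    if fixed is None:
        return None
    # Tuple comparison orders by build first, then by sub-build.
    return (build, sub) < fixed


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Sort a {host: version} inventory into 'patch', 'fixed' and 'unlisted' buckets."""
    buckets: Dict[str, List[str]] = {"patch": [], "fixed": [], "unlisted": []}
    for host, version in sorted(inventory.items()):
        status = is_affected(version)
        key = "unlisted" if status is None else ("patch" if status else "fixed")
        buckets[key].append(host)
    return buckets


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "gw-eu-1": "14.1-60.58",   # at the fixed build
    "gw-eu-2": "14.1-59.19",   # older build on the 14.1 branch
    "adc-us-1": "13.1-662.23", # at the fixed build
    "adc-us-2": "13.1-661.40", # older build on the 13.1 branch
    "adc-lab": "13.0-92.21",   # branch not named by the advisory
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:>8}: {', '.join(hosts) or '-'}")
```

Hosts landing in the "unlisted" bucket are not cleared by this check; the advisory simply says nothing about those branches, so they need to be assessed against the vendor bulletin rather than assumed safe.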
Description
Insufficient input validation in NetScaler ADC and NetScaler Gateway, when configured as a SAML Identity Provider (IdP), leads to an out-of-bounds memory read. This issue allows unauthenticated remote attackers to leak sensitive process memory, including administrative session IDs, session tokens, credentials, and private cryptographic keys. The flaw is triggered by sending specially crafted SAML requests with malformed XML attributes or missing parameters to the '/saml/login' and '/wsfed/passive' endpoints. Leaked data is often returned base64-encoded within the NSC TASS cookie. Real-world exploitation has been confirmed since March 27, 2026, with reports of Iranian state actors (MuddyWater) scanning for exposed endpoints. Approximately 30,000 to 240,000 instances are estimated to be exposed globally.
Recommendations
Update NetScaler ADC and NetScaler Gateway to versions 14.1-60.58 or 13.1-662.23 and later. A full reboot of the appliance is required after patching to clear potentially compromised memory.
Terminate all active user sessions and perform a global logout post-patching.
Clear the NetScaler cache using the flush cache command.
Rotate private keys used for SAML signing if a breach is suspected.
As a temporary mitigation, restrict access to the '/saml/login' and '/wsfed/passive' endpoints or disable the SAML IdP configuration if not required.
Exploit
Fix
RCE
DoS
LPE
Out of bounds Read
Affected Products
Netscaler Adc
Netscaler Gateway