Please, We Beg, Just One Weekend Free Of Appliances (Citrix NetScaler CVE-2026-3055 Memory Overread Part 2)
A second memory overread vulnerability has been identified in Citrix NetScaler appliances under CVE-2026-3055, affecting the '/wsfed/passive?wctx' endpoint. By sending a specially crafted GET request with an empty 'wctx' parameter, attackers can force the appliance to leak sensitive memory, including administrative session IDs, via the 'NSC_TASS' cookie. Active in-the-wild exploitation has been observed since late March.
Authors: Aliz Hammond
Source: watchTowr
- URL /saml/login: Additional vulnerable NetScaler endpoint associated with CVE-2026-3055 (detailed in Part 1).
- URL /wsfed/passive?wctx: Vulnerable NetScaler endpoint targeted for memory overread exploitation.
Detection / Hunter
What Happened
Security researchers have found a second flaw hidden within a recently patched vulnerability (CVE-2026-3055) for Citrix NetScaler devices. Organizations using these devices for identity management (SAML IDP) are affected. This flaw allows attackers to steal sensitive memory from the device, which can include active administrator login sessions, giving them full control. Because hackers are already exploiting this in the wild, administrators should immediately apply the latest Citrix patches and check their systems for signs of compromise.
Key Takeaways
- CVE-2026-3055 encompasses at least two distinct memory overread vulnerabilities in Citrix NetScaler appliances.
- The newly detailed vulnerability targets the '/wsfed/passive?wctx' endpoint when the appliance is configured as a SAML IDP.
- Exploitation involves sending a GET request with an empty 'wctx' parameter (lacking an '=' symbol), causing the appliance to leak kilobytes of memory.
- Leaked memory is base64-encoded and returned in the 'NSC_TASS' HTTP cookie, potentially exposing active administrative session IDs.
- In-the-wild exploitation by known threat actors has been observed starting March 27th.
Affected Systems
- Citrix NetScaler appliances configured as a SAML IDP
Vulnerabilities (CVEs)
- CVE-2026-3055
Attack Chain
The attacker identifies a Citrix NetScaler appliance configured as a SAML IDP. They send a crafted HTTP GET request to the '/wsfed/passive?wctx' endpoint, ensuring the 'wctx' parameter is present but lacks a value or equals sign. The vulnerable appliance fails to validate the parameter's data presence, reading out-of-bounds memory. This leaked memory, which can contain active administrative session IDs, is base64-encoded and returned to the attacker in the 'NSC_TASS' HTTP cookie.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: Yes
- Platforms: Python PoC Script
The article provides a Python script (Detection Artifact Generator) to test endpoints for the memory overread vulnerability by checking the NSC_TASS cookie.
Detection Engineering Assessment
- EDR Visibility: None — The vulnerability occurs within the memory space of a proprietary network appliance (NetScaler) where standard EDR agents cannot be installed.
- Network Visibility: High — The exploit relies on a specific, malformed HTTP GET request and returns large base64-encoded payloads in the NSC_TASS cookie, which can be inspected by WAFs or network monitoring tools.
- Detection Difficulty: Moderate — While the malformed request is distinct, the exfiltrated data is base64 encoded within a standard cookie, requiring inspection of HTTP headers and cookie sizes to detect anomalies.
Required Log Sources
- Web Application Firewall (WAF) logs
- Network traffic captures (PCAP)
- NetScaler access logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Look for HTTP GET requests to '/wsfed/passive' containing the 'wctx' parameter without an equals sign or value. | WAF logs, HTTP access logs | Initial Access | Low |
| Identify unusually large 'NSC_TASS' cookies in HTTP responses from NetScaler appliances, which may indicate memory exfiltration. | Network traffic analysis, WAF response inspection | Exfiltration | Medium |
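The two hunting hypotheses above as runnable logic over constructed sample telemetry. This is an added example, not the article's PoC script; the access-log format, the Set-Cookie samples and the 1024-byte NSC_TASS threshold are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample access-log lines (Combined Log Format); not the article's data.
SAMPLE_REQUESTS = [
    '10.0.0.5 - - [27/Mar/2026:10:00:01 +0000] "GET /wsfed/passive?wctx HTTP/1.1" 200 512',
    '10.0.0.6 - - [27/Mar/2026:10:00:02 +0000] "GET /wsfed/passive?wctx=abc123 HTTP/1.1" 200 512',
    '10.0.0.7 - - [27/Mar/2026:10:00:03 +0000] "GET /wsfed/passive?wa=wsignin1.0&wctx HTTP/1.1" 200 512',
    '10.0.0.8 - - [27/Mar/2026:10:00:04 +0000] "GET /saml/login HTTP/1.1" 200 512',
]
# Constructed sample Set-Cookie headers as a NetScaler response would carry them.
SAMPLE_SET_COOKIES = [
    "NSC_TASS=" + "QUJD" * 12 + "; Secure; HttpOnly",    # ordinary size
    "NSC_TASS=" + "QUJD" * 1024 + "; Secure; HttpOnly",  # ~4 KB of base64, anomalous
    "NSC_AAAC=xyz; Secure; HttpOnly",                    # different cookie, ignored
]
# Assumed baseline; tune it from the normal NSC_TASS sizes your own appliance emits.
NSC_TASS_MAX_LEN = 1024

REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def bare_wctx(target: str) -> bool:
    """True for targets of /wsfed/passive whose query carries 'wctx' as a bare
    key (no '=' and no value), the request shape described in the attack chain."""
    parts = urlsplit(target)
    if parts.path != "/wsfed/passive":
        return False
    # Split the raw query ourselves: parse_qs() silently drops bare keys.
    return any(token == "wctx" for token in parts.query.split("&"))

def hunt_requests(lines):
    """Hypothesis 1: source IPs of access-log lines matching the malformed GET."""
    hits = []
    for line in lines:
        m = REQ_RE.search(line)
        if m and m.group("method") == "GET" and bare_wctx(m.group("target")):
            hits.append(line.split(" ", 1)[0])
    return hits

def nsc_tass_length(set_cookie: str) -> int:
    """Length of the NSC_TASS value in a Set-Cookie header (0 if absent)."""
    name, sep, value = set_cookie.split(";", 1)[0].partition("=")
    return len(value.strip()) if sep and name.strip() == "NSC_TASS" else 0

def hunt_responses(set_cookie_headers, limit=NSC_TASS_MAX_LEN):
    """Hypothesis 2: indexes of responses whose NSC_TASS cookie exceeds limit."""
    return [i for i, h in enumerate(set_cookie_headers) if nsc_tass_length(h) > limit]

if __name__ == "__main__":
    print("suspicious requests from:", hunt_requests(SAMPLE_REQUESTS))
    print("oversized NSC_TASS responses:", hunt_responses(SAMPLE_SET_COOKIES))
```

A request with `wctx=` (empty value but with the equals sign) is deliberately not flagged, since the article describes the trigger as a parameter lacking the '=' symbol; widen `bare_wctx` if your telemetry shows that variant matters.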
Control Gaps
- Lack of EDR support on network appliances
- Insufficient input validation on the NetScaler SAML IDP endpoints
Key Behavioral Indicators
- HTTP GET to '/wsfed/passive?wctx'
- Large base64 strings in 'NSC_TASS' cookie
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Apply the latest security patches from Citrix for CVE-2026-3055.
- Disable the SAML IDP configuration on NetScaler appliances if not strictly required.
- Run the provided Python detection script against NetScaler instances to identify vulnerable hosts.
Infrastructure Hardening
- Implement WAF rules to block requests to '/wsfed/passive' containing malformed 'wctx' parameters.
- Restrict access to NetScaler management and authentication interfaces to trusted IP ranges.
User Protection
- Invalidate all current administrative sessions and rotate credentials if exploitation is suspected.
Security Awareness
- Monitor vendor advisories closely, as single CVEs may encompass multiple distinct vulnerabilities or endpoints.
MITRE ATT&CK Mapping
- T1190 - Exploit Public-Facing Application
- T1539 - Steal Web Session Cookie
- T1005 - Data from Local System
Additional IOCs
- IPs:
  - 192[.]168[.]80[.]125 - Lab IP address observed in PoC execution and hex dumps.
  - 192[.]168[.]80[.]1 - Lab IP address observed in PoC execution output.
  - 192[.]168[.]80[.]123 - Lab IP address observed in NetScaler UI and PoC execution output.
- Domains:
  - a-fun-hostname-for-f5-to-mark-as-an-ioc[.]com - Example hostname provided in the article's HTTP request PoC.