CitrixBleed 3: Why a March NetScaler Bug Is Your June Emergency
CVE-2026-3055 (CitrixBleed 3) was patched on 23 March. In early June, Fortinet confirmed large-scale exploitation. Here is why the patch alone never closed the door.
Citrix shipped the fix for CVE-2026-3055 on 23 March 2026. CISA added it to the Known Exploited Vulnerabilities catalog seven days later. A Metasploit module landed on 31 March. By every metric a vulnerability-management dashboard tracks, this bug closed in the first quarter. And yet, in the first days of June, Fortinet's threat intelligence team confirmed large-scale exploitation against internet-facing NetScaler appliances configured as SAML identity providers. The gap between "patch available" and "attack over" is now eleven weeks wide and still open. That gap is the entire story.
The security community calls the bug CitrixBleed 3, and the name is a warning, not a joke. The original CitrixBleed (CVE-2023-4966) is one of the most consequential edge-appliance bugs of the decade — it gave LockBit affiliates the foothold behind the Boeing, Comcast and ICBC intrusions. CitrixBleed 2 followed in 2025. CVE-2026-3055 is the same vulnerability class, on the same box, with the same failure mode that turned the first one into a year-long incident: a patch that organizations apply without doing the one thing that actually evicts the attacker.
What CitrixBleed 3 (CVE-2026-3055) actually is
CVE-2026-3055 is an out-of-bounds read — Citrix's own bulletin (CTX696300) calls it a "memory overread" — in NetScaler ADC and NetScaler Gateway. It carries a CVSS v4 score of 9.3, and it is unauthenticated. There is no login, no token, no precondition on the attacker's side. There is exactly one precondition on yours: the appliance must be configured as a SAML identity provider.
That condition matters more than it sounds. SAML IDP is not an exotic setting. It is the default way enterprises wire NetScaler into single sign-on — the appliance becomes the thing that issues identity assertions to Microsoft 365, to Salesforce, to every federated SaaS in the estate. Plenty of teams enabled it as part of an SSO rollout months after the box was first deployed and pentested, and never thought about it again.
The exploit is mundane in the way the worst bugs always are. An attacker sends a malformed request to the SAML endpoints — /saml/login with the AssertionConsumerServiceURL parameter omitted, or /wsfed/passive?wctx with an empty wctx value — and the appliance answers with kilobytes of leftover process memory, base64-encoded inside the NSC_TASS response cookie. watchTowr's analysis places it squarely in the "same vulnerability class as CitrixBleed and CitrixBleed 2." Repeat the request and you get a different slice of memory each time. Iterate, and you reassemble whatever the appliance was recently holding: session tokens, valid SAML assertions, LDAP and Active Directory credentials.
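The two request shapes described above give a defender something concrete to hunt for in access logs: a `/saml/login` request with no `AssertionConsumerServiceURL`, or a `/wsfed/passive` request with an empty `wctx`, repeated from one source and answered with an oversized `NSC_TASS` cookie. The following Python is an added example, not code from the article or from Citrix, watchTowr or Fortinet; the log format, the sample lines and both thresholds (`LARGE_COOKIE_BYTES`, `REPEAT_THRESHOLD`) are constructed assumptions for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines (not output from any real appliance), one per request:
# "<timestamp> <src_ip> <method> <path?query> <status> <NSC_TASS response cookie length in bytes>"
SAMPLE_LOG = """\
2026-03-27T10:01:02Z 203.0.113.7 GET /saml/login?SAMLRequest=ZmFrZQ 200 4096
2026-03-27T10:01:03Z 203.0.113.7 GET /saml/login?SAMLRequest=ZmFrZQ 200 3980
2026-03-27T10:01:04Z 203.0.113.7 GET /wsfed/passive?wctx= 200 4120
2026-03-27T10:01:05Z 203.0.113.7 GET /saml/login 200 4050
2026-03-27T10:02:10Z 198.51.100.4 GET /saml/login?AssertionConsumerServiceURL=https%3A%2F%2Fsp.example.test%2Facs&SAMLRequest=ZmFrZQ 302 96
2026-03-27T10:03:11Z 198.51.100.9 GET /wsfed/passive?wctx=rm%3D0%26id%3Dpassive 302 88
2026-03-27T10:04:00Z 192.0.2.33 GET /wsfed/passive?wctx= 200 4011
"""

# Assumed threshold: a normal NSC_TASS cookie is far under 1 KiB; a leak carries "kilobytes".
LARGE_COOKIE_BYTES = 1024
# Assumed threshold: malformed SAML/WS-Fed requests from one source before we alert on repetition.
REPEAT_THRESHOLD = 3


def parse_line(line):
    """Split one constructed log line into a record with the query parsed."""
    ts, src, method, target, status, tass_len = line.split()
    parts = urlsplit(target)
    return {
        "ts": ts,
        "src": src,
        "method": method,
        "path": parts.path,
        # keep_blank_values so "wctx=" survives as {'wctx': ['']} instead of vanishing
        "query": parse_qs(parts.query, keep_blank_values=True),
        "status": int(status),
        "tass_len": int(tass_len),
    }


def malformed_reason(rec):
    """Return why a request matches the CVE-2026-3055 trigger shape, or None if it is normal."""
    if rec["path"] == "/saml/login" and "AssertionConsumerServiceURL" not in rec["query"]:
        return "saml_login_missing_acs_url"
    if rec["path"] == "/wsfed/passive":
        wctx = rec["query"].get("wctx")
        if wctx is not None and all(v == "" for v in wctx):
            return "wsfed_empty_wctx"
    return None


def analyse(log_text):
    """Group malformed requests by source and alert on repetition or on a large NSC_TASS reply."""
    per_src = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        reason = malformed_reason(rec)
        if reason is None:
            continue
        rec["reason"] = reason
        rec["large_cookie"] = rec["tass_len"] >= LARGE_COOKIE_BYTES
        per_src[rec["src"]].append(rec)

    alerts = []
    for src, hits in per_src.items():
        leaked = sum(1 for h in hits if h["large_cookie"])
        # A single malformed request that came back with kilobytes of cookie is already
        # worth an alert; without that, require repetition to cut noise from broken SPs.
        if len(hits) >= REPEAT_THRESHOLD or leaked:
            alerts.append({
                "src": src,
                "malformed": len(hits),
                "large_cookie_responses": leaked,
                "reasons": sorted({h["reason"] for h in hits}),
            })
    return sorted(alerts, key=lambda a: (-a["malformed"], a["src"]))


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

Run against the constructed sample, the two legitimate federation flows (ACS URL present, non-empty `wctx`) pass silently, while the source that iterates the malformed requests and the single large-cookie response are both reported. On a real appliance the same logic belongs on the reverse-proxy or syslog stream in front of the NetScaler, with the cookie-length threshold tuned to what your deployment normally emits.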
Defender: "We patched NetScaler in March. The scanner is green."
Attacker: "I pulled your CFO's session token out of process memory in April, before you patched. I'm still using it. Your scanner doesn't know my session exists."
That exchange is not hypothetical. It is the precise mechanism that made the first CitrixBleed a catastrophe, and nothing about the third variant changes it.
A patched appliance can still be wide open
Here is the detail that vulnerability-management tooling structurally cannot see, because it lives outside the patch model entirely.
When the memory overread leaks a session token, that token is a fully valid authentication credential. It is not a password you can rotate by forcing a reset; it is a live session that the appliance will honour until the session itself is terminated. Applying the firmware patch stops new leaks. It does nothing to the tokens already exfiltrated. As Citrix had to spell out during the original CitrixBleed, the patch must be followed by an explicit step: kill every active and persistent session before — or immediately after — the upgrade (BankInfoSecurity coverage of the NetScaler "kill sessions" guidance).
Most organizations did not do this in 2023. They patched, watched the scanner turn green, and moved on — while attackers replayed stolen tokens for weeks. There is no evidence the muscle memory has changed. A patched-but-not-session-flushed NetScaler in June 2026 is in exactly the state that made CitrixBleed a year-long incident: the front door is locked and the attacker is already inside, holding a key that the lock still accepts.
This is why the June exploitation wave is rational attacker behaviour, not a paradox. Two populations of vulnerable appliances exist eleven weeks after the patch:
- The still-unpatched. Edge appliances are notoriously slow to update because they sit in the critical path for remote access and nobody wants the maintenance window. Internet-wide scanning for the SAML endpoints is cheap, so attackers simply wait and harvest the laggards.
- The patched-but-not-flushed. Tokens stolen in the late-March window before patching remain valid on any box where sessions were never killed. The bleed is over; the access it produced is not.
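Whether a box belongs to the patched-but-not-flushed population is something you can verify from your own session records rather than take on trust: any session that was first seen before the firmware upgrade and is still being used after it survived the upgrade, which means the flush never happened, and a post-upgrade use of such a session from a network the user never came from before is the replay the scanner cannot see. The following Python is an added example, not code from the article or from Citrix; the session-log format, the sample records and the `PATCHED_AT` timestamp are constructed assumptions, and the triage conservatively treats a flush done before the upgrade as leaving the flush-to-upgrade window open.

```python
from datetime import datetime

def parse_ts(s):
    """Parse an ISO-8601 timestamp; normalise a trailing Z to +00:00 for older Pythons."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

# Assumed for this example: the firmware upgrade on this appliance completed at this time.
PATCHED_AT = parse_ts("2026-03-28T22:00:00Z")

# Constructed records (not real appliance output), one line per observed use of a session:
# "<timestamp> <session_id> <user> <src_ip> <asn>"
SAMPLE_SESSION_LOG = """\
2026-03-25T08:00:00Z sess-001 cfo@example.test 198.51.100.20 AS64500
2026-03-25T09:30:00Z sess-002 alice@example.test 198.51.100.21 AS64500
2026-03-30T07:10:00Z sess-001 cfo@example.test 203.0.113.99 AS64511
2026-03-30T07:12:00Z sess-001 cfo@example.test 203.0.113.99 AS64511
2026-03-30T08:00:00Z sess-003 bob@example.test 198.51.100.22 AS64500
2026-03-31T10:00:00Z sess-002 alice@example.test 198.51.100.21 AS64500
"""


def classify_appliance(patched_at, flushed_at):
    """Map an appliance's patch and session-flush timestamps onto the at-risk populations."""
    if patched_at is None:
        return "still-unpatched"
    if flushed_at is None:
        return "patched-but-not-flushed"
    if flushed_at < patched_at:
        # Sessions issued between the flush and the upgrade could still have been bled,
        # so a flush that preceded the upgrade does not close the window on its own.
        return "flushed-before-upgrade-window-open"
    return "remediated"


def surviving_sessions(log_text, patched_at):
    """Report sessions that straddle the upgrade: created before it, still in use after it."""
    sessions = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, sid, user, src, asn = line.split()
        t = parse_ts(ts)
        s = sessions.setdefault(sid, {
            "session": sid, "user": user, "first_seen": t, "last_seen": t,
            "pre_patch_asns": set(), "post_patch_asns": set(), "post_patch_uses": 0,
        })
        s["first_seen"] = min(s["first_seen"], t)
        s["last_seen"] = max(s["last_seen"], t)
        if t < patched_at:
            s["pre_patch_asns"].add(asn)
        else:
            s["post_patch_uses"] += 1
            s["post_patch_asns"].add(asn)

    out = []
    for s in sessions.values():
        if s["first_seen"] < patched_at and s["last_seen"] >= patched_at:
            out.append({
                "session": s["session"],
                "user": s["user"],
                "post_patch_uses": s["post_patch_uses"],
                # A post-upgrade use from an ASN never seen before the upgrade is the replay signal.
                "new_asn_after_patch": bool(s["post_patch_asns"] - s["pre_patch_asns"]),
            })
    return sorted(out, key=lambda r: r["session"])


if __name__ == "__main__":
    print(classify_appliance(PATCHED_AT, None))
    for row in surviving_sessions(SAMPLE_SESSION_LOG, PATCHED_AT):
        print(row)
```

On the constructed data the result is unambiguous: `sess-001` and `sess-002` both outlived the upgrade, so no flush was done, and `sess-001` is additionally being used from an ASN its owner never originated from. A non-empty result from `surviving_sessions` is the cue to kill every active and persistent session on that appliance now, patch date notwithstanding.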
The SAML IDP blast radius
The reason CitrixBleed 3 deserves more attention than a generic edge RCE is the identity-federation blast radius. When the leaked memory contains a valid SAML assertion, the attacker is not just inside the NetScaler. They are holding a forged-but-genuine claim of identity that every downstream service provider trusts by design. Federation means the SaaS estate does not re-verify the user; it trusts the IDP's word. Bleed the IDP, and you can impersonate a federated user across every connected application without ever touching those applications' own authentication.
That converts a single appliance memory bug into a tenant-wide identity compromise. It is the difference between "an attacker can read some memory" and "an attacker can be your domain admin in Microsoft 365." Leaked LDAP and AD credentials extend the same reach into the on-prem directory. This is the property that makes NetScaler — like every identity edge appliance — a disproportionately valuable target: one bug, the keys to everything that trusts it.
The timeline is the lesson
| Date | Event |
|---|---|
| 23 Mar 2026 | Citrix discloses CVE-2026-3055 and CVE-2026-4368; patches released (CTX696300) |
| 27 Mar 2026 | CrowdSec observes the first exploitation traces |
| 30 Mar 2026 | CISA adds CVE-2026-3055 to the KEV catalog |
| 31 Mar 2026 | Public Metasploit module available |
| early Jun 2026 | Fortinet confirms large-scale exploitation of SAML IDP appliances |
Read top to bottom, the timeline indicts the point-in-time security model. Everything a quarterly process is designed to produce — disclosure, patch, KEV listing, an advisory to action — was complete by 31 March. An organization that ran its scheduled external pentest in February would have been told NetScaler was fine, because in February it was: the CVE did not exist and, on many boxes, the SAML IDP role had not yet been switched on. The exposure was created by a configuration change and sustained by an incomplete remediation, both of which happen in the long silence between scheduled assessments.
Why point-in-time testing misses CitrixBleed 3
A pentest is a photograph. CitrixBleed 3 is a film. The appliance that was clean in your Q1 assessment acquired a SAML IDP role in April, missed the firmware update in a deferred maintenance window, and was patched in May without a session flush. Three independent state changes, none of them visible to the assessment that signed off on the box months earlier. The annual or quarterly cadence does not have a frame for any of them.
What actually catches this is testing that runs as a continuous function of the live environment, not a calendar — testing that re-checks the identity edge when its configuration changes, that distinguishes "firmware patched" from "still exploitable because sessions were never invalidated," and that watches the wire for the exploitation pattern while it happens rather than reconstructing it from logs the next quarter.
This is where Zero Hunt is built for the exact shape of this problem. The 10-agent generative pentest swarm treats the perimeter as a moving target: its change-triggered campaigns fire when a new asset or a new service configuration appears, so a NetScaler that becomes a SAML IDP in April is re-tested in April — not at the next scheduled window. The Recon and Exploit agents generate a fresh exploit chain per target against the live configuration, so the question they answer is not "is this CVE patched in the abstract?" but "is this appliance, in this config, with these sessions, exploitable right now?" — including the post-patch session-replay case that a CVE-version check reports as closed. Every finding is backtested in the AI Gym before it runs in production and ECDSA-signed on write, so when the auditor asks why the identity edge was or wasn't exposed on a given day, the answer is a verifiable record, not a recollection.
The detection side closes the other half. Zero Hunt's AI Traffic Analysis — a deep-learning model with four inference heads running on the appliance GPU at 2.7+ Gbit/s, with no cloud callback — sees the CitrixBleed signature on the wire as it happens: the repeated malformed requests to the SAML endpoints, the anomalous NSC_TASS responses carrying base64 memory, and the replay of a session token from an ASN that the legitimate user has never originated from. That is the eleven-week window the dashboard could not see, observed in real time instead of reconstructed from next quarter's SIEM digest. A March CVE only becomes a June emergency when nobody is looking between the two. The point is to be looking.