Three CitrixBleeds in 30 months is not a streak, it is a code surface
CVE-2026-3055 is the third pre-auth memory disclosure in NetScaler's authentication stack in 30 months. Citrix says they are unrelated. The endpoints, the class, and the exploitation tempo say otherwise.
Citrix shipped the patch for CVE-2026-3055 on March 23, 2026. Four days later, watchTowr’s honeypots logged exploitation from known threat-actor infrastructure. Three days after that, CISA added it to KEV with a federal patch deadline of April 2. Three days for FCEB agencies to find every SAML IdP- or WS-Fed-configured NetScaler, schedule HA failover, upgrade, and invalidate every session token from the exposure window. The deadline was that tight because the exploitation telemetry left CISA no slack.
This is the third CitrixBleed. All three are pre-authentication. All three trigger on malformed input to an authentication-handling HTTP endpoint. All three return live process memory containing session tokens and credentials. All three reached CVSS 9.3 or higher. All three were mass-exploited within weeks of disclosure. watchTowr titled the CB3 writeup “The Sequels Are Never As Good, But We’re Still In Pain.” That is editorial fatigue from a firm that has covered every entry in the series. They are not the only ones who noticed.
The three CitrixBleeds, briefly
| Nickname | CVE | Vuln class | Endpoint | Disclosed | Exploited by |
|---|---|---|---|---|---|
| CitrixBleed 1 | CVE-2023-4966 | Buffer overread on oversized Host: header | /oauth/idp/.well-known/openid-configuration | Oct 2023 | LockBit, Medusa, Akira |
| CitrixBleed 2 | CVE-2025-5777 | Uninitialized variable, missing = on login field | POST /p/u/doAuthentication.do | Jun 2025 | RansomHub |
| CitrixBleed 3 | CVE-2026-3055 | OOB read, missing params on SAML and WS-Fed | /saml/login, /wsfed/passive | Mar 2026 | Multiple (KEV Mar 30, 2026) |
CB1 took down ICBC, Boeing, and DP World. CB2 prompted Kevin Beaumont to publish under “Electric Boogaloo” and to point to exploitation telemetry preceding Citrix’s stated discovery date. CB3 ships two distinct memory-overread primitives under one CVE: a POST /saml/login missing AssertionConsumerServiceURL, and a GET /wsfed/passive?wctx with a valueless wctx. Both write leaked memory into the NSC_TASS response cookie, base64-encoded. Legitimate values run under 512 bytes; exploitation responses routinely exceed 4 KB.
Bundling two parsers under one identifier obscures the audit story and complicates detection. Defenders watching only /saml/login would have missed half the attack surface.
Why this keeps happening
The substrate is consistent. NetScaler’s authentication stack lives in the NetScaler Packet Processing Engine (nsppe), the same C binary that CYFIRMA and Horizon3 placed CB2 in. CB3 lives in the SAML IdP and WS-Federation handlers in the same authentication pipeline; that is code-path proximity, not confirmed binary attribution, and no public writeup we found named the responsible binary for CB3. The pattern does not need the line numbers to match. C parsers in pre-auth paths repeatedly fail to validate input before reading memory. The substrate is the story; the specific bug is contingent.
Citrix’s CB2 advisory said CB1 and CB2 “are not related”. Researchers replied without saying it directly. Horizon3 titled their writeup “CitrixBleed 2 Write-Up, Maybe.” watchTowr wrote that CB3 “looks, smells, and quacks” like CB2 and framed it as “continuing a long-running theme of memory handling issues in edge appliances that sit directly in front of authentication systems,” noting that “memory management continues to appear fragile within Citrix NetScaler appliances, to the extent that even accidentally misconfiguring an appliance can lead to the disclosure of leaked memory.” Two firms with different incentives reaching the same read in different words. That is a pattern.
The series is longer than three. The 30 months from CB1 to CB3 generated at least two more critical NetScaler memory bugs without a nickname: CVE-2025-6543, memory overflow to RCE exploited as a zero-day alongside CB2, and CVE-2025-7775, memory corruption to RCE disclosed in August 2025 and exploited in the wild. watchTowr also found a partial memory leak bundled with CVE-2025-12101 that Citrix declined to assign a separate CVE for, on grounds that the behavior stemmed from a misconfiguration. The post title was “Is It CitrixBleed4? Well, No. Is It Good? Also, No.” Refusing the CVE does not refuse the bug.
In January 2026, two months before CB3 was disclosed, Citrix published “Security by design, proven by action with Citrix NetScaler,” describing memory protections, binary signing, threat modeling, and third-party source-code scanning as ongoing practice. A companion April 2025 post cited “runtime integrity and exploit resistance.” Both reference Citrix’s signing of CISA’s Secure by Design pledge.
Absent from either: a commitment to rewriting authentication-facing C parsers in a memory-safe language. A named fuzzing program for pre-auth HTTP input handlers. An external audit of nsppe. A timeline for eliminating the vulnerability class. The pledge is voluntary, the language is general, and the next CitrixBleed shipped 61 days after the January post. Stating intent is not the same as a roadmap a customer can hold you to.
What you should actually expect
Patching is the floor, not the ceiling. Fixed builds are 14.1-66.59, 13.1-62.23, and 13.1-FIPS/NDcPP 13.1-37.262. Anything earlier is exposed. Anything on 12.1 received no patch and should be treated as compromised and decommissioned.
Sessions leaked during the exposure window remain reusable. CERT-EU’s advisory publishes the kill sequence: kill aaa session -all, kill icaconnection -all, kill rdp connection -all, kill pcoipConnection -all, clear lb persistentSessions. Researchers investigating CB2 found that kill aaa session -all did not invalidate NSC_AAAC tokens on the older codebase; whether that gap persists in CB3 is unconfirmed. Plan for partial coverage. Rotate SAML signing certificates and re-import at every service provider. Rotate any LDAP bind credentials that may have lived in process memory.
Hunt the recon, not just the exploit. The observed attack pattern starts with GET /cgi/GetAuthMethods from a non-RFC-1918 source to confirm SAML IdP is enabled. The high-confidence IOC is POST /saml/login returning HTTP 200 with a Set-Cookie: NSC_TASS= value that exceeds 512 bytes. If you have header-level response logging at a WAF or reverse proxy, that is where the truth lives.
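The two hunting rules above (the external GetAuthMethods probe, and a 200 from /saml/login or /wsfed/passive carrying an NSC_TASS cookie over 512 bytes) as an added example, not code from the writeup or from any of the cited vendors; the log line format, field names and sample addresses are assumptions, while the paths and threshold come from the article.

```python
import ipaddress
import re

# Thresholds from the writeup: NSC_TASS under 512 bytes is legitimate; GetAuthMethods is the recon probe.
NSC_TASS_MAX_LEGIT = 512
RECON_PATH = "/cgi/GetAuthMethods"
EXPLOIT_PATHS = {"/saml/login", "/wsfed/passive"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed (hypothetical) WAF header-level response log format:
#   <timestamp> <src_ip> "<method> <path>[?query]" <status> [set-cookie="<header value>"]
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) "(?P<method>[A-Z]+) (?P<path>[^" ?]+)[^"]*" '
    r'(?P<status>\d{3})(?: set-cookie="(?P<cookie>[^"]*)")?$'
)

def is_private(ip):
    # RFC 1918 sources are excluded from the recon rule, matching the observed pattern.
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)

def nsc_tass_len(cookie):
    # Byte length of the NSC_TASS value in a Set-Cookie header, 0 if absent.
    for part in (cookie or "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "NSC_TASS":
            return len(value)
    return 0

def classify(line):
    # One finding dict per suspicious line; None for benign or unparsable lines.
    m = LINE_RE.match(line)
    if not m:
        return None
    f = m.groupdict()
    # Recon: external source enumerating auth methods to see whether SAML IdP is on.
    if f["method"] == "GET" and f["path"] == RECON_PATH and not is_private(f["src"]):
        return {"src": f["src"], "finding": "recon", "path": f["path"]}
    # Exploit: an auth endpoint answered 200 with an oversized NSC_TASS cookie.
    tass = nsc_tass_len(f["cookie"])
    if f["path"] in EXPLOIT_PATHS and f["status"] == "200" and tass > NSC_TASS_MAX_LEGIT:
        return {"src": f["src"], "finding": "memory-leak", "path": f["path"], "nsc_tass_bytes": tass}

def hunt(lines):
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample: one external probe, one legitimate login, one leaking response.
SAMPLE_LOG = [
    '2026-03-27T10:02:11Z 203.0.113.7 "GET /cgi/GetAuthMethods" 200',
    '2026-03-27T10:02:13Z 10.20.0.5 "POST /saml/login" 200 set-cookie="NSC_TASS=' + "A" * 64 + '"',
    '2026-03-27T10:02:14Z 203.0.113.7 "POST /saml/login" 200 set-cookie="NSC_TASS=' + "A" * 4200 + '; Path=/"',
]
```

Running hunt(SAMPLE_LOG) flags the probe and the oversized-cookie response from the same external address and leaves the internal login alone; the same logic applies to /wsfed/passive responses.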
The strategic question is not whether to patch. It is whether NetScaler should remain the authentication edge. That role places nsppe directly in the path of every unauthenticated SSO and federation request, which is exactly where a memory disclosure becomes a session-token fire hose. Three exploited-in-wild bugs of the same class in 30 months, on the same binary, on the same category of endpoint, is a pattern that survives any individual fix. Moving authentication to an identity proxy that does not share nsppe’s attack surface is a longer conversation, and the one worth having before the next disclosure.
Until the response changes, the pattern continues
Citrix shipped the patch on a Monday and was being exploited by Friday. The Secure by Design pledge predates the bug by two months. The third CitrixBleed is in CISA KEV with a three-day federal deadline. The pattern is not bad luck and it is not a streak. It is a code surface that keeps failing the same way, and a vendor response that has not yet named what it intends to do about it. Until the response changes, the next CitrixBleed is the one nobody has named yet.
Sources
- watchTowr Labs: The Sequels Are Never As Good, But We're Still In Pain
- watchTowr Labs: Please We Beg, Just One Weekend Free of Appliances (Part 2)
- Citrix Advisory CTX696300
- Citrix Advisory CTX693420 (CB2)
- Rapid7 ETR: CVE-2026-3055 NetScaler out-of-bounds read
- Picus Security: Inside the NetScaler CitrixBleed 3 memory overread
- BleepingComputer: CISA orders feds to patch actively exploited Citrix flaw by Thursday
- Censys advisory: CVE-2026-3055 exposure
- The Hacker News: Citrix NetScaler under active recon
- CERT-EU advisory 2026-003
- CYFIRMA: CVE-2025-5777 pre-auth memory leak in NetScaler (nsppe analysis)
- Horizon3: CitrixBleed 2 Write-Up, Maybe
- Kevin Beaumont: CitrixBleed 2 Electric Boogaloo
- watchTowr: Is It CitrixBleed4? Well, No. Is It Good? Also, No.
- Citrix Blogs: Security by design, proven by action with Citrix NetScaler (Jan 2026)
- Citrix Blogs: Citrix's approach to Secure by Design (Apr 2025)
- CISA BOD 26-02: Mitigating risk from end-of-support edge devices
- Qualys ThreatPROTECT: CVE-2026-3055 and CVE-2026-4368