## https://sploitus.com/exploit?id=F3C2CB2A-FD0A-5667-9816-F4F77D7B5320
# CVE-2026-3055 NetScaler SAML IdP check
Python helper to probe Citrix NetScaler / NetScaler Gateway appliances for [CVE-2026-3055](https://nvd.nist.gov/vuln/detail/CVE-2026-3055) (memory overread when acting as a **SAML Identity Provider**). Detection logic matches the public write-up from [watchTowr Labs](https://labs.watchtowr.com/the-sequels-are-never-as-good-but-were-still-in-pain-citrix-netscaler-cve-2026-3055-memory-overread/).
## Prerequisites
- Python 3.10+
- Only applies to appliances **configured as a SAML IdP**. Gateways without that role typically return 404 on `/saml/login`; that means **not applicable** for this CVE, not "safe from all NetScaler issues."
## Install
```bash
cd check-cve-2026-3055-netscaler
python3 -m venv .venv
source .venv/bin/activate # Windows: .venv\Scripts\activate
pip install -r requirements.txt
```
## Usage
```bash
python check_cve_2026_3055.py --targets https://netscaler.example.com https://10.0.0.1
```
Optional:
- `--timeout SECONDS`: HTTP timeout (default: 10)
TLS certificate verification is **disabled** intentionally (common for lab/self-signed appliances).
## How to read results
| Outcome | Meaning |
|--------|---------|
| **POTENTIALLY VULNERABLE** | Response includes `NSC_TASS` cookie after the crafted POST (per watchTowr). **Patch.** |
| **PATCHED** | Body contains `Parsing of presented Assertion failed` (patched behavior in the article). |
| **NOT APPLICABLE** | No cookie and no patched marker (often HTTP 404): SAML IdP path not in use or different response shape. |
| **UNREACHABLE** | Network / timeout / connection error. |
This is a **low-impact active check** (single POST to `/saml/login` plus a GET to `/metadata/samlidp/`). Use only on systems you are authorized to test.
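The decision table above, written as an offline classifier over already-captured responses. This is an added example, not code from `check_cve_2026_3055.py`. The function names, the response dictionary shape, the precedence when both markers appear, and all sample hosts and responses are assumptions constructed for illustration.

```python
from enum import Enum

COOKIE_NAME = "NSC_TASS"  # marker from the results table
PATCHED_MARKER = "Parsing of presented Assertion failed"  # marker from the results table


class Outcome(Enum):
    POTENTIALLY_VULNERABLE = "POTENTIALLY VULNERABLE"
    PATCHED = "PATCHED"
    NOT_APPLICABLE = "NOT APPLICABLE"
    UNREACHABLE = "UNREACHABLE"


def cookie_names(set_cookie_headers):
    """Exact cookie names from raw Set-Cookie values (the name precedes the first '=')."""
    names = set()
    for raw in set_cookie_headers:
        name, sep, _ = raw.split(";", 1)[0].partition("=")
        if sep:
            names.add(name.strip())
    return names


def classify(response):
    """response: None on a network error, else {'status', 'set_cookie', 'body'} (assumed shape)."""
    if response is None:
        return Outcome.UNREACHABLE
    # Assumption: the cookie wins if both markers appear, so a host is never under-reported.
    if COOKIE_NAME in cookie_names(response.get("set_cookie", [])):
        return Outcome.POTENTIALLY_VULNERABLE
    if PATCHED_MARKER in response.get("body", ""):
        return Outcome.PATCHED
    return Outcome.NOT_APPLICABLE


# Constructed sample responses (hosts, status codes and values are made up).
SAMPLES = {
    "gw-a.example": {"status": 302, "set_cookie": ["NSC_TASS=constructed-value; Path=/; Secure"], "body": ""},
    "gw-b.example": {"status": 200, "set_cookie": [], "body": "<p>Parsing of presented Assertion failed</p>"},
    "gw-c.example": {"status": 404, "set_cookie": [], "body": "Not Found"},
    "gw-d.example": None,
    # Look-alike cookie name, and the marker string only in the body: must not match.
    "gw-e.example": {"status": 200, "set_cookie": ["NSC_TASSX=1; Path=/"], "body": "NSC_TASS"},
}


def triage(results):
    """Map each host to its outcome label from the table."""
    return {host: classify(resp).value for host, resp in results.items()}
```

Matching the exact cookie name in `Set-Cookie`, rather than searching the whole response for the string, keeps a look-alike cookie or an echoed body from being reported as a finding.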
## References
- [watchTowr: Citrix NetScaler CVE-2026-3055 Memory Overread](https://labs.watchtowr.com/the-sequels-are-never-as-good-but-were-still-in-pain-citrix-netscaler-cve-2026-3055-memory-overread/)
- Citrix advisory and patched builds: follow vendor guidance for your track (e.g. 14.1-66.59+, 13.1-62.23+, as described in the article).
## License
Use at your own risk for authorized security assessment only.