Seems to be exploited and confirmed by Defused
Created on 2026-03-29 17:36, updated on 2026-03-29 17:36, by sync_user

🚨Citrix NetScaler CVE-2026-3055 is being actively exploited in the wild
Attackers send crafted SAMLRequest payloads to /saml/login omitting the AssertionConsumerServiceURL field, triggering the appliance to leak memory contents via the NSC_TASS cookie.
Our honeypot data shows exploitation activity from the same payload structure as the @watchtowrcyber PoC.
Track exploitation of our Citrix honeypots 👉 https://console.defusedcyber.com/capabilities
https://x.com/defusedcyber/status/2038266417091326156?s=46
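
A detection sketch for the request shape described in the post, added here as an example and not taken from Defused or any vendor: it decodes `SAMLRequest` values sent to `/saml/login` and flags AuthnRequests that carry no `AssertionConsumerServiceURL`. The record layout (source, request target, form body), the function names and the sample traffic are assumptions constructed for illustration. SAML 2.0 makes this attribute optional, so a hit is a triage lead rather than proof of exploitation.

```python
import base64, zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHN_REQUEST = "{urn:oasis:names:tc:SAML:2.0:protocol}AuthnRequest"

def decode_saml_request(value):
    """Base64-decode; inflate if sent via the HTTP-Redirect binding (raw DEFLATE)."""
    raw = base64.b64decode(value + "=" * (-len(value) % 4))
    return raw if raw[:1] == b"<" else zlib.decompress(raw, -15)

def classify(value):
    """Return 'no-acs-url', 'ok' or 'unparseable' for one SAMLRequest value."""
    try:
        xml = decode_saml_request(value)
        if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:  # refuse DTDs before parsing
            return "unparseable"
        root = ET.fromstring(xml)
    except (ValueError, zlib.error, ET.ParseError):
        return "unparseable"
    if root.tag == AUTHN_REQUEST and "AssertionConsumerServiceURL" not in root.attrib:
        return "no-acs-url"
    return "ok"

def flag_requests(records, path="/saml/login"):
    """records: (source, request_target, form_body); returns [(source, verdict)]."""
    hits = []
    for src, target, body in records:
        url = urlsplit(target)
        if url.path != path:
            continue
        values = parse_qs(url.query).get("SAMLRequest", []) + parse_qs(body).get("SAMLRequest", [])
        hits += [(src, v) for v in map(classify, values) if v != "ok"]
    return hits

# Constructed sample traffic (documentation addresses, made-up SP URL).
def sample_xml(acs=None):
    attr = f' AssertionConsumerServiceURL="{acs}"' if acs else ""
    return (f'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
            f' ID="_a1" Version="2.0"{attr}/>').encode()
def sample_param(xml, redirect=False):
    blob = zlib.compress(xml)[2:-4] if redirect else xml  # strip zlib wrapper -> raw DEFLATE
    return urlencode({"SAMLRequest": base64.b64encode(blob).decode()})

SAMPLE = [
    ("198.51.100.7", "/saml/login", sample_param(sample_xml())),
    ("203.0.113.20", "/saml/login?" + sample_param(sample_xml("https://sp.example/acs"), True), ""),
    ("198.51.100.9", "/saml/login?" + sample_param(sample_xml(), True), ""),
    ("203.0.113.5", "/saml/login", sample_param(b"not-xml")),
]
```

Unparseable values are reported separately so that malformed payloads reach an analyst instead of being silently dropped.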
Meta
[
{
"tags": [
"vulnerability:exploitability=industrialised",
"vulnerability:origin=software"
]
}
]