Citrix NetScaler under active recon - attackers fingerprinting SAML configs before exploitation (CVE-2026-3055)

Attackers are scanning internet-facing Citrix NetScaler ADC and Gateway appliances right now, probing the /cgi/GetAuthMethods endpoint to find which ones are configured as SAML identity providers - the exact setup needed to trigger this CVSS 9.3 memory-leak flaw. Not full exploitation yet, but researchers at watchTowr warn the jump from recon to attack could happen any day.

Check

Check if you run NetScaler ADC or Gateway configured as a SAML identity provider.

Affected

NetScaler ADC/Gateway 14.1 < 14.1-66.59, 13.1 < 13.1-62.23, 13.1-FIPS/NDcPP < 13.1-37.262.

Fix

Update to 14.1-66.59, 13.1-62.23, or 13.1-37.262 respectively. Patch immediately if configured as SAML IDP.