Detect Citrix NetScaler Out-of-Bounds Read (CVE-2026-3055) in Splunk
Detects exploitation attempts targeting CVE-2026-3055, an out-of-bounds read vulnerability (CWE-125) in Citrix NetScaler ADC and NetScaler Gateway. This vulnerability is actively exploited in the wild (CISA KEV) and may allow unauthenticated remote attackers to read sensitive memory contents, potentially leading to information disclosure or enabling further attacks. Detection focuses on anomalous HTTP request patterns, NetScaler management plane access, and memory-related crash indicators.
MITRE ATT&CK
SPL Detection Query
index=network OR index=proxy OR index=citrix sourcetype IN (citrix:netscaler:syslog, citrix:netscaler:appfw, pan:traffic, cisco:asa)
| where (dest_host LIKE "%netscaler%" OR dest_host LIKE "%citrix%" OR dest_host LIKE "%gateway%" OR category="netscaler")
| where (uri_path LIKE "/vpn/%" OR uri_path LIKE "/citrix/%" OR uri_path LIKE "/logon/%" OR uri_path LIKE "/epa/%" OR uri_path LIKE "/rpc/%")
| eval request_length=len(uri_query), is_suspicious=if(request_length>512 OR match(uri_path, "(\.\./|%00|%2e%2e)"), 1, 0)
| where is_suspicious=1 OR http_method="OPTIONS"
| stats count AS request_count, dc(uri_path) AS unique_paths, values(http_method) AS methods, min(_time) AS first_seen, max(_time) AS last_seen BY src_ip, dest_host
| where request_count > 5
| eval risk=case(request_count > 100, "High", request_count > 20, "Medium", true(), "Low")
| sort -request_count
| table first_seen, last_seen, src_ip, dest_host, request_count, unique_paths, methods, riskSplunk query detecting suspicious request patterns targeting Citrix NetScaler VPN and gateway endpoints consistent with CVE-2026-3055 out-of-bounds read exploitation. Focuses on malformed URIs, path traversal, and high-volume probing from single sources.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Authorized penetration testing or red team activities targeting NetScaler infrastructure
- Security vulnerability scanners (Qualys, Nessus, Tenable) performing scheduled scans
- Legitimate administrative scripts performing bulk configuration via management API
- CDN or reverse proxy health monitors generating OPTIONS requests to gateway endpoints
Other platforms for CVE-2026-3055
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate CVE-2026-3055 OOB Read Probe via Malformed VPN Endpoint Request
Expected signal: NetScaler access logs showing requests to /vpn/ with URI length >600 characters and path traversal sequences. HTTP response codes 400, 404, or 500 depending on patch status. Network capture showing outbound TCP connection to NetScaler port 443 with anomalous URI in HTTP request.
- Test 2Null Byte Injection Against NetScaler Gateway Authentication Endpoint
Expected signal: 15 sequential POST requests to /cgi/login from single source IP within 15 seconds. Varying response sizes across requests if OOB read is triggerable. NetScaler AppFW violation logs for null byte detection if AppFW is enabled. Process monitoring showing nsppe or nsnetsvc CPU spikes.
- Test 3Response Size Anomaly Validation for OOB Memory Disclosure
Expected signal: Two HTTP requests from same source IP — one to /vpn/index.html (baseline) and one to /epa/ with encoded path traversal. If vulnerable, probe response will be larger than baseline or contain unexpected binary content. NetScaler logs show both requests with response sizes in bytes_out field.
Unlock Pro Content
Get the full detection package for CVE-2026-3055 including response playbook, investigation guide, and atomic red team tests.