CitrixBleed-Class Vulnerability Exploited Within Hours of Disclosure
A newly disclosed CitrixBleed-class vulnerability (CVE-2026-8451) in Citrix NetScaler appliances was actively exploited less than 24 hours after public disclosure, according to decoy infrastructure operator Lupovis. The flaw, part of a recurring series of memory-disclosure bugs in NetScaler’s SAML authentication parser, was targeted in a coordinated scanning campaign between 30 June and 1 July 2026.
A threat actor operating from IP 146.70.139[.]154, hosted on M247 Europe SRL (AS9009) infrastructure in Frankfurt, Germany, probed three Lupovis sensors over a five-hour window. After receiving a 200 response from one sensor, the attacker delivered a confirmed CVE-2026-8451 exploitation payload, mirroring tactics observed in prior CitrixBleed incidents.
The vulnerability affects NetScaler ADC/Gateway versions 14.1 before 14.1-72.61 and 13.1 before 13.1-63.18 when configured as a SAML Identity Provider (IdP). It stems from a flaw in NetScaler’s XML parser, which fails to properly terminate unquoted attribute values, leading to an out-of-bounds memory read that exposes session tokens via the NSC_TASS cookie.
The exploit payload, sent to POST /saml/login, consisted of a malformed samlp:AuthnRequest tag padded with 476 spaces, a pattern designed to force the parser to read beyond its buffer. This technique aligns with the Detection Artifact Generator released by watchTowr Labs alongside Citrix’s advisory (CTX696604).
Notably, CVE-2026-8451 remains absent from CISA’s Known Exploited Vulnerabilities (KEV) catalog despite active exploitation, a repeat of past CitrixBleed incidents in which in-the-wild attacks preceded formal KEV listings by weeks. Previous flaws in this family, such as CVE-2023-4966 (the original CitrixBleed), led to high-profile breaches at Boeing, ICBC, and DP World within weeks of disclosure.
The attacker’s tooling, identified by the python-requests/2.32.5 User-Agent, validated targets before deploying payloads, a behavior consistent with opportunistic mass exploitation. The rapid exploitation underscores the persistent risk posed by CitrixBleed-style vulnerabilities, particularly for organizations relying solely on KEV-driven patch prioritization.
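A detection-side check for the request shape the article describes (a POST to /saml/login carrying a samlp:AuthnRequest start tag that is unterminated, padded with a long whitespace run, or written with unquoted attribute values, from a python-requests client). This is an added example, not code from Citrix, watchTowr Labs or Lupovis; the whitespace threshold and the sample request bodies are constructed assumptions for illustration.

```python
import re

# Signals drawn from the report: POST /saml/login, a samlp:AuthnRequest start tag that
# never closes or is padded with hundreds of spaces, unquoted attribute values, and a
# python-requests User-Agent. Threshold and sample bodies below are assumptions.
SAML_LOGIN_PATH = "/saml/login"
WS_RUN_THRESHOLD = 64  # assumption: a well-formed AuthnRequest never pads a tag this far
AUTHN_TAG_RE = re.compile(r"<samlp:AuthnRequest\b([^>]*)(>?)")
QUOTED_VALUE_RE = re.compile(r'"[^"]*"|\'[^\']*\'')
UNQUOTED_ATTR_RE = re.compile(r"\b[\w:.-]+\s*=\s*(?![\"'])\S")
WS_RUN_RE = re.compile(r"\s{%d,}" % WS_RUN_THRESHOLD)

def inspect_saml_request(method, path, user_agent, body):
    """Return indicator strings for one request; empty list when nothing looks off."""
    if method != "POST" or path.split("?", 1)[0] != SAML_LOGIN_PATH:
        return []
    match = AUTHN_TAG_RE.search(body)
    if match is None:
        return []
    attrs, closer = match.group(1), match.group(2)
    indicators = []
    if not closer:  # '>' never arrived: the start tag runs to the end of the body
        indicators.append("authnrequest-tag-unterminated")
    run = WS_RUN_RE.search(attrs)
    if run:
        indicators.append("whitespace-run:%d" % len(run.group(0)))
    # Blank out properly quoted values first so an '=' inside a URL does not trip the check.
    if UNQUOTED_ATTR_RE.search(QUOTED_VALUE_RE.sub('""', attrs)):
        indicators.append("unquoted-attribute")
    if indicators and user_agent.startswith("python-requests/"):
        indicators.append("scripted-client:" + user_agent)
    return indicators

def triage(requests):
    """Indices of the requests that raised indicators, mapped to those indicators."""
    return {i: h for i, h in enumerate(inspect_saml_request(*r) for r in requests) if h}

# Constructed sample traffic as (method, path, user_agent, body); not captured data.
BENIGN_BODY = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
               'ID="_c0nstructed" Version="2.0" Destination="https://idp.example/saml/login?a=b">'
               '</samlp:AuthnRequest>')
PADDED_BODY = "<samlp:AuthnRequest" + " " * 476  # unterminated tag, padding length from the report
UNQUOTED_BODY = "<samlp:AuthnRequest ID=_c0nstructed Version=2.0></samlp:AuthnRequest>"
SAMPLE_REQUESTS = [
    ("POST", "/saml/login", "Mozilla/5.0", BENIGN_BODY),
    ("GET", "/saml/login", "python-requests/2.32.5", ""),
    ("POST", "/saml/login", "python-requests/2.32.5", PADDED_BODY),
    ("POST", "/saml/login", "curl/8.0", UNQUOTED_BODY),
]
```

Running `triage(SAMPLE_REQUESTS)` flags only the padded and unquoted requests; the well-formed AuthnRequest and the GET probe return no indicators.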
Source: https://cybersecuritynews.com/citrixbleed-vulnerability-exploited/
Citrix TPRM report: https://www.rankiteo.com/company/citrix
"id": "cit1783016843",
"linkid": "citrix",
"type": "Vulnerability",
"date": "7/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{
  "affected_entities": [
    {
      "industry": "Technology, Finance, Logistics, Others",
      "location": "Global",
      "name": "Citrix NetScaler ADC/Gateway users",
      "type": "Network Appliance"
    }
  ],
  "attack_vector": "Malformed SAML authentication request (POST /saml/login)",
  "data_breach": {
    "personally_identifiable_information": "Session tokens (indirect PII risk)",
    "sensitivity_of_data": "High (session hijacking risk)",
    "type_of_data_compromised": "Session tokens"
  },
  "date_detected": "2026-06-30",
  "date_publicly_disclosed": "2026-06-30",
  "description": "A newly disclosed CitrixBleed-class vulnerability (CVE-2026-8451) in Citrix NetScaler appliances was actively exploited less than 24 hours after public disclosure. The flaw, part of a recurring series of memory-disclosure bugs in NetScaler’s SAML authentication parser, was targeted in a coordinated scanning campaign. The exploit payload delivered a malformed SAML request to extract session tokens via the NSC_TASS cookie.",
  "impact": {
    "data_compromised": "Session tokens (NSC_TASS cookie)",
    "identity_theft_risk": "High (session token exposure)",
    "systems_affected": "Citrix NetScaler ADC/Gateway (SAML IdP configurations)"
  },
  "initial_access_broker": {
    "entry_point": "SAML authentication parser flaw (CVE-2026-8451)",
    "reconnaissance_period": "5-hour scanning window (30 June - 1 July 2026)"
  },
  "investigation_status": "Ongoing (exploitation confirmed, no confirmed breaches reported)",
  "lessons_learned": "Rapid exploitation of CitrixBleed-class vulnerabilities underscores the need for proactive patching beyond KEV-driven prioritization. Organizations relying solely on CISA KEV may face delays in mitigating actively exploited flaws.",
  "motivation": "Opportunistic mass exploitation",
  "post_incident_analysis": {
    "corrective_actions": "Patch deployment, session token rotation, SAML request monitoring",
    "root_causes": "Flaw in NetScaler’s XML parser (unquoted attribute values leading to out-of-bounds memory read)"
  },
  "recommendations": [
    "Immediately patch NetScaler ADC/Gateway to versions 14.1-72.61 or 13.1-63.18",
    "Monitor for malformed SAML requests targeting /saml/login endpoints",
    "Rotate session tokens post-patch to mitigate token exposure risks",
    "Adopt proactive vulnerability management beyond KEV catalog reliance"
  ],
  "references": [
    {"date_accessed": "2026-07-01", "source": "Lupovis"},
    {"date_accessed": "2026-06-30", "source": "Citrix Advisory (CTX696604)"},
    {"date_accessed": "2026-06-30", "source": "watchTowr Labs (Detection Artifact Generator)"}
  ],
  "response": {
    "remediation_measures": "Patch to NetScaler ADC/Gateway versions 14.1-72.61 or 13.1-63.18",
    "third_party_assistance": "Lupovis (decoy infrastructure operator)"
  },
  "threat_actor": "Unknown (IP: 146.70.139[.]154, AS9009, M247 Europe SRL)",
  "title": "CitrixBleed-Class Vulnerability (CVE-2026-8451) Exploited Within Hours of Disclosure",
  "type": "Memory Disclosure Vulnerability Exploitation",
  "vulnerability_exploited": "CVE-2026-8451"
}