Citrix: CitrixBleed Vulnerability Exploited by Hackers Within 24 Hours of Public Disclosure

CitrixBleed-Class Vulnerability Exploited Within Hours of Disclosure

A newly disclosed CitrixBleed-class vulnerability (CVE-2026-8451) in Citrix NetScaler appliances was exploited in the wild less than 24 hours after public disclosure, according to decoy-infrastructure operator Lupovis. The flaw, the latest in a recurring series of memory-disclosure bugs in NetScaler’s SAML authentication parser, was targeted in a coordinated scanning campaign between 30 June and 1 July 2026.

A threat actor operating from 146.70.139[.]154, an address hosted on M247 Europe SRL (AS9009) infrastructure in Frankfurt, Germany, probed three Lupovis sensors over a five-hour window. After one sensor answered a probe with an HTTP 200, the attacker sent it a payload confirmed as CVE-2026-8451 exploitation, mirroring the probe-then-exploit sequence observed in earlier CitrixBleed incidents.

The vulnerability affects NetScaler ADC and NetScaler Gateway 14.1 before 14.1-72.61 and 13.1 before 13.1-63.18 when the appliance is configured as a SAML Identity Provider (IdP). It stems from a flaw in NetScaler’s XML parser, which fails to terminate unquoted attribute values correctly; the resulting out-of-bounds memory read exposes session tokens via the NSC_TASS cookie.

The exploit payload, sent by POST to /saml/login, consisted of a malformed samlp:AuthnRequest tag padded with 476 spaces, a pattern designed to push the parser past the end of its buffer. The request shape matches the artifact produced by the Detection Artifact Generator that watchTowr Labs released alongside Citrix’s advisory (CTX696604).

Notably, CVE-2026-8451 is still absent from CISA’s Known Exploited Vulnerabilities (KEV) catalog despite confirmed exploitation, repeating a pattern from earlier CitrixBleed incidents in which in-the-wild attacks preceded the KEV listing by weeks. Earlier flaws in this family, such as CVE-2023-4966 (the original CitrixBleed), led to high-profile breaches at Boeing, ICBC, and DP World within weeks of disclosure.

The attacker’s tooling, identified by its python-requests/2.32.5 User-Agent, validated targets before deploying payloads, a behavior consistent with opportunistic mass exploitation. The speed of exploitation underscores the persistent risk posed by CitrixBleed-style vulnerabilities, particularly for organizations that prioritize patching solely on KEV listings.
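The two practical checks a NetScaler operator would want from the paragraphs above are (a) whether a given build is in the affected range under the SAML IdP precondition, and (b) whether the probe-then-payload pattern (a 200 on a recon request, followed by a space-padded samlp:AuthnRequest POSTed to /saml/login, typically with a python-requests User-Agent) appears in their own logs. The following is an added example, not code from Citrix, Lupovis or watchTowr Labs. The log line format, the field names, the 64-space threshold and all sample lines are my own assumptions; the fixed builds, the SAML IdP precondition, the /saml/login path and the padded/unquoted AuthnRequest shape are taken from the article.

```python
"""Triage helpers for the NetScaler SAML-parser flaw described above.

Added example; not code from Citrix, Lupovis or watchTowr Labs. The log
format, field names, the 64-space threshold and all sample data are my own
assumptions; the fixed builds and the SAML IdP precondition are from the page.
"""
import re
from collections import defaultdict

# Fixed builds as stated in the article. Only the 14.1 and 13.1 branches are
# listed there, so any other branch is reported as "not covered" (None).
FIXED_BUILDS = {"14.1": (72, 61), "13.1": (63, 18)}


def parse_build(version):
    """Split '14.1-72.61' into ('14.1', (72, 61)); reject other shapes."""
    m = re.fullmatch(r"(\d+\.\d+)-(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler build string: {version!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def is_vulnerable_build(version, saml_idp_enabled):
    """True when the build predates the fix for its branch AND the appliance is
    configured as a SAML IdP (the precondition the page gives). None when the
    branch is not covered by the page's summary of the advisory."""
    branch, build = parse_build(version)
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        return None
    return saml_idp_enabled and build < fixed


# Assumed log shape: <ts> <src-ip> <method> <path> <status> "<user-agent>" <body-or-dash>
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) '
    r'"(?P<ua>[^"]*)" (?P<body>.*)$'
)
PAD_RUN = 64  # assumption: a whitespace run this long inside the tag is abnormal
# The page describes the payload as an AuthnRequest tag padded with spaces and
# an attribute value the parser cannot terminate because it is unquoted.
PADDED_TAG = re.compile(r"<samlp:AuthnRequest\b[^>]*?\s{%d,}" % PAD_RUN)
UNQUOTED_ATTR = re.compile(r"<samlp:AuthnRequest\b[^>]*?\s[\w:.-]+=(?![\"'])")


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(rec):
    """Labels for one request; empty set for ordinary traffic."""
    labels = set()
    if rec["method"] == "POST" and rec["path"].startswith("/saml/login"):
        if PADDED_TAG.search(rec["body"]):
            labels.add("padded-authnrequest")
        if UNQUOTED_ATTR.search(rec["body"]):
            labels.add("unquoted-attribute")
    if rec["ua"].startswith("python-requests/"):
        labels.add("python-requests-ua")
    return labels


def find_campaign(lines):
    """Per source IP, report the first exploit-shaped POST and whether it was
    preceded by a probe that got a 200 (the sequence Lupovis observed)."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    hits = {}
    for ip, recs in by_ip.items():
        probed_ok = False
        for rec in sorted(recs, key=lambda r: r["ts"]):
            labels = classify(rec)
            if labels & {"padded-authnrequest", "unquoted-attribute"}:
                hits[ip] = {"ts": rec["ts"], "ua": rec["ua"], "labels": labels,
                            "stage": "exploit-after-probe" if probed_ok else "exploit"}
                break
            if rec["status"] == "200":
                probed_ok = True
    return hits


# Constructed sample lines, not real sensor data. RFC 5737 documentation
# addresses stand in for sources; the page's real source IP is quoted above.
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/128.0"
BENIGN_BODY = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
               'ID="_a1b2c3" Version="2.0">')
EXPLOIT_BODY = "<samlp:AuthnRequest" + " " * 476 + "ID=_x Version=2.0>"
SAMPLE_LOG = [
    '2026-06-30T21:05:11Z 198.51.100.23 GET /vpn/index.html 200 "python-requests/2.32.5" -',
    '2026-06-30T21:06:02Z 203.0.113.7 GET /vpn/index.html 200 "python-requests/2.32.5" -',
    f'2026-06-30T21:07:40Z 192.0.2.44 POST /saml/login 200 "{BROWSER_UA}" {BENIGN_BODY}',
    f'2026-06-30T21:09:13Z 198.51.100.23 POST /saml/login 200 "python-requests/2.32.5" {EXPLOIT_BODY}',
]

if __name__ == "__main__":
    print(is_vulnerable_build("14.1-72.60", saml_idp_enabled=True))
    for ip, hit in find_campaign(SAMPLE_LOG).items():
        print(ip, hit["stage"], sorted(hit["labels"]))
```

Two caveats when running this against real logs. A python-requests User-Agent on its own is not an indicator (the second sample source shows a scanner that never sends a payload), which is why the grouping keys on the malformed POST and uses the earlier 200 only to label the stage. And because watchTowr's Detection Artifact Generator produces the same request shape, a hit from your own address range may be a detection test rather than an attack, so correlate the source IP before escalating.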

Source: https://cybersecuritynews.com/citrixbleed-vulnerability-exploited/

Citrix TPRM report: https://www.rankiteo.com/company/citrix

{
"id": "cit1783016843",
"linkid": "citrix",
"type": "Vulnerability",
"date": "7/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'industry': 'Technology, Finance, Logistics, Others',
                        'location': 'Global',
                        'name': 'Citrix NetScaler ADC/Gateway users',
                        'type': 'Network Appliance'}],
 'attack_vector': 'Malformed SAML authentication request (POST /saml/login)',
 'data_breach': {'personally_identifiable_information': 'Session tokens '
                                                        '(indirect PII risk)',
                 'sensitivity_of_data': 'High (session hijacking risk)',
                 'type_of_data_compromised': 'Session tokens'},
 'date_detected': '2026-06-30',
 'date_publicly_disclosed': '2026-06-30',
 'description': 'A newly disclosed CitrixBleed-class vulnerability '
                '(CVE-2026-8451) in Citrix NetScaler appliances was actively '
                'exploited less than 24 hours after public disclosure. The '
                'flaw, part of a recurring series of memory-disclosure bugs in '
                'NetScaler’s SAML authentication parser, was targeted in a '
                'coordinated scanning campaign. The exploit payload delivered '
                'a malformed SAML request to extract session tokens via the '
                'NSC_TASS cookie.',
 'impact': {'data_compromised': 'Session tokens (NSC_TASS cookie)',
            'identity_theft_risk': 'High (session token exposure)',
            'systems_affected': 'Citrix NetScaler ADC/Gateway (SAML IdP '
                                'configurations)'},
 'initial_access_broker': {'entry_point': 'SAML authentication parser flaw '
                                          '(CVE-2026-8451)',
                           'reconnaissance_period': '5-hour scanning window '
                                                    '(30 June - 1 July 2026)'},
 'investigation_status': 'Ongoing (exploitation confirmed, no confirmed '
                         'breaches reported)',
 'lessons_learned': 'Rapid exploitation of CitrixBleed-class vulnerabilities '
                    'underscores the need for proactive patching beyond '
                    'KEV-driven prioritization. Organizations relying solely '
                    'on CISA KEV may face delays in mitigating actively '
                    'exploited flaws.',
 'motivation': 'Opportunistic mass exploitation',
 'post_incident_analysis': {'corrective_actions': 'Patch deployment, session '
                                                  'token rotation, SAML '
                                                  'request monitoring',
                            'root_causes': 'Flaw in NetScaler’s XML parser '
                                           '(unquoted attribute values leading '
                                           'to out-of-bounds memory read)'},
 'recommendations': ['Immediately patch NetScaler ADC/Gateway to versions '
                     '14.1-72.61 or 13.1-63.18',
                     'Monitor for malformed SAML requests targeting '
                     '/saml/login endpoints',
                     'Rotate session tokens post-patch to mitigate token '
                     'exposure risks',
                     'Adopt proactive vulnerability management beyond KEV '
                     'catalog reliance'],
 'references': [{'date_accessed': '2026-07-01', 'source': 'Lupovis'},
                {'date_accessed': '2026-06-30',
                 'source': 'Citrix Advisory (CTX696604)'},
                {'date_accessed': '2026-06-30',
                 'source': 'watchTowr Labs (Detection Artifact Generator)'}],
 'response': {'remediation_measures': 'Patch to NetScaler ADC/Gateway versions '
                                      '14.1-72.61 or 13.1-63.18',
              'third_party_assistance': 'Lupovis (decoy infrastructure '
                                        'operator)'},
 'threat_actor': 'Unknown (IP: 146.70.139[.]154, AS9009, M247 Europe SRL)',
 'title': 'CitrixBleed-Class Vulnerability (CVE-2026-8451) Exploited Within '
          'Hours of Disclosure',
 'type': 'Memory Disclosure Vulnerability Exploitation',
 'vulnerability_exploited': 'CVE-2026-8451'}