NetScaler ‘CitrixBleed’ Flaw Exploited Within Hours
Attackers began scanning and exploiting CVE-2026-8451, an out-of-bounds read in Citrix NetScaler appliances configured as SAML IDPs, within 24 hours of disclosure and patches.
Threat actors began probing and exploiting CVE-2026-8451, an out-of-bounds read vulnerability in Citrix NetScaler ADC and Gateway appliances configured as SAML identity providers, within 24 hours of the flaw’s public disclosure and the vendor’s patch release on June 30.
The defect, assigned CVE-2026-8451 with a CVSS score of 8.8, was found in NetScaler’s XML parser. The parser failed to stop reading an unquoted XML attribute value when it reached a newline character. That behavior can cause the parser to read past the intended buffer, so that leftover memory contents are returned in HTTP responses via the NSC_TASS cookie.
A security firm published technical details and a detection artefact generator shortly after the patches became available. Within hours, at least one actor scanned exposed NetScaler instances from an IP hosted in Frankfurt and targeted multiple sensors over roughly five hours. On a sensor that returned an HTTP 200 OK for the expected endpoint, the actor immediately delivered a payload matching the published overread pattern. The payload used a bare <samlp:AuthnRequest> tag padded with 476 spaces followed by a newline. A second actor was later observed probing similar endpoints from a Koapu Cloud Hong Kong IP address.
Successful exploitation requires that the NetScaler appliance be configured as a SAML identity provider, but attackers do not need to authenticate to trigger the flaw. Devices exposed to the internet with SAML IDP enabled are therefore at risk of memory disclosure through the NSC_TASS cookie.
Organizations are advised to install Citrix’s June 30 patches as soon as possible. For environments where immediate patching is not feasible, administrators should disable SAML IDP functionality until updates are applied. Operators should also review traffic and logs for evidence of exploitation: look for requests to /saml/login, inspect AuthnRequest values for anomalous padding, and examine NSC_TASS cookie contents for unexpected memory fragments.
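As an added illustration of the log review just described (example code written for this article, not from Citrix, the security firm, or Lupovis), the script below decodes the SAMLRequest parameter from captured /saml/login requests and flags an AuthnRequest start tag that is padded with spaces, ends in a newline, or is never closed. The capture format, the PAD_THRESHOLD value and the sample requests are assumptions.

```python
import base64
import re
import zlib
from urllib.parse import parse_qs, quote
# Heuristic markers of the padded probe described above: an AuthnRequest start tag that is never
# closed with '>' and/or carries a long run of spaces ending in a newline (PAD_THRESHOLD is assumed).
START_TAG = re.compile(r"<(?:samlp:)?AuthnRequest\b")
PAD_THRESHOLD = 32
def decode_saml_request(value):
    """Decode a SAMLRequest value: base64 XML (POST binding) or DEFLATE+base64 (Redirect binding)."""
    try:
        raw = base64.b64decode(value)
        return raw if raw.lstrip().startswith(b"<") else zlib.decompress(raw, -15)
    except (ValueError, zlib.error):
        return None  # neither plain XML nor a raw DEFLATE stream

def inspect_authn_request(xml):
    """Return reasons the decoded XML looks like the padding probe; empty list when clean."""
    m = START_TAG.search(xml.decode("utf-8", errors="replace"))
    if not m:
        return []
    head, closed, _ = m.string[m.end():].partition(">")  # attribute region of the start tag
    reasons = []
    if not closed:
        reasons.append("AuthnRequest start tag never closed with '>'")
    pad = max((len(r) for r in re.findall(r" +", head)), default=0)
    if pad >= PAD_THRESHOLD:
        reasons.append(f"{pad} consecutive spaces inside start tag")
    if re.search(r" +\n", head):
        reasons.append("space padding followed by newline inside start tag")
    return reasons

def scan_requests(requests):
    """Flag /saml/login captures whose SAMLRequest (query string or form body) trips the heuristics."""
    findings = []
    for req in (r for r in requests if r["path"].startswith("/saml/login")):
        params = parse_qs(req.get("query", "") + "&" + req.get("body", ""))
        for value in params.get("SAMLRequest", []):
            xml = decode_saml_request(value)
            reasons = inspect_authn_request(xml) if xml is not None else ["SAMLRequest not decodable"]
            if reasons:
                findings.append({"src": req["src"], "reasons": reasons})
    return findings
# Constructed samples, not real traffic: one ordinary request and one stand-in for the padded probe.
BENIGN_XML = (b'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_c0ffee" '
              b'Version="2.0" IssueInstant="2026-07-01T12:00:00Z"></samlp:AuthnRequest>')
PROBE_XML = b"<samlp:AuthnRequest" + b" " * 64 + b"\n"
def _capture(src, xml):  # POST-binding capture as a proxy or WAF might record it
    return {"src": src, "path": "/saml/login", "body": "SAMLRequest=" + quote(base64.b64encode(xml).decode(), safe="")}
SAMPLE_REQUESTS = [_capture("10.0.0.5", BENIGN_XML), _capture("203.0.113.9", PROBE_XML),
                   {"src": "10.0.0.7", "path": "/vpn/index.html", "body": ""}]
```

Running `scan_requests(SAMPLE_REQUESTS)` reports only the second capture, with all three reasons; pretty-printed requests that break attributes across lines after a closing quote do not trip the padding check.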
Lupovis CEO Xavier Bellekens noted that both actors probed for the correct endpoint and, upon receiving a 200 OK with the expected response, delivered the payload immediately, illustrating rapid use of published detection artefacts by threat actors.