A critical vulnerability in Citrix NetScaler appliances, identified as CVE-2026-8451 and dubbed ‘CitrixBleed,’ has been actively exploited by threat actors within 24 hours of its public disclosure. This rapid exploitation underscores the persistent security challenges associated with Citrix’s NetScaler products.
The vulnerability resides in NetScaler’s custom XML parser for SAML AuthnRequest documents. The parser mishandles an unquoted attribute value that is followed by a newline: the scan runs past the end of the data it should be reading, producing an out-of-bounds read whose contents are disclosed to the requester. Since an AuthnRequest is processed before any user has authenticated, an unauthenticated attacker can use the leak to extract sensitive data, such as session tokens, from the affected appliance.
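To make the bug class concrete, the following is an added illustration written for this article; it is not NetScaler’s parser or any code from Citrix or watchTowr, and the real parser’s layout is not described here. It contrasts a hypothetical attribute scanner that ends an unquoted value only at a space or ‘>’ (so a newline-terminated value right at the end of the request walks into the memory that follows it) with a hardened version that rejects unquoted values, which XML forbids anyway, and bounds every scan by the buffer length. The AuthnRequest fragment and the “session=” bytes placed after it in the same array are constructed so that the over-read is well defined and observable.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Illustrative attribute scanner for this article; NOT NetScaler's parser.
 * Function names, layout and the sample data are assumptions for the demo. */

struct attr_val {
    const char *start;  /* first byte of the value */
    size_t len;         /* number of bytes the scanner claims belong to it */
    int ok;             /* 0 = attribute missing or rejected */
};

/* Return the index just past "name=" inside buf[0..buflen), or (size_t)-1.
 * The attribute name must be preceded by whitespace, as in "<tag ID=...". */
static size_t find_attr(const char *buf, size_t buflen, const char *name)
{
    size_t n = strlen(name);
    for (size_t i = 1; i + n + 1 < buflen; i++) {
        if (isspace((unsigned char)buf[i - 1]) &&
            memcmp(buf + i, name, n) == 0 && buf[i + n] == '=')
            return i + n + 1;
    }
    return (size_t)-1;
}

/* Vulnerable version. Quoted values are scanned within bounds, but an
 * unquoted value is scanned only until a space or '>': a newline does not
 * stop the scan and the loop never compares its index with buflen, so a
 * value terminated by "\n" at the end of the request makes the scan
 * continue into whatever memory follows the request. */
static struct attr_val parse_attr_vuln(const char *buf, size_t buflen,
                                       const char *name)
{
    struct attr_val r = {0, 0, 0};
    size_t i = find_attr(buf, buflen, name);
    if (i == (size_t)-1)
        return r;
    if (buf[i] == '"' || buf[i] == '\'') {
        char q = buf[i];
        size_t j = i + 1;
        while (j < buflen && buf[j] != q)
            j++;
        if (j == buflen)
            return r;
        r.start = buf + i + 1;
        r.len = j - (i + 1);
        r.ok = 1;
        return r;
    }
    /* BUG: unbounded scan, and '\n' is not treated as a terminator. */
    size_t j = i;
    while (buf[j] != ' ' && buf[j] != '>')
        j++;
    r.start = buf + i;
    r.len = j - i;
    r.ok = 1;
    return r;
}

/* Hardened version: XML requires attribute values to be quoted, so an
 * unquoted value is rejected outright, and the scan for the closing quote
 * is bounded by buflen so a missing quote is an error, not an over-read. */
static struct attr_val parse_attr_safe(const char *buf, size_t buflen,
                                       const char *name)
{
    struct attr_val r = {0, 0, 0};
    size_t i = find_attr(buf, buflen, name);
    if (i == (size_t)-1)
        return r;
    char q = buf[i];
    if (q != '"' && q != '\'')
        return r;
    size_t j = i + 1;
    while (j < buflen && buf[j] != q)
        j++;
    if (j == buflen)
        return r;
    r.start = buf + i + 1;
    r.len = j - (i + 1);
    r.ok = 1;
    return r;
}

/* True if the scanner's claimed value extends past the end of the request. */
static int reads_past_end(struct attr_val r, const char *buf, size_t buflen)
{
    return r.ok && (size_t)(r.start - buf) + r.len > buflen;
}

/* Constructed sample: one contiguous array so that the over-read is
 * well-defined. The request ends after the newline; the bytes after it
 * stand in for adjacent heap data (another user's session token). */
static const char arena[] =
    "<samlp:AuthnRequest ID=_req1\n"
    "session=0123456789abcdef "
    "/>";
#define REQ_LEN (sizeof("<samlp:AuthnRequest ID=_req1\n") - 1)

/* Constructed well-formed and unterminated requests for the hardened path. */
static const char good_req[] = "<samlp:AuthnRequest ID=\"_req1\"\n/>";
static const char unterminated_req[] = "<samlp:AuthnRequest ID=\"_req1\n";

int main(void)
{
    struct attr_val v = parse_attr_vuln(arena, REQ_LEN, "ID");
    struct attr_val s = parse_attr_safe(arena, REQ_LEN, "ID");
    struct attr_val g = parse_attr_safe(good_req, sizeof good_req - 1, "ID");

    printf("vulnerable: ok=%d len=%zu past_end=%d value=\"%.*s\"\n",
           v.ok, v.len, reads_past_end(v, arena, REQ_LEN), (int)v.len, v.start);
    printf("hardened on unquoted value: ok=%d\n", s.ok);
    printf("hardened on quoted value:   ok=%d value=\"%.*s\"\n",
           g.ok, (int)g.len, g.start);
    return 0;
}
```

The vulnerable scanner reports a 30-byte value that begins with `_req1` and carries on through the neighbouring `session=...` bytes, which is the shape of leak the article describes; the hardened scanner rejects the same request and also refuses a quoted value whose closing quote never arrives within the buffer.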
CitrixBleed affects NetScaler ADC and Gateway versions 14.1 before 14.1-72.61 and 13.1 before 13.1-63.18, and only when the appliance is configured as a SAML Identity Provider (IdP). Because no authentication is required to trigger the flaw and the leaked memory can contain session tokens that enable session hijacking, it is particularly concerning for organizations that rely on these appliances for secure remote access.
Within a day of Citrix publishing advisory CTX696604 and watchTowr Labs releasing a Detection Artifact Generator for CVE-2026-8451, coordinated scanning and exploitation attempts were observed. Lupovis, a cybersecurity firm, reported a threat actor operating from IP address 146.70.139[.]154 that targeted multiple sensor deployments between June 30 and July 1, 2026. The actor probed each sensor first and delivered the exploitation payload only after receiving a favorable response, a systematic approach to identifying vulnerable hosts before attempting compromise rather than blindly spraying the exploit.
This rapid exploitation mirrors previous incidents involving CitrixBleed vulnerabilities. For instance, the original CitrixBleed (CVE-2023-4966) in 2023 led to significant breaches at organizations like Boeing and ICBC shortly after disclosure. Similarly, CitrixBleed 2 (CVE-2025-5777) was actively exploited before public proof-of-concept disclosures, highlighting the urgency for prompt patching and proactive security measures.
Organizations running affected NetScaler builds should upgrade to 14.1-72.61 or 13.1-63.18 (or later) immediately. Because the flaw discloses memory that can contain session tokens, patching alone does not evict an attacker who has already captured a token; after upgrading, terminate active sessions on the appliance and review authentication logs for sessions reused from unexpected source addresses. Monitoring for unusual activity around SAML authentication, in particular malformed AuthnRequest submissions to the IdP endpoint, is likewise essential, and given the history of rapid exploitation of CitrixBleed vulnerabilities, any appliance that was exposed while unpatched should be treated as potentially compromised until reviewed.
The recurrence of memory-disclosure bugs in Citrix’s NetScaler products raises concerns about the security of widely used enterprise networking appliances, and underlines the need for vendors to prioritize secure coding practices and thorough vulnerability assessment of their own parsers. For organizations, it is a reminder that timely patch management and layered defenses, so that a single appliance flaw does not expose the whole environment, remain essential against emerging threats.