CitrixBleed returns: NetScaler flaw exploited within 24 hours
Citrix has patched six NetScaler ADC/Gateway vulnerabilities including CVE-2026-8451, a pre-authentication memory disclosure bug in SAML parsing that honeypots caught being exploited within a day of disclosure.
Citrix published a security bulletin on 30 June covering six vulnerabilities in NetScaler ADC and NetScaler Gateway, with CVSS scores from 6.9 to 8.8. The headline flaw, CVE-2026-8451 (CVSS 8.8), was found by Aliz Hammond and the watchTowr team: a malformed SAML authentication request causes NetScaler's XML parser to read beyond its buffer and return fragments of appliance memory to an unauthenticated attacker. It belongs to the same class as the 2023 CitrixBleed bug and shares a root cause with CVE-2026-3055, another NetScaler flaw exploited earlier this year.
The window between disclosure and abuse was effectively zero. Researchers at Lupovis observed an IP address in Frankfurt working through their honeypot sensors over a five-hour period on 30 June, dropping the exploit only on sensors that responded 200 OK — targeted exploitation, not generic scanning. Memory disclosure bugs of this class have historically leaked session tokens and credentials, which is what made the original CitrixBleed so damaging.
Only appliances configured as a SAML identity provider are exposed, but if that is you, treat this as urgent. Fixed builds are NetScaler ADC and Gateway 14.1-72.61 and later, 13.1-63.18 and later, and 14.1-FIPS 14.1-72.61 and later.
Patch now, then assume disclosure: check whether your NetScaler is configured as a SAML IdP, review authentication logs around the disclosure window, and rotate sessions and credentials that may have transited the appliance. The same bulletin also fixes an HTTP/2 bomb denial-of-service issue, so apply the full update rather than cherry-picking.
Source: CyberScoop. Details verified against the source at time of writing — always confirm current patch levels against the vendor's own advisory.
more news
Affected by this? Talk to an engineer.