A Critical Citrix Vulnerability Was Exploited Within 24 Hours of Public Disclosure
A newly disclosed vulnerability, tracked as CVE-2026-8451, was exploited by threat actors within a day of its public disclosure. The bug affects NetScaler appliances configured as a SAML IDP and lets attackers obtain sensitive information through an out-of-bounds read in the appliance's XML parser.
The flaw sits in the NetScaler XML parser: it fails to terminate an unquoted XML attribute value when that value is followed by a newline character. The parser therefore reads past its intended buffer, and the memory it picked up is returned to the client in the NSC_TASS cookie of the HTTP response. An attacker who sends such a request can harvest whatever sensitive data happened to sit in that memory.
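The following is an added illustration of the bug class described above, written for this article; it is a toy, not NetScaler's parser, and the attribute name, terminator sets and sample input are assumptions. It places an unquoted-attribute scanner whose terminator set omits the newline next to a corrected one. In a C parser the same omission keeps the scan running past the end of the request buffer; in this Python toy the overrun shows up as the value swallowing whatever follows the newline.

```python
# Added illustration (not NetScaler's code): a toy unquoted-attribute scanner
# with the terminator bug described in the article, beside a corrected one.
# Strict XML requires quoted attribute values; the bug lives in a parser that
# tolerates unquoted ones and decides where such a value ends.

def scan_unquoted_value(buf: str, start: int, terminators: str) -> str:
    """Return the unquoted attribute value that begins at buf[start],
    stopping at the first character found in `terminators`."""
    i = start
    while i < len(buf) and buf[i] not in terminators:
        i += 1
    return buf[start:i]


def attr_value(buf: str, name: str, terminators: str) -> str:
    """Locate `name=` in buf and scan its unquoted value."""
    start = buf.index(name + "=") + len(name) + 1
    return scan_unquoted_value(buf, start, terminators)


# Bug: only space, tab, '/' and '>' end the value, so a value that is
# followed by a bare newline is never terminated.
BUGGY_TERMINATORS = " \t/>"

# Fix: every XML whitespace character (space, tab, CR, LF) ends the value,
# as does '/' or '>'.
FIXED_TERMINATORS = " \t\r\n/>"


def buggy_attr_value(buf: str, name: str = "ID") -> str:
    return attr_value(buf, name, BUGGY_TERMINATORS)


def fixed_attr_value(buf: str, name: str = "ID") -> str:
    return attr_value(buf, name, FIXED_TERMINATORS)


# Constructed sample: an unquoted ID value followed by a newline. The text
# after the newline stands in for whatever sits next to the value in memory.
SAMPLE = "<Response ID=abc123\nADJACENT_DATA_IN_BUFFER>"

if __name__ == "__main__":
    print(repr(buggy_attr_value(SAMPLE)))  # 'abc123\nADJACENT_DATA_IN_BUFFER'
    print(repr(fixed_attr_value(SAMPLE)))  # 'abc123'
```

The fix is simply a complete terminator set: any scanner that decides where a token ends by enumerating stop characters needs to include every whitespace form the surrounding grammar allows, and a bounds check against the buffer length so that a missing terminator can never turn into an over-read.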
Citrix released patches for the vulnerability on June 30th, but threat actors were quick to take advantage of it. Scottish cybersecurity firm Lupovis reported that it detected scanning activity originating from what appeared to be a disposable or purpose-built scanning node hosted in Frankfurt, Germany. The attackers used a payload that included a “bare
Lupovis observed multiple sensors being targeted within a five-hour window, and the exploit payload was delivered immediately to the sensor that answered with an HTTP 200. Probing first and firing the payload only at a host that looks vulnerable is how a deliberate campaign behaves, and it indicates that at least one threat actor is actively exploiting this vulnerability to obtain sensitive information.
The speed of exploitation underlines the importance of timely patching and of staying vigilant when new flaws emerge. Organizations running affected NetScaler appliances should patch immediately, or disable the SAML IDP configuration if patching is not possible. To look for exploitation, check logs for requests to /saml/login, inspect the request values for the malformed attribute construct, and examine NSC_TASS cookie values in responses for content that does not look like a normal cookie value.
The practical takeaway is short: patch affected NetScaler appliances as soon as possible; if patching is not feasible, disable SAML IDP until it is. Keep monitoring logs for the indicators above so that exploitation attempts are spotted quickly.
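The following is an added example, not code from the article or from Citrix, that applies the three checks recommended above to request records: requests to /saml/login, a request value containing an unquoted attribute that runs into a newline, and an NSC_TASS response cookie that does not look like the short URL-like value the cookie normally carries (that last point is an assumption). The record layout, field names, thresholds and log records are constructed for this example; map them onto your own access-log format.

```python
import math
import re

# Added example (not from the article or from Citrix): a triage pass over
# NetScaler-style request records using the three indicators the article
# recommends. Record layout, field names and sample records are constructed.

# An attribute whose unquoted value runs straight into a newline, the
# malformed construct the article describes.
UNQUOTED_ATTR_NEWLINE = re.compile(r"\b[A-Za-z_:][\w:.-]*=[^\"'\s>]+\r?\n")


def unquoted_attr_before_newline(xml: str) -> bool:
    """True if the request body contains an unquoted attribute value that is
    terminated only by a newline."""
    return UNQUOTED_ATTR_NEWLINE.search(xml) is not None


def shannon_entropy(text: str) -> float:
    """Bits per character; random-looking binary leaks score high."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def suspicious_cookie(value: str, max_len: int = 256, max_entropy: float = 5.0) -> bool:
    """Assumption: NSC_TASS normally carries a short URL-like value. Leaked
    memory tends to be long, contain non-printable bytes, or look random."""
    if any(not (32 <= ord(ch) < 127) for ch in value):
        return True
    if len(value) > max_len:
        return True
    return shannon_entropy(value) > max_entropy


def triage(records):
    """Return (src, status, reasons) for each /saml/login request that
    matches at least one indicator."""
    findings = []
    for r in records:
        if not r["path"].startswith("/saml/login"):
            continue
        reasons = []
        if unquoted_attr_before_newline(r["request"]):
            reasons.append("unquoted attribute value ended by a newline in SAML request")
        cookie = r.get("nsc_tass")
        if cookie and suspicious_cookie(cookie):
            reasons.append("NSC_TASS response cookie looks like leaked memory")
        if reasons:
            findings.append((r["src"], r["status"], reasons))
    return findings


# Constructed records: the decoded SAML request body plus the NSC_TASS value
# the appliance set in its response. 203.0.113.0/24 is a documentation range.
SAMPLE_RECORDS = [
    {"src": "10.0.0.5", "path": "/saml/login", "status": 200,
     "request": '<samlp:AuthnRequest ID="_a1b2" Version="2.0">\n</samlp:AuthnRequest>',
     "nsc_tass": "/vpn/index.html"},
    {"src": "203.0.113.7", "path": "/saml/login", "status": 200,
     "request": '<samlp:AuthnRequest ID=_probe\nVersion="2.0"/>',
     "nsc_tass": "/vpn/\x00\x8a\x16AAAA\x7f\x01\xfe\xd3"},
    {"src": "203.0.113.7", "path": "/saml/login", "status": 404,
     "request": '<samlp:AuthnRequest ID=_probe\nVersion="2.0"/>',
     "nsc_tass": None},
    {"src": "10.0.0.9", "path": "/vpn/index.html", "status": 200,
     "request": "", "nsc_tass": "/vpn/index.html"},
]

if __name__ == "__main__":
    for src, status, reasons in triage(SAMPLE_RECORDS):
        print(f"{src} (HTTP {status}): " + "; ".join(reasons))
```

A hit on the request check alone (the 404 record above) tells you a scanner tried the malformed request; a hit on both checks against a 200 response is the pattern to escalate, since it means the appliance answered with cookie contents that should not exist.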
Source: SecurityWeek — 2026-07-02