New CitrixBleed Vulnerability Exploited Immediately After Public Disclosure

A new CitrixBleed-like vulnerability has been exploited by threat actors barely 24 hours after its public disclosure. The bug, tracked as CVE-2026-8451 with a CVSS score of 8.8, affects NetScaler ADC and NetScaler Gateways configured as SAML IDP, allowing attackers to access sensitive information without authentication.

The vulnerability was discovered in the XML parser of NetScaler appliances, which fails to terminate unquoted XML attribute values when followed by a newline character. This oversight allows the parser to read beyond its intended buffer, causing memory disclosure and exposing sensitive data stored in the NSC_TASS cookie. This flaw can be exploited without requiring authentication, making it particularly concerning for organizations that rely on these appliances.

The security community was quick to respond after Citrix released patches on June 30th, with watchTowr publishing technical details of the vulnerability and providing a detection artefact generator. However, this swift response was met with immediate exploitation by threat actors, as reported by Scottish cybersecurity firm Lupovis. Initial scanning activity originated from an IP hosted in Frankfurt, Germany, using what is likely a disposable or purpose-built scanning node.

Within just five hours, multiple Lupovis sensors were targeted, and a payload was dropped on the sensor that returned an HTTP 200. The payload included a “bare tag padded with 476 spaces followed by a newline”, matching the overread variant in watchTowr’s detection artefact generator. This behavior was repeated by a second threat actor, probing for exposed NetScaler instances from an IP address hosted on Koapu Cloud HK infrastructure.

The rapid exploitation of this vulnerability highlights the importance of patching and proper security configuration. Organizations using NetScaler appliances are advised to apply the latest patches or disable SAML IDP if immediate patching is not possible. Furthermore, they should monitor logs for /saml/login traffic, inspect request values, and check NSC_TASS cookie values to identify potential exploitation.
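One way to turn the log-monitoring advice above into a concrete check, as an added example that is not from SecurityWeek, watchTowr or Lupovis: it scans a hypothetical JSON-lines proxy log (a constructed format that keeps request bodies) for /saml/login requests whose body carries the probe shape reported above, a bare XML tag padded with a long run of spaces and a newline. The MIN_PAD threshold, field names and sample records are assumptions.

```python
import json
import re
from dataclasses import dataclass
from typing import List, Optional

# Heuristic for the probe shape described above: a bare (unterminated) XML
# tag, padded with a long run of spaces, then a newline. MIN_PAD is an
# assumed threshold; the observed probe used 476 spaces.
MIN_PAD = 64
BARE_TAG_PAD_RE = re.compile(r"<[A-Za-z][\w:.-]*[^>\n]*?( {%d,})\n" % MIN_PAD)

@dataclass
class Finding:
    line_no: int
    src_ip: str
    status: int
    pad_len: int

def inspect_record(rec: dict) -> Optional[int]:
    """Return the padding length if a /saml/login request body matches, else None."""
    if not rec.get("path", "").startswith("/saml/login"):
        return None
    m = BARE_TAG_PAD_RE.search(rec.get("body", ""))
    return len(m.group(1)) if m else None

def scan_log(lines) -> List[Finding]:
    """Scan JSON-lines records (hypothetical proxy log that keeps request bodies)."""
    findings = []
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        rec = json.loads(line)
        pad = inspect_record(rec)
        if pad is not None:
            findings.append(Finding(n, rec["src_ip"], int(rec["status"]), pad))
    return findings

# Constructed sample records (not real traffic): one probe that got a 200, one
# normal SAML request, one unrelated path, one shorter probe that got a 404.
PROBE_BODY = "<samlp:AuthnRequest" + " " * 476 + "\n"
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"src_ip": "203.0.113.10", "path": "/saml/login", "status": 200, "body": PROBE_BODY},
    {"src_ip": "198.51.100.7", "path": "/saml/login", "status": 200, "body": '<samlp:AuthnRequest ID="x"/>\n'},
    {"src_ip": "203.0.113.10", "path": "/vpn/index.html", "status": 302, "body": ""},
    {"src_ip": "198.51.100.9", "path": "/saml/login", "status": 404, "body": "<a" + " " * 100 + "\n"},
])
```

Records with a 404 are still reported, since the article describes the same probe hitting multiple sensors before one answered with a 200.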

In light of this incident, it’s clear that cybersecurity professionals must remain vigilant and proactive in their defenses against emerging threats. Regularly reviewing and updating security configurations, staying informed about new vulnerabilities, and applying patches promptly can significantly reduce the risk of exploitation by threat actors.


Source: SecurityWeek — 2026-07-02