PROBABLYPWNED
Vulnerabilities | July 5, 2026 | 3 min read

Citrix NetScaler Hit by CitrixBleed-Style Flaw—Exploited Within Hours

CVE-2026-8451 and five other NetScaler vulnerabilities disclosed this week, with attackers already targeting SAML-configured appliances. Patch now.

Marcus Chen

Citrix released patches this week for six vulnerabilities in NetScaler ADC and NetScaler Gateway, including a pre-authentication memory overread that security researchers are already comparing to the infamous CitrixBleed flaw from 2023. Attackers began probing vulnerable systems within 24 hours of disclosure.

The most serious issue, CVE-2026-8451, carries a CVSS score of 8.8 and affects NetScaler appliances configured as SAML Identity Providers. Researchers at watchTowr drew explicit parallels to CVE-2023-4966 (CitrixBleed), which ransomware groups including LockBit exploited extensively throughout 2023 and 2024.

What Makes This Dangerous

The flaw stems from insufficient input validation that allows an out-of-bounds memory read when the appliance processes SAML authentication requests. An unauthenticated attacker can trigger the condition remotely, potentially leaking sensitive session data or authentication tokens—the same attack pattern that made CitrixBleed so devastating.

Lupovis detected a coordinated scanning campaign targeting SAML-configured NetScaler appliances within 24 hours of the advisory publication. The threat actor delivered confirmed CVE-2026-8451 exploitation payloads after validating targets, suggesting this isn't opportunistic scanning.

All Six Vulnerabilities

CVE             CVSS  Type             Configuration Required
CVE-2026-8451   8.8   Memory overread  SAML IDP
CVE-2026-8452   8.8   Memory overflow  Gateway or AAA virtual server
CVE-2026-8655   8.8   Memory overflow  Oracle LB, DNS proxy, or DNS recursive resolver
CVE-2026-10816  7.7   Path traversal   NSIP/SNIP with management access
CVE-2026-10817  6.9   Memory overread  TCP TimeStamp enabled
CVE-2026-13474  8.7   Memory leak      HTTP/2 enabled

The path traversal flaw (CVE-2026-10816) deserves attention: it enables unauthenticated arbitrary file reads when management access is exposed. Organizations that haven't locked down management interfaces should assume they're at risk.

Patched Versions

Citrix has released fixes in the following builds:

  • NetScaler ADC/Gateway 14.1-72.61 and later
  • NetScaler ADC/Gateway 13.1-63.18 and later
  • NetScaler ADC 14.1-FIPS 14.1-72.61 FIPS and later
  • NetScaler ADC 13.1-FIPS/NDcPP 13.1.37.272 and later

For CVE-2026-13474 (the HTTP/2 memory leak), administrators must also manually configure Http2SmallWndTimeout to 30 seconds on appliances not using HTTP Strict Profiles.
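To turn the build list above into a quick fleet check, here is an added Python example (not code from this article or from Citrix) that compares an appliance's reported build against those fixed builds, handling the dotted form used by the 13.1 FIPS/NDcPP line; the inventory hosts and the older builds in it are constructed.

```python
import re

# Minimum fixed builds from the Citrix bulletin as quoted in the article,
# keyed by (release line, variant). The 13.1 FIPS/NDcPP line uses the
# dotted "13.1.37.272" form rather than the usual "13.1-63.18" form.
FIXED_BUILDS = {
    ("14.1", ""): "14.1-72.61",
    ("13.1", ""): "13.1-63.18",
    ("14.1", "FIPS"): "14.1-72.61",
    ("13.1", "FIPS"): "13.1.37.272",
    ("13.1", "NDcPP"): "13.1.37.272",
}

def parse_build(build: str) -> tuple:
    """Turn a NetScaler build string into a comparable tuple of ints."""
    parts = re.split(r"[.\-]", build.strip())
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised build string: {build!r}")
    return tuple(int(p) for p in parts)

def is_patched(build: str, variant: str = "") -> bool:
    """True if the running build is at or above the fixed build for its
    release line and variant ("" for standard, "FIPS", or "NDcPP")."""
    running = parse_build(build)
    key = (f"{running[0]}.{running[1]}", variant)
    if key not in FIXED_BUILDS:
        # A line the bulletin excerpt does not cover: do not guess, investigate.
        raise ValueError(f"no fixed build known for {key[0]} {variant or 'standard'}")
    return running >= parse_build(FIXED_BUILDS[key])

# Constructed sample inventory (hypothetical hosts and builds, not real data).
INVENTORY = [
    {"host": "ns-gw-01", "build": "14.1-72.61", "variant": ""},
    {"host": "ns-gw-02", "build": "14.1-47.46", "variant": ""},
    {"host": "ns-fips-01", "build": "13.1.37.272", "variant": "FIPS"},
    {"host": "ns-fips-02", "build": "13.1.37.100", "variant": "NDcPP"},
]

def unpatched_hosts(inventory) -> list:
    """Hosts still below the fixed build. A fixed build alone does not close
    CVE-2026-13474; Http2SmallWndTimeout must also be set as described above."""
    return [e["host"] for e in inventory
            if not is_patched(e["build"], e["variant"])]

if __name__ == "__main__":
    print("Needs patching:", unpatched_hosts(INVENTORY))
```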

Why This Matters

NetScaler appliances sit at the network perimeter, handling authentication for thousands of users. When CitrixBleed hit in 2023, organizations that delayed patching became ransomware victims within weeks. The same actors who exploited that flaw are watching for history to repeat.

Huntress and other MDR providers have already added detection signatures for CVE-2026-8451 exploitation attempts. If you're running NetScaler in a SAML configuration, check your logs for unusual authentication patterns and apply patches immediately.

The Citrix security bulletin includes version-specific guidance. CISA hasn't added these to the KEV catalog yet, but given the active exploitation, that addition seems imminent.

Organizations that struggled with FortiGate patching earlier this year should treat this with equal urgency. Edge device vulnerabilities remain the fastest path into enterprise networks, and threat actors know it.
