Citrix NetScaler Hit by CitrixBleed-Style Flaw—Exploited Within Hours
CVE-2026-8451 and five other NetScaler vulnerabilities disclosed this week, with attackers already targeting SAML-configured appliances. Patch now.
Citrix released patches this week for six vulnerabilities in NetScaler ADC and NetScaler Gateway, including a pre-authentication memory overread that security researchers are already comparing to the infamous CitrixBleed flaw from 2023. Attackers began probing vulnerable systems within 24 hours of disclosure.
The most serious issue, CVE-2026-8451, carries a CVSS score of 8.8 and affects NetScaler appliances configured as SAML Identity Providers. Researchers at watchTowr drew explicit parallels to CVE-2023-4966 (CitrixBleed), which ransomware groups including LockBit exploited extensively throughout 2023 and 2024.
What Makes This Dangerous
The flaw stems from insufficient input validation that allows an out-of-bounds memory read when the appliance processes SAML authentication requests. An unauthenticated attacker can trigger the condition remotely, potentially leaking sensitive session data or authentication tokens—the same attack pattern that made CitrixBleed so devastating.
Lupovis detected a coordinated scanning campaign targeting SAML-configured NetScaler appliances within 24 hours of the advisory publication. The threat actor delivered confirmed CVE-2026-8451 exploitation payloads after validating targets, suggesting this isn't opportunistic scanning.
All Six Vulnerabilities
| CVE | CVSS | Type | Configuration Required |
|---|---|---|---|
| CVE-2026-8451 | 8.8 | Memory overread | SAML IDP |
| CVE-2026-8452 | 8.8 | Memory overflow | Gateway or AAA virtual server |
| CVE-2026-8655 | 8.8 | Memory overflow | Oracle LB, DNS proxy, or DNS recursive resolver |
| CVE-2026-10816 | 7.7 | Path traversal | NSIP/SNIP with management access |
| CVE-2026-10817 | 6.9 | Memory overread | TCP TimeStamp enabled |
| CVE-2026-13474 | 8.7 | Memory leak | HTTP/2 enabled |
The path traversal flaw (CVE-2026-10816) deserves attention: it enables unauthenticated arbitrary file reads when management access is exposed. Organizations that haven't locked down management interfaces should assume they're at risk.
Patched Versions
Citrix has released fixes in the following builds:
- NetScaler ADC/Gateway 14.1-72.61 and later
- NetScaler ADC/Gateway 13.1-63.18 and later
- NetScaler ADC 14.1-FIPS 14.1-72.61 FIPS and later
- NetScaler ADC 13.1-FIPS/NDcPP 13.1.37.272 and later
For CVE-2026-13474 (the HTTP/2 memory leak), administrators must also manually configure Http2SmallWndTimeout to 30 seconds on appliances not using HTTP Strict Profiles.
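As an added example (not from the article or from Citrix), the following Python helper compares a reported NetScaler build against the fixed builds listed above so an inventory can be triaged. The `show ns version` banner format it accepts is an assumption, and the FIPS/NDcPP flag must be supplied by the operator, since the version string alone does not distinguish the 13.1 FIPS line from mainline 13.1.

```python
import re
from dataclasses import dataclass

# Minimum fixed builds per branch, taken from the article's "Patched Versions" list.
# Key: (branch, is_fips_or_ndcpp). 14.1-FIPS shares the mainline build number;
# 13.1-FIPS/NDcPP has its own fix line (37.272), far below mainline 13.1's 63.18.
FIXED_BUILDS = {
    ("14.1", False): (72, 61),
    ("13.1", False): (63, 18),
    ("14.1", True): (72, 61),
    ("13.1", True): (37, 272),
}

# Accepts advisory-style "14.1-72.61" / "13.1.37.272" and the CLI banner style
# "NetScaler NS14.1: Build 72.61.nc" (banner format is an assumption, not from the page).
VERSION_RE = re.compile(r"(?:NS)?(\d+\.\d+)[-.:\s]+(?:Build\s+)?(\d+)\.(\d+)")


@dataclass(frozen=True)
class Verdict:
    branch: str
    build: tuple
    status: str  # "patched", "vulnerable", or "unknown" (branch not in the bulletin)


def assess(version: str, fips: bool = False) -> Verdict:
    """Classify one appliance's running build against the fixed builds."""
    m = VERSION_RE.search(version)
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {version!r}")
    branch, build = m.group(1), (int(m.group(2)), int(m.group(3)))
    fixed = FIXED_BUILDS.get((branch, fips))
    if fixed is None:
        # Branches such as 13.0 or 12.1 are not in the fix list; do not assume they are safe.
        return Verdict(branch, build, "unknown")
    return Verdict(branch, build, "patched" if build >= fixed else "vulnerable")


def needs_patch(inventory):
    """Return hosts whose build is below the fix, or whose branch has no listed fix."""
    return [host for host, ver, fips in inventory if assess(ver, fips).status != "patched"]


# Constructed sample inventory (hostnames and builds are made up for illustration).
SAMPLE_INVENTORY = [
    ("gw-1", "NetScaler NS14.1: Build 72.61.nc", False),
    ("gw-2", "NetScaler NS14.1: Build 65.39.nc", False),
    ("gw-3", "13.1-63.18", False),
    ("gw-4", "13.1-37.272", True),   # 13.1 FIPS/NDcPP at its fixed build
    ("gw-5", "13.1-37.272", False),  # same number on non-FIPS 13.1 is below 63.18
    ("gw-6", "13.0-92.21", False),   # branch not covered by the bulletin
]

if __name__ == "__main__":
    print("needs patch:", needs_patch(SAMPLE_INVENTORY))
```

A "patched" verdict covers only the build number; the CVE-2026-13474 mitigation still requires the manual Http2SmallWndTimeout change described above on appliances not using HTTP Strict Profiles.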
Why This Matters
NetScaler appliances sit at the network perimeter, handling authentication for thousands of users. When CitrixBleed hit in 2023, organizations that delayed patching became ransomware victims within weeks. The same actors who exploited that flaw are watching for history to repeat.
Huntress and other MDR providers have already added detection signatures for CVE-2026-8451 exploitation attempts. If you're running NetScaler in a SAML configuration, check your logs for unusual authentication patterns and apply patches immediately.
The Citrix security bulletin includes version-specific guidance. CISA hasn't added these to the KEV catalog yet, but given the active exploitation, that addition seems imminent.
Organizations that struggled with FortiGate patching earlier this year should treat this with equal urgency. Edge device vulnerabilities remain the fastest path into enterprise networks, and threat actors know it.