A newly disclosed CitrixBleed-class vulnerability in Citrix NetScaler appliances came under active exploitation less than a day after public disclosure, with decoy infrastructure operator Lupovis confirming a coordinated scanning-and-exploitation campaign across three separate sensor deployments.
Within 24 hours of Citrix publishing advisory CTX696604 and watchTowr Labs releasing a Detection Artifact Generator for CVE-2026-8451, Lupovis’ decoy infrastructure detected a coordinated scanning campaign targeting NetScaler appliances configured as SAML Identity Providers.
How the Attack Unfolded
A threat actor operating from IP address 146.70.139.154 targeted three separate Lupovis sensor deployments in a five-hour window between June 30 and July 1, 2026, ultimately delivering a confirmed CVE-2026-8451 exploitation payload. Notably, this activity is not yet reflected in the CISA Known Exploited Vulnerabilities (KEV) catalog – echoing a pattern seen in prior CitrixBleed incidents where in-the-wild exploitation preceded formal KEV listing by weeks.
- Sensor A: probed twice, both returning HTTP 404
- Sensor B: probed once, returning HTTP 404
- Sensor C: returned HTTP 200 to the probe, which was immediately followed by delivery of the full SAML exploit payload
The behavior mirrors what researchers observed during CitrixBleed 2 in 2025, where scanning and exploitation escalated rapidly once proof-of-concept detail became public, eventually prompting CISA to demand 24-hour federal patching.
Technical Details
CVE-2026-8451 is the latest entry in the CitrixBleed family of memory-disclosure flaws, a recurring class of memory management failures in NetScaler appliances first identified with CVE-2023-4966 and rediscovered across successive CVEs including CVE-2025-5777, CVE-2025-12101, and CVE-2026-3055.
The flaw resides in NetScaler’s custom XML parser for SAML AuthnRequest documents, which does not correctly terminate an unquoted attribute value that is followed by a newline; the parser reads past the end of its buffer, and the over-read memory is returned to the client in the NSC_TASS cookie. The vulnerability is reachable without authentication, is only exposed when NetScaler is configured as a SAML Identity Provider, and affects NetScaler ADC and Gateway 14.1 before build 14.1-72.61 and 13.1 before build 13.1-63.18.
The captured payload, sent as a POST to /saml/login, decoded to a bare <samlp:AuthnRequest> tag padded with 476 spaces, with no attributes and no closing tag. That is the exact overread pattern produced by watchTowr’s Detection Artifact Generator, designed to make the XML parser read past its buffer boundary into adjacent memory.
Why This Pattern Keeps Repeating
CitrixBleed-style bugs are unauthenticated, session-token-exposing flaws that attract rapid mass exploitation once disclosed. The original CitrixBleed in 2023 saw hackers hit Boeing, ICBC, and DP World within weeks of disclosure. During CitrixBleed 2 in 2025, exploitation began around June 20 but KEV inclusion didn’t occur until July 10 – a three-week gap during which organizations relying solely on KEV-driven patch prioritization remained exposed.
The scanning infrastructure behind the new activity was traced to M247 Europe SRL (AS9009) infrastructure in Frankfurt, Germany, a hosting and VPN provider commonly linked to opportunistic scanning campaigns.
Indicators of Compromise
- 146.70.139.154 – IPv4 address used for CVE-2026-8451 scanning (M247 Europe SRL, AS9009, Germany)
- python-requests/2.32.5 – User-Agent string associated with automated scanning tooling
- POST /saml/login – exploit endpoint for CVE-2026-8451
- <samlp:AuthnRequest> followed by 400+ spaces – payload pattern for the overread variant
Recommendations
Organizations running NetScaler ADC or Gateway as a SAML Identity Provider should upgrade to 14.1-72.61 or 13.1-63.18 (or later) immediately rather than waiting for a KEV listing. Because the flaw needs no authentication and leaks memory that can contain session tokens, any exposed SAML IdP whose logs show POST requests to /saml/login with anomalous payload lengths should be treated as compromised: terminate active sessions and rotate tokens and cookies tied to NSC_TASS, since patching alone does not invalidate material that has already been leaked. Centralized, multi-sensor telemetry rather than isolated per-appliance logging was what made it possible here to recognise the same actor probing several targets in a single coordinated sweep.
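To make the payload description, the indicator list and the recommendations above concrete, here is an added Python triage helper. It is example code written for this page, not tooling from Lupovis, watchTowr or Citrix. It decodes the SAMLRequest form parameter from POST /saml/login records, flags the bare AuthnRequest tag followed by a long run of spaces, matches the source IP and User-Agent indicators, and checks a NetScaler build string against the fixed builds quoted above. The request-record field names and the sample records are constructed for the example, and the build-string parser assumes the branch-build.sub format of the version numbers given in the advisory text.

```python
"""Triage helper for the CVE-2026-8451 activity described above (added example, not vendor code)."""
from __future__ import annotations

import base64
import binascii
import re
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

# Indicators taken from the write-up above.
SCANNER_IPS = {"146.70.139.154"}
SCANNER_UA = "python-requests/2.32.5"
EXPLOIT_PATH = "/saml/login"
MIN_PADDING = 400                      # "400+ spaces" after the bare tag

# First fixed build per branch, from the advisory figures quoted above.
FIXED_BUILDS = {"14.1": (72, 61), "13.1": (63, 18)}


def parse_build(version: str) -> tuple[str, tuple[int, int]]:
    """'14.1-72.61' -> ('14.1', (72, 61)). Assumes the <branch>-<build>.<sub> format."""
    m = re.fullmatch(r"(\d+\.\d+)-(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler build string: {version!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def is_patched(version: str) -> bool:
    """True when the build is at or past the first fixed build for its branch."""
    branch, build = parse_build(version)
    if branch not in FIXED_BUILDS:
        raise ValueError(f"branch {branch} is not covered by the advisory data above")
    return build >= FIXED_BUILDS[branch]


def decode_saml_request(body: str) -> bytes | None:
    """Extract SAMLRequest from a form body; base64-decode it and inflate it if it was deflated."""
    params = parse_qs(body, keep_blank_values=True)
    if "SAMLRequest" not in params:
        return None
    try:
        raw = base64.b64decode(params["SAMLRequest"][0])
    except (binascii.Error, ValueError):
        return b""                       # undecodable: classify_saml will report it as malformed
    if raw.lstrip().startswith(b"<"):    # plain XML, as in the HTTP-POST binding
        return raw
    try:
        return zlib.decompress(raw, -15)  # raw DEFLATE, as in the HTTP-Redirect binding
    except zlib.error:
        return raw


def classify_saml(xml_bytes: bytes) -> str:
    """'overread-padding' for the payload shape described above, else 'authnrequest', 'other' or 'malformed'."""
    text = xml_bytes.decode("utf-8", errors="replace")
    # A bare opening tag (optionally with '>'), followed only by whitespace and never closed.
    m = re.fullmatch(r"\s*<samlp:AuthnRequest>?(\s*)", text)
    if m and len(m.group(1)) >= MIN_PADDING:
        return "overread-padding"
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError:
        return "malformed"
    return "authnrequest" if root.tag.rsplit("}", 1)[-1] == "AuthnRequest" else "other"


def triage_request(req: dict) -> list[str]:
    """Return the names of the indicators matched by one request record."""
    hits: list[str] = []
    if req.get("src_ip") in SCANNER_IPS:
        hits.append("known-scanner-ip")
    if req.get("user_agent") == SCANNER_UA:
        hits.append("scanner-user-agent")
    if req.get("method") == "POST" and req.get("path") == EXPLOIT_PATH:
        xml = decode_saml_request(req.get("body", ""))
        if xml is not None:
            verdict = classify_saml(xml)
            if verdict == "overread-padding":
                hits.append("cve-2026-8451-overread-payload")
            elif verdict == "malformed":
                hits.append("malformed-samlrequest")
    return hits


def _saml_body(xml: str) -> str:
    """Wrap an XML document as a SAMLRequest form body (HTTP-POST binding style)."""
    return urlencode({"SAMLRequest": base64.b64encode(xml.encode()).decode()})


BENIGN_AUTHN = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
                'ID="_c1" Version="2.0" IssueInstant="2026-07-01T09:00:00Z"/>')
OVERREAD_PAYLOAD = "<samlp:AuthnRequest" + " " * 476   # the shape reported above

# Constructed request records, not real captures; the field names are this example's own.
SAMPLE_REQUESTS = [
    {"id": "r1", "src_ip": "203.0.113.7", "method": "POST", "path": "/saml/login",
     "user_agent": "Mozilla/5.0", "body": _saml_body(BENIGN_AUTHN)},
    {"id": "r2", "src_ip": "146.70.139.154", "method": "GET", "path": "/saml/login",
     "user_agent": "python-requests/2.32.5", "body": ""},
    {"id": "r3", "src_ip": "146.70.139.154", "method": "POST", "path": "/saml/login",
     "user_agent": "python-requests/2.32.5", "body": _saml_body(OVERREAD_PAYLOAD)},
]


def triage_all(records: list[dict] = SAMPLE_REQUESTS) -> dict[str, list[str]]:
    return {r["id"]: triage_request(r) for r in records}


if __name__ == "__main__":
    for rid, hits in triage_all().items():
        print(rid, hits or "clean")
    print("14.1-72.60 patched:", is_patched("14.1-72.60"))
```

The payload check deliberately does not rely on the exact 476-space count: the indicator list gives only "400+ spaces", so the threshold is a constant and any bare, unclosed AuthnRequest tag with shorter padding is still reported as a malformed request worth a look. The IP and User-Agent matches are weak on their own (the address is a shared hosting range and the User-Agent is a stock library string), which is why the helper reports them separately from the payload match rather than folding everything into one score.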