Within 24 hours of public disclosure, attackers began exploiting a newly disclosed vulnerability in Citrix NetScaler ADC and Gateway that resembles 'CitrixBleed'. The rapid move to exploitation was reported by Lupovis, a cybersecurity company based in Scotland.
Details of the Vulnerability
The flaw is tracked as CVE-2026-8451 and carries a CVSS score of 8.8 (high severity). Citrix disclosed it on June 30 and released patches at the same time. The technical details were published by watchTowr, a company specializing in attack surface management.
The bug is an out-of-bounds read that affects NetScaler appliances configured as a SAML Identity Provider (IdP) and results in memory disclosure. It sits in NetScaler's XML parser: when an unquoted XML attribute value is followed by a newline, the parser fails to terminate the value and keeps reading past it into adjacent memory, whose contents can then leak to the requester.
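To make the bug class concrete, the following is an added Python model written for this article, not NetScaler's parser or anything published by watchTowr. It places a constructed SAML-style request at the start of a buffer and constructed residue from an earlier request (a fake NSC_TASS cookie) right behind it, then runs two attribute scanners over it: a permissive one that accepts unquoted values and does not treat a newline as a terminator, and a strict one that requires quotes, as XML does, and never reads past the request length. The request text, buffer layout and stale cookie are all assumptions for illustration.

```python
# Model of the bug class described above: a permissive XML attribute scanner
# that accepts unquoted values and does not stop at a newline, run over a
# buffer whose tail still holds residue from an earlier request. Illustrative
# code written for this article, not NetScaler's parser; the buffer layout and
# the stale cookie are constructed.

BUF_SIZE = 160

# Two constructed SAML-style requests: the malformed one leaves the ID value
# unquoted and ends it with a bare newline, the other is well-formed XML.
UNQUOTED_REQUEST = b"<samlp:AuthnRequest ID=abc\n"
QUOTED_REQUEST = b'<samlp:AuthnRequest ID="abc"\n'

# Residue a previous request left behind in the same allocation.
# Constructed value, not a real session token.
STALE_DATA = b"NSC_TASS=0123456789abcdef0123456789abcdef; other=1"


def build_memory(request: bytes) -> bytearray:
    """Lay the request out at offset 0 and the stale data right behind it."""
    mem = bytearray(BUF_SIZE)
    mem[: len(request)] = request
    mem[len(request): len(request) + len(STALE_DATA)] = STALE_DATA
    return mem


def attr_value_offset(mem: bytearray, name: bytes) -> int:
    """Index of the first byte after 'name=' (first occurrence in the buffer)."""
    idx = mem.find(name + b"=")
    if idx < 0:
        raise ValueError(f"attribute {name!r} not found")
    return idx + len(name) + 1


def scan_value_vulnerable(mem: bytearray, request_len: int, name: bytes) -> bytes:
    """Vulnerable scanner: quoted values are handled, but an unquoted value is
    terminated only by space, tab, '>' or '/'. A newline is not a terminator
    and request_len is ignored, so a value followed by a bare newline is read
    straight through into whatever follows the request in memory."""
    i = attr_value_offset(mem, name)
    if mem[i] in b"\"'":
        end = mem.index(mem[i], i + 1)
        return bytes(mem[i + 1:end])
    start = i
    # Bug: '\n' missing from the terminator set; bound is the allocation size.
    while i < len(mem) and mem[i] != 0 and mem[i] not in b" \t>/":
        i += 1
    return bytes(mem[start:i])


def scan_value_fixed(mem: bytearray, request_len: int, name: bytes) -> bytes:
    """Fixed scanner: values must be quoted, as XML requires, and the search
    for the closing quote never passes the end of the request data."""
    i = attr_value_offset(mem, name)
    if i >= request_len or mem[i] not in b"\"'":
        raise ValueError("unquoted attribute value rejected")
    end = mem.find(mem[i], i + 1, request_len)
    if end < 0:
        raise ValueError("unterminated attribute value")
    return bytes(mem[i + 1:end])


def reads_past_request(request: bytes) -> bool:
    """True if the vulnerable scanner's result extends beyond the request."""
    mem = build_memory(request)
    start = attr_value_offset(mem, b"ID")
    value = scan_value_vulnerable(mem, len(request), b"ID")
    return start + len(value) > len(request)


def fixed_rejects(request: bytes) -> bool:
    """True if the strict scanner refuses the request's ID attribute."""
    try:
        scan_value_fixed(build_memory(request), len(request), b"ID")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    mem = build_memory(UNQUOTED_REQUEST)
    print("vulnerable:", scan_value_vulnerable(mem, len(UNQUOTED_REQUEST), b"ID"))
    print("fixed rejects malformed request:", fixed_rejects(UNQUOTED_REQUEST))
    mem = build_memory(QUOTED_REQUEST)
    print("fixed, well-formed:", scan_value_fixed(mem, len(QUOTED_REQUEST), b"ID"))
```

Running it shows the permissive scanner returning the ID value together with the fake NSC_TASS cookie that sat behind the request, while the strict scanner rejects the unquoted attribute outright and returns only "abc" for the well-formed request. The two defensive properties that matter are both present in the fixed version: the parser enforces the grammar instead of guessing where a value ends, and every read is bounded by the length of the data actually received.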
Exploitation and Threat Actor Activity
Exploitation requires no authentication, but the appliance must be configured as a SAML IdP. Once watchTowr published its analysis and detection tooling, threat actors began probing exposed instances, as Lupovis confirmed.
The first activity came from an IP address in Frankfurt, Germany, most likely transient scanning infrastructure. Over a five-hour period Lupovis sensors recorded repeated attempts, with the payload delivered only to hosts that answered the initial probe with a successful HTTP status code.
Precautionary Measures and Recommendations
Organizations should patch their NetScaler appliances immediately. Where patching is not yet possible, disabling the SAML IdP function removes the affected configuration. Defenders should also review logs for suspicious requests to /saml/login and inspect NSC_TASS cookie values for signs of exploitation. Patching closes the read but does not recover anything already disclosed from memory before the fix was applied, so any secrets that may have been exposed should be rotated.
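The log review suggested above can be scripted. The following is an added Python example written for this article, not tooling from Lupovis, watchTowr or Citrix. It runs two checks over constructed access-log lines: a sliding-window count of /saml/login requests per source IP, which catches the repeated probing the article describes, and a shape check on NSC_TASS cookie values. The log format, the "healthy token" pattern, the burst threshold and the sample lines are all assumptions; NetScaler's real log format differs and the regexes would need adapting.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed access-log lines in a simplified format assumed for this example:
# timestamp, client IP, method, path, HTTP status, quoted Cookie header ("-" if
# none). NetScaler's real log format differs, so the regex would need adapting.
# The IPs are documentation ranges and the cookie values are made up.
SAMPLE_LOG = """\
2026-07-01T10:00:01Z 198.51.100.20 GET /logon/LogonPoint/index.html 200 "NSC_TASS=Ab12Cd34Ef56Gh78"
2026-07-01T10:00:05Z 203.0.113.7 GET /saml/login 200 "-"
2026-07-01T10:00:06Z 203.0.113.7 POST /saml/login 200 "NSC_TASS=ab cd<ef>; other=1"
2026-07-01T10:00:09Z 203.0.113.7 POST /saml/login 200 "-"
2026-07-01T10:00:11Z 203.0.113.7 POST /saml/login 200 "-"
2026-07-01T10:02:00Z 198.51.100.21 GET /saml/login 200 "NSC_TASS=Zz98Yy87Xx76Ww65"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')

# Assumed shape of a healthy NSC_TASS value: a URL-safe token of moderate
# length. Anything else (whitespace, markup, control characters, extreme
# length) is flagged for manual review rather than silently ignored.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_\-%.=]{8,128}$")


def parse_line(line: str):
    """Parse one log line into a dict, or return None for non-matching lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, ip, method, path, status, cookies = m.groups()
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "ip": ip, "method": method, "path": path,
        "status": int(status), "cookies": cookies,
    }


def nsc_tass_value(cookies: str):
    """Extract the NSC_TASS cookie value from a Cookie header, if present."""
    for part in cookies.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name == "NSC_TASS":
            return value
    return None


def suspicious_nsc_tass(value) -> bool:
    """A present NSC_TASS value that does not match the assumed token shape."""
    return value is not None and TOKEN_RE.match(value) is None


def saml_login_bursts(entries, threshold: int = 3, window_s: int = 300) -> dict:
    """Source IPs that hit /saml/login at least `threshold` times within any
    `window_s`-second window, mapped to the largest such count seen."""
    by_ip = defaultdict(list)
    for e in entries:
        if e["path"].startswith("/saml/login"):
            by_ip[e["ip"]].append(e["ts"])
    bursts = {}
    for ip, times in by_ip.items():
        times.sort()
        j = 0  # left edge of the sliding window
        for i in range(len(times)):
            while (times[i] - times[j]).total_seconds() > window_s:
                j += 1
            if i - j + 1 >= threshold:
                bursts[ip] = max(bursts.get(ip, 0), i - j + 1)
    return bursts


def analyze(log_text: str) -> dict:
    """Run both checks over a log and return what each one flagged."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    bad_cookies = []
    for e in entries:
        v = nsc_tass_value(e["cookies"])
        if suspicious_nsc_tass(v):
            bad_cookies.append((e["ip"], e["path"], v))
    return {"bursts": saml_login_bursts(entries), "bad_cookies": bad_cookies}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for ip, n in report["bursts"].items():
        print(f"burst: {ip} hit /saml/login {n} times within 5 minutes")
    for ip, path, v in report["bad_cookies"]:
        print(f"odd NSC_TASS from {ip} on {path}: {v!r}")
```

On the sample, the single scanning host is flagged for four /saml/login requests in six seconds and its malformed cookie is reported, while the ordinary logon and the lone legitimate SAML request pass. The burst threshold and window are deliberately loose starting points; on a real appliance they should be tuned against a baseline of normal SAML traffic, and any flagged cookie should be correlated with the sessions it belongs to rather than acted on in isolation.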
Lupovis also observed similar probes from an IP address belonging to Koapu Cloud HK. Its CEO, Xavier Bellekens, stressed that the urgency of applying protective measures cannot be overstated.
Threats of this kind move from disclosure to exploitation in hours, so timely patching and continuous monitoring remain the most effective defenses.
