A newly revealed vulnerability known as CitrixBleed in Citrix NetScaler devices was actively exploited by hackers less than 24 hours after its public disclosure. This rapid escalation was confirmed by Lupovis, which reported a coordinated scanning and exploitation campaign across multiple sensor deployments.
Rapid Exploitation of CitrixBleed
Shortly after Citrix issued advisory CTX696604 and watchTowr Labs released a Detection Artifact Generator for CVE-2026-8451, Lupovis observed a targeted scanning effort. The campaign specifically focused on NetScaler appliances set as SAML Identity Providers, indicating a well-coordinated attack strategy.
On the night of June 30 to July 1, 2026, a threat actor from IP address 146.70.139[.]154 executed attacks across three separate Lupovis sensors within a five-hour timeframe. This activity culminated in the deployment of a confirmed exploitation payload for CVE-2026-8451.
Historical Context and Vulnerability Details
The CitrixBleed vulnerability family, a series of memory disclosure flaws, has recurred across NetScaler appliance versions. It was first identified as CVE-2023-4966 and has persisted through several iterations, including CVE-2025-5777 and CVE-2026-3055.
The latest vulnerability is found in NetScaler’s XML parser for SAML AuthnRequest documents. It fails to properly terminate unquoted attribute values, leading to out-of-bounds memory reads that leak into the NSC_TASS cookie. This flaw is present in NetScaler ADC/Gateway versions 14.1 before 14.1-72.61 and 13.1 before 13.1-63.18, requiring the device to be configured as a SAML IdP.
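As an added triage aid (not code from the article, Citrix or watchTowr), the following Python compares a NetScaler build string against the fixed builds the article names and applies the SAML IdP precondition it states. The build-string format `major.minor-build.sub` and the status labels are assumptions; branches the article does not mention are reported as unknown rather than guessed at.

```python
import re
from typing import Tuple

# First fixed build per branch, as stated in the article (CTX696604 for CVE-2026-8451).
FIXED_BUILDS = {
    "14.1": (14, 1, 72, 61),   # 14.1 before 14.1-72.61 is affected
    "13.1": (13, 1, 63, 18),   # 13.1 before 13.1-63.18 is affected
}

# Assumed build-string shape, e.g. "14.1-72.61".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Turn a NetScaler build string into a tuple that compares numerically."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {version!r}")
    major, minor, build, sub = (int(x) for x in m.groups())
    return major, minor, build, sub


def assess(version: str, saml_idp_enabled: bool) -> str:
    """Classify an appliance as 'vulnerable', 'patched', 'not_exposed' or 'unknown_branch'.

    'not_exposed' means the build is below the fixed level but the appliance is not
    configured as a SAML IdP, which the article gives as the precondition; it should
    still be patched, the flaw just is not reachable through the SAML path.
    """
    parsed = parse_version(version)
    branch = f"{parsed[0]}.{parsed[1]}"
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        return "unknown_branch"          # the article gives no data for this branch
    if parsed >= fixed:
        return "patched"
    return "vulnerable" if saml_idp_enabled else "not_exposed"


if __name__ == "__main__":
    # Constructed inventory, not real appliances.
    inventory = [
        ("vpn-a", "14.1-72.60", True),
        ("vpn-b", "14.1-72.61", True),
        ("vpn-c", "13.1-63.17", False),
        ("vpn-d", "12.1-55.0", True),
    ]
    for name, ver, idp in inventory:
        print(f"{name:6} {ver:12} saml_idp={idp!s:5} -> {assess(ver, idp)}")
```

The check is only as good as the ranges it encodes; confirm them against the current advisory before acting on its output, and treat `not_exposed` as a patch-priority hint, not a reason to skip the update.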
Ongoing Threat and Response Measures
The scanning activity traced back to IP address 146.70.139[.]154, hosted by M247 Europe SRL in Frankfurt, Germany, a provider often associated with opportunistic scanning. The threat actor’s probes consistently returned 404 errors until a successful 200 response from one sensor enabled the full CVE-2026-8451 SAML payload delivery.
This attack pattern mirrors past incidents, such as CitrixBleed 2 in 2025, where rapid exploitation followed the public availability of proof-of-concept details, prompting urgent patching directives from CISA.
The decoded payload, sent to the POST /saml/login endpoint, consisted of a basic tag padded with spaces, matching the overread pattern from watchTowr’s Detection Artifact Generator. This pattern forces the XML parser to access memory beyond its buffer, underscoring the serious nature of these vulnerabilities.
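To show how the pattern described above (a known scanning source, repeated 404 probes followed by a 200, and a decoded SAMLRequest whose tag is padded with spaces) can be turned into detection logic, here is an added Python example; it is not code from Lupovis, watchTowr or the article. The log line format, the 64-space padding threshold and the sample records are all constructed assumptions; the source IP and the `/saml/login` endpoint are the ones the article names.

```python
import base64
import binascii
import re
from collections import defaultdict
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, urlencode

# Indicators from the article (IP written undefanged so it matches raw logs).
IOC_IPS = {"146.70.139.154"}
SAML_LOGIN = "/saml/login"

# Assumed heuristic: a legitimate AuthnRequest never carries this many consecutive
# spaces inside a tag, while the overread artefact described on the page does.
MIN_PADDING = 64
_PADDED_TAG = re.compile(r"<[^>]*? {%d,}" % MIN_PADDING)

LogRecord = Tuple[str, str, str, int, str]  # (client_ip, method, path, status, body)


def _encode_saml_post(xml: str) -> str:
    """Build a form body the way the SAML HTTP-POST binding does: base64, then form-encoded."""
    return urlencode({"SAMLRequest": base64.b64encode(xml.encode()).decode()})


# Constructed sample lines in an assumed "ip method path status body" format ("-" = no body).
SAMPLE_LOG = [
    "146.70.139.154 POST /saml/login 404 -",
    "146.70.139.154 POST /saml/login 404 -",
    "198.51.100.7 POST /saml/login 200 "
    + _encode_saml_post('<samlp:AuthnRequest ID="id1" Version="2.0"/>'),
    "146.70.139.154 POST /saml/login 200 " + _encode_saml_post("<a " + " " * 512),
]


def parse_log(lines: List[str]) -> List[LogRecord]:
    """Split the assumed line format into records; bodies are form-encoded so contain no spaces."""
    records: List[LogRecord] = []
    for line in lines:
        ip, method, path, status, body = line.split(maxsplit=4)
        records.append((ip, method, path, int(status), "" if body == "-" else body))
    return records


def decoded_saml_request(body: str) -> str:
    """Return the decoded SAMLRequest XML from a form body, or '' if absent or undecodable."""
    values = parse_qs(body).get("SAMLRequest")
    if not values:
        return ""
    try:
        return base64.b64decode(values[0], validate=True).decode("utf-8", errors="replace")
    except (binascii.Error, ValueError):
        return ""


def has_padded_tag(xml: str) -> bool:
    """True when a tag contains a long run of spaces, the overread shape the article describes."""
    return bool(_PADDED_TAG.search(xml))


def analyze(records: List[LogRecord]) -> List[Dict[str, object]]:
    """Walk records in order and emit one finding per suspicious POST to /saml/login."""
    findings: List[Dict[str, object]] = []
    failed_probes: Dict[str, int] = defaultdict(int)  # ip -> earlier 404s on /saml/login
    for ip, method, path, status, body in records:
        if method != "POST" or path != SAML_LOGIN:
            continue
        reasons: List[str] = []
        if ip in IOC_IPS:
            reasons.append("ioc_source_ip")
        if status == 200 and failed_probes[ip] > 0:
            reasons.append("success_after_%d_probes" % failed_probes[ip])
        if has_padded_tag(decoded_saml_request(body)):
            reasons.append("padded_tag_overread_pattern")
        if status == 404:
            failed_probes[ip] += 1
        if reasons:
            findings.append({"ip": ip, "status": status, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in analyze(parse_log(SAMPLE_LOG)):
        print(finding)
```

The padded-tag check is the only one of the three signals that does not depend on a specific source address, so it is the one worth keeping once the scanning IP rotates; the probe-then-success counter is cheap context that helps an analyst see the first successful request in a burst of failures.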
The continued exploitation of CitrixBleed vulnerabilities highlights the pressing need for organizations to promptly apply security patches and closely monitor their systems for suspicious activities.
