Cyber Web Spider Blog – News

Hackers Exploit CitrixBleed Flaw Within Hours of Disclosure

Posted on July 2, 2026 By CWS

A newly revealed vulnerability known as CitrixBleed in Citrix NetScaler devices was actively exploited by hackers less than 24 hours after its public disclosure. This rapid escalation was confirmed by Lupovis, which reported a coordinated scanning and exploitation campaign across multiple sensor deployments.

Rapid Exploitation of CitrixBleed

Shortly after Citrix issued advisory CTX696604 and watchTowr Labs released a Detection Artifact Generator for CVE-2026-8451, Lupovis observed a targeted scanning effort. The campaign specifically focused on NetScaler appliances set as SAML Identity Providers, indicating a well-coordinated attack strategy.

On the night of June 30 to July 1, 2026, a threat actor from IP address 146.70.139[.]154 executed attacks across three separate Lupovis sensors within a five-hour timeframe. This activity culminated in the deployment of a confirmed exploitation payload for CVE-2026-8451.

Historical Context and Vulnerability Details

The CitrixBleed vulnerability family, characterized by memory disclosure flaws, has seen repeated occurrences in various NetScaler appliance versions. This issue was initially identified with CVE-2023-4966 and has persisted through several iterations, including CVE-2025-5777 and CVE-2026-3055.

The latest vulnerability is in NetScaler’s XML parser for SAML AuthnRequest documents. The parser fails to properly terminate unquoted attribute values, leading to out-of-bounds memory reads whose contents leak into the NSC_TASS cookie. The flaw affects NetScaler ADC/Gateway versions 14.1 before 14.1-72.61 and 13.1 before 13.1-63.18, and requires the device to be configured as a SAML IdP.
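
The affected ranges above can be turned into an inventory check. This is an added example, not code from Citrix, Lupovis or watchTowr; the hostnames and inventory rows are constructed, and the banner-style version layout it accepts is an assumption about how the inventory was exported.

```python
import re

# Fixed builds per branch, as stated in the article text.
FIXED_BUILDS = {(14, 1): (72, 61), (13, 1): (63, 18)}

# Accepts "14.1-72.61" and banner-style "NS14.1: Build 60.57.nc".
# The banner layout is an assumption about how the inventory was exported.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\s*(?:-|:\s*Build\s+)(\d+)\.(\d+)", re.I)


def parse_build(text):
    """Split a version string into (branch, build) integer tuples."""
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, build, patch = (int(g) for g in m.groups())
    return (major, minor), (build, patch)


def triage(version_text, saml_idp):
    """Classify one appliance against the article's affected ranges."""
    branch, build = parse_build(version_text)
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        return "branch-not-listed"      # article gives no data for this branch
    if build >= fixed:                  # integer tuples: 63.9 sorts before 63.18
        return "fixed"
    return "exposed" if saml_idp else "vulnerable-build-idp-off"


# Constructed inventory: (hypothetical hostname, version string, SAML IdP on?)
INVENTORY = [
    ("ns-edge-01", "NS14.1: Build 60.57.nc", True),
    ("ns-edge-02", "14.1-72.61", True),
    ("ns-dc-01", "13.1-63.9", False),
    ("ns-lab-01", "12.1-65.25", True),
]


def triage_inventory(rows):
    """Map each hostname to its triage verdict."""
    return {host: triage(ver, idp) for host, ver, idp in rows}


if __name__ == "__main__":
    for host, verdict in triage_inventory(INVENTORY).items():
        print(f"{host:12} {verdict}")
```

Comparing builds as integer tuples matters here: a plain string comparison would rank 13.1-63.9 above 13.1-63.18 and report a vulnerable appliance as fixed.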

Ongoing Threat and Response Measures

The scanning activity was traced back to IP address 146.70.139[.]154, hosted by M247 Europe SRL in Frankfurt, Germany, a provider often associated with opportunistic scanning. The threat actor’s probes consistently returned 404 errors until a successful 200 response from one sensor, which enabled delivery of the full CVE-2026-8451 SAML payload.

This attack pattern mirrors past incidents, such as CitrixBleed 2 in 2025, where rapid exploitation followed the public availability of proof-of-concept details, prompting urgent patching directives from CISA.

The decoded payload, sent to the POST /saml/login endpoint, consisted of a basic tag padded with spaces, matching the overread pattern from watchTowr’s Detection Artifact Generator. This pattern forces the XML parser to access memory beyond its buffer, underscoring the serious nature of these vulnerabilities.
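
The sequence described above (404 probes from one source, then an answered request to POST /saml/login) can be hunted for in front-end logs. This is an added example, not code from Lupovis, watchTowr or Citrix; it assumes combined-format access logs from a reverse proxy or sensor, and the log lines, addresses and the `min_404` threshold are constructed.

```python
import re
from collections import defaultdict

# Combined access-log layout (an assumption; adapt to the real log source).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def find_probe_then_saml_post(lines, min_404=3):
    """Flag sources that drew >= min_404 404 responses and then had a
    POST /saml/login answered with anything other than 404."""
    misses = defaultdict(int)   # per-source count of 404 responses so far
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue            # skip lines that are not in the assumed layout
        src, status = m["src"], int(m["status"])
        path = m["path"].split("?", 1)[0]
        if status == 404:
            misses[src] += 1
        elif (m["method"] == "POST" and path == "/saml/login"
              and misses[src] >= min_404):
            findings.append({"src": src, "ts": m["ts"],
                             "status": status, "prior_404s": misses[src]})
    return findings


# Constructed log lines using documentation address ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jul/2026:00:10:01 +0000] "POST /saml/login HTTP/1.1" 404 153 "-" "-"',
    '203.0.113.7 - - [01/Jul/2026:00:10:04 +0000] "POST /saml/login HTTP/1.1" 404 153 "-" "-"',
    '198.51.100.20 - - [01/Jul/2026:00:11:30 +0000] "POST /saml/login HTTP/1.1" 200 812 "-" "-"',
    '203.0.113.7 - - [01/Jul/2026:00:12:15 +0000] "POST /saml/login HTTP/1.1" 404 153 "-" "-"',
    '192.0.2.55 - - [01/Jul/2026:00:13:02 +0000] "GET /a HTTP/1.1" 404 153 "-" "-"',
    '192.0.2.55 - - [01/Jul/2026:00:13:03 +0000] "GET /b HTTP/1.1" 404 153 "-" "-"',
    '192.0.2.55 - - [01/Jul/2026:00:13:04 +0000] "GET /c HTTP/1.1" 404 153 "-" "-"',
    '203.0.113.7 - - [01/Jul/2026:00:14:40 +0000] "POST /saml/login HTTP/1.1" 200 2048 "-" "-"',
]

if __name__ == "__main__":
    for hit in find_probe_then_saml_post(SAMPLE_LOG):
        print(hit)
```

A hit is a lead for review, not proof of exploitation; pair it with inspection of the request body and of the NSC_TASS cookie in the matching response.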

The continued exploitation of CitrixBleed vulnerabilities highlights the pressing need for organizations to promptly apply security patches and closely monitor their systems for suspicious activities.
