
CitrixBleed Vulnerability Exploited by Hackers Within 24 Hours of Public Disclosure

A newly disclosed CitrixBleed-class vulnerability in Citrix NetScaler appliances came under active exploitation less than a day after public disclosure, with decoy infrastructure operator Lupovis confirming a coordinated scanning-and-exploitation campaign across three separate sensor deployments.

Within 24 hours of Citrix publishing advisory CTX696604 and watchTowr Labs releasing a Detection Artifact Generator for CVE-2026-8451, Lupovis decoy infrastructure detected a coordinated scanning campaign targeting NetScaler appliances configured as SAML Identity Providers.

A threat actor operating from IP 146.70.139[.]154 targeted three separate Lupovis sensor deployments in a five-hour window spanning 30 June to 1 July 2026, ultimately delivering a confirmed CVE-2026-8451 exploitation payload.

Notably, this activity is not yet reflected in the CISA Known Exploited Vulnerabilities (KEV) catalog, echoing a pattern seen in prior CitrixBleed incidents where in-the-wild exploitation preceded formal KEV listing by weeks.

CitrixBleed Vulnerability Exploited

CVE-2026-8451 is the latest entry in the CitrixBleed family of memory-disclosure flaws, a recurring class of memory management failures in NetScaler appliances first identified with CVE-2023-4966 and rediscovered across successive CVEs including CVE-2025-5777, CVE-2025-12101, and CVE-2026-3055.

This history shows a consistent pattern: CitrixBleed-style bugs are unauthenticated, session-token-exposing flaws that attract rapid mass exploitation once disclosed, as seen with the original CitrixBleed in 2023 when hackers hit Boeing, ICBC, and DP World within weeks of disclosure.

The new flaw resides in NetScaler’s custom XML parser for SAML AuthnRequest documents, which fails to terminate unquoted attribute values followed by a newline, causing an out-of-bounds read whose contents leak into the NSC_TASS cookie.

It is unauthenticated, requires NetScaler configured as a SAML IdP, and affects NetScaler ADC/Gateway 14.1 before 14.1-72.61 and 13.1 before 13.1-63.18.
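The affected-version ranges above are easy to misread when a fleet mixes branches, so here is an added example (not the article's or Citrix's code) that maps a NetScaler build string onto the ranges the article gives. The fixed builds (14.1-72.61 and 13.1-63.18) and the SAML-IdP precondition come from the article; the "MAJOR.MINOR-BUILD.SUB" build-string layout, the function names, and the inventory rows are assumptions made for the example.

```python
"""Added example (not the article's or Citrix's code): map a NetScaler ADC/Gateway
build string onto the affected ranges the article gives for CVE-2026-8451.
The fixed builds (14.1-72.61, 13.1-63.18) and the SAML-IdP precondition come from
the article; the "MAJOR.MINOR-BUILD.SUB" build-string layout is assumed here."""
from __future__ import annotations

import re

# Fixed builds per branch, as stated in the article.
FIXED_BUILDS = {
    (14, 1): (72, 61),
    (13, 1): (63, 18),
}

_BUILD_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")


def parse_build(version: str) -> tuple[tuple[int, int], tuple[int, int]]:
    """Split '14.1-72.61' into branch (14, 1) and build (72, 61)."""
    m = _BUILD_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler build string: {version!r}")
    major, minor, build, sub = (int(x) for x in m.groups())
    return (major, minor), (build, sub)


def exposure(version: str, saml_idp_enabled: bool) -> str:
    """Classify one appliance:
      'patched'               build is at or above the fixed build for its branch
      'exposed'               below the fixed build and acting as a SAML IdP
      'unpatched-not-exposed' below the fixed build, but the IdP precondition is absent
      'unknown-branch'        a branch the article does not list; do not infer safety"""
    branch, build = parse_build(version)
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        return "unknown-branch"
    if build >= fixed:
        return "patched"
    return "exposed" if saml_idp_enabled else "unpatched-not-exposed"


if __name__ == "__main__":
    # Constructed inventory rows: (hostname, build, SAML IdP configured?)
    inventory = [
        ("ns-edge-1", "14.1-72.60", True),
        ("ns-edge-2", "14.1-72.61", True),
        ("ns-lab", "13.1-62.99", False),
        ("ns-legacy", "13.0-92.21", True),
    ]
    for host, build, idp in inventory:
        print(f"{host:10} {build:12} {exposure(build, idp)}")
```

Two design choices matter here: branches the article does not mention come back as "unknown-branch" rather than "patched", so nobody reads silence as safety, and an unpatched appliance without the SAML IdP role is still reported as unpatched, because the precondition only changes the priority of the fix, not the need for it.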

The scanning activity was traced to 146.70.139[.]154, hosted on M247 Europe SRL (AS9009) infrastructure in Frankfurt, Germany, a hosting/VPN provider commonly linked to opportunistic scanning.

The actor probed Sensor A twice (both returning 404), then Sensor B (404), before Sensor C returned a 200 response, at which point the full CVE-2026-8451 SAML payload was delivered immediately. This tooling behavior mirrors what researchers observed during CitrixBleed 2 in 2025, where scanning and exploitation escalated rapidly once proof-of-concept detail became public, prompting CISA to demand 24-hour federal patching.

The captured payload, sent to POST /saml/login, decoded to a bare <samlp:AuthnRequest tag padded with 476 spaces and no closing attributes or tag — the exact overread pattern from watchTowr’s Detection Artifact Generator, designed to force the XML parser to read past its buffer into adjacent memory.

Because CVE-2026-8451 exploitation predates its KEV listing, organizations relying solely on KEV-driven patch prioritization were exposed during this window to a repeat of the CitrixBleed 2 timeline, where exploitation began around June 20, 2025, but KEV inclusion didn’t occur until July 10.

The same actor hit three sensors in one sweep, a pattern only visible through centralized, multi-sensor telemetry rather than isolated honeypots.

Sensors returning 404 logged only probes, while the sensor returning 200 captured the full exploit chain, showing attacker tooling validates targets before committing payloads.

Indicators of Compromise

| Indicator | Type | Context |
|---|---|---|
| 146.70.139[.]154 | IPv4 | CVE-2026-8451 scanning, M247 Europe SRL exit node (AS9009), Germany |
| python-requests/2.32.5 | User-Agent | Automated scanning tooling |
| POST /saml/login | Endpoint | CVE-2026-8451 exploit endpoint |
| <samlp:AuthnRequest + 400+ spaces | Payload pattern | CVE-2026-8451 overread variant |
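The indicators above, together with the probe-then-payload sequence described earlier, translate directly into detection logic. The following is an added example, not the article's or Lupovis's code: it flags request records that match the listed indicators (POST /saml/login, a bare <samlp:AuthnRequest tag padded with 400+ spaces and no closing tag, the scanning User-Agent, the source IP) and groups hits by source address so that one actor sweeping several sensors stands out. The record layout (one dict per request with a `sensor` field), the handling of a `SAMLRequest=` form field as the carrier of the document, and every sample record are constructed for the example.

```python
"""Added example, not the article's or Lupovis's code: detect CVE-2026-8451
indicators in request records and surface multi-sensor sweeps by one source IP.
Record layout and all sample records are constructed for this example."""
from __future__ import annotations

import base64
import binascii
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlencode

# Indicators as listed in the article's IoC table.
IOC_SOURCE_IPS = {"146.70.139.154"}
IOC_USER_AGENTS = {"python-requests/2.32.5"}
EXPLOIT_ENDPOINT = ("POST", "/saml/login")

# Overread pattern: the opening tag, at least 400 spaces, and nothing that closes it.
_OVERREAD_RE = re.compile(r"^\s*<samlp:AuthnRequest {400,}$")


def extract_authn_request(body: str) -> str:
    """Return the SAML document carried by a request body. A SAML POST binding wraps
    it as a form field 'SAMLRequest=<base64>'; any other body is taken as-is.
    Undecodable base64 yields '' so a malformed field never crashes the detector."""
    fields = parse_qs(body, keep_blank_values=True)
    if "SAMLRequest" in fields:
        try:
            raw = base64.b64decode(fields["SAMLRequest"][0], validate=True)
        except (binascii.Error, ValueError):
            return ""
        return raw.decode("utf-8", "replace")
    return body


def classify(record: dict) -> list[str]:
    """Reasons this record looks like CVE-2026-8451 activity (empty list if none)."""
    reasons: list[str] = []
    if record.get("src_ip") in IOC_SOURCE_IPS:
        reasons.append("ioc-source-ip")
    if record.get("user_agent") in IOC_USER_AGENTS:
        reasons.append("ioc-user-agent")
    if (record.get("method"), record.get("path")) == EXPLOIT_ENDPOINT:
        doc = extract_authn_request(record.get("body", ""))
        if _OVERREAD_RE.match(doc):
            reasons.append("overread-payload")
        elif "<samlp:AuthnRequest" in doc and ">" not in doc:
            # Shorter padding or a different filler: still an unterminated tag.
            reasons.append("truncated-authnrequest")
    return reasons


def sweeps(records: list[dict], min_sensors: int = 2) -> dict[str, set[str]]:
    """Source IPs that touched at least min_sensors distinct sensors: the view that
    centralized, multi-sensor telemetry gives and an isolated honeypot cannot."""
    seen: dict[str, set[str]] = defaultdict(set)
    for r in records:
        seen[r["src_ip"]].add(r["sensor"])
    return {ip: s for ip, s in seen.items() if len(s) >= min_sensors}


def _saml_post_body(doc: bytes) -> str:
    """Wrap a document the way a SAML POST binding form would (constructed helper)."""
    return urlencode({"SAMLRequest": base64.b64encode(doc).decode("ascii")})


_ACTOR = {"src_ip": "146.70.139.154", "user_agent": "python-requests/2.32.5"}
_PAYLOAD = b"<samlp:AuthnRequest" + b" " * 476  # padding count as reported in the article

# Constructed records modelled on the sequence the article describes: probes answered
# 404 on sensors A and B, a 200 on sensor C, then the payload to /saml/login.
# The probe path "/" is an assumption; the article does not give it.
SAMPLE_RECORDS = [
    {"sensor": "A", **_ACTOR, "method": "GET", "path": "/", "status": 404, "body": ""},
    {"sensor": "A", **_ACTOR, "method": "GET", "path": "/", "status": 404, "body": ""},
    {"sensor": "B", **_ACTOR, "method": "GET", "path": "/", "status": 404, "body": ""},
    {"sensor": "C", **_ACTOR, "method": "GET", "path": "/", "status": 200, "body": ""},
    {"sensor": "C", **_ACTOR, "method": "POST", "path": "/saml/login", "status": 200,
     "body": _saml_post_body(_PAYLOAD)},
    # A well-formed AuthnRequest from an unrelated client, for contrast.
    {"sensor": "C", "src_ip": "203.0.113.7", "user_agent": "Mozilla/5.0",
     "method": "POST", "path": "/saml/login", "status": 200,
     "body": _saml_post_body(b'<samlp:AuthnRequest ID="r1" Version="2.0"/>')},
]


def report(records: list[dict] = SAMPLE_RECORDS) -> list[tuple[str, str, list[str]]]:
    """(sensor, src_ip, reasons) for every record that matched something."""
    out = []
    for r in records:
        reasons = classify(r)
        if reasons:
            out.append((r["sensor"], r["src_ip"], reasons))
    return out


if __name__ == "__main__":
    for sensor, ip, reasons in report():
        print(f"sensor {sensor} {ip} {', '.join(reasons)}")
    for ip, sensors in sweeps(SAMPLE_RECORDS).items():
        print(f"sweep: {ip} touched sensors {sorted(sensors)}")
```

The IP and User-Agent matches are deliberately kept separate from the payload match: the first two age quickly as the actor rotates infrastructure, while the unterminated <samlp:AuthnRequest pattern on the SAML endpoint describes the bug class and will keep matching variants with different padding. `sweeps` is the aggregation that made the three-sensor pattern visible in the article; on a single sensor it returns nothing.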


The post CitrixBleed Vulnerability Exploited by Hackers Within 24 Hours of Public Disclosure appeared first on Cyber Security News.

Source: cybersecuritynews.com
