New CitrixBleed-like NetScaler Flaw Sees Exploit Attempts in the Wild
New CitrixBleed-like NetScaler Flaw Sees Exploit Attempts in the Wild 🚨
Citrix NetScaler has received patches for a new memory leak vulnerability similar to CitrixBleed, along with several other critical issues. This week, Citrix patched a vulnerability tracked as CVE-2026-8451, which has already shown signs of exploitation in the wild. Researchers from the security firm watchTowr discovered that unauthenticated malformed requests could leak protected process memory data in responses.
The original CitrixBleed vulnerabilities were rated critical due to their potential to leak session tokens and other sensitive credentials. Although the new CVE-2026-8451 can only leak smaller amounts of data, it still poses a significant risk. Citrix has assigned it a CVSS score of 8.8, indicating high severity.
For exploitation to occur, the NetScaler appliance must be configured as a SAML Identity Provider. This configuration was also necessary for CitrixBleed 3, which was patched earlier this year. Security firm Lupovis reported seeing exploitation attempts on its honeypot sensors less than 24 hours after the patch was released. They noted that three separate sensors were targeted within a five-hour window, with the attacker successfully delivering the exploit payload on the third sensor.
While the proof-of-concept for this vulnerability did not reveal any credentials or tokens, repeated requests could potentially leak sensitive information. The leaks may expose process memory pointers, allowing attackers to bypass defenses and take control of the device.
In addition to CVE-2026-8451, Citrix also addressed two high-severity memory overflow vulnerabilities (CVE-2026-8452 and CVE-2026-8655), an unauthenticated arbitrary file read (CVE-2026-10816), and a denial-of-service issue (CVE-2026-13474) that can be exploited through HTTP/2 requests.
Citrix advises customers to upgrade their NetScaler ADC and NetScaler Gateway appliances to the latest versions to mitigate these vulnerabilities. For more details on the configuration changes required, please refer to the Citrix advisory.
For further reading, check out the full article here: Read full article