Threat actors began exploiting CVE-2026-8451 in NetScaler ADC and NetScaler Gateway appliances less than 24 hours after Citrix disclosed and patched the issue. The bug can leak memory from SAML IDP-configured systems without authentication, and early probing has already been linked to scanning from Frankfurt and Koapu Cloud HK infrastructure. #CitrixBleed #CVE-2026-8451 #NetScaler #Citrix
Keypoints
- Attackers exploited CVE-2026-8451 within 24 hours of public disclosure.
- The flaw affects NetScaler ADC and NetScaler Gateway devices configured as SAML IDP.
- The issue is an out-of-bounds read in NetScaler's XML parser.
- Successful exploitation can leak memory into the NSC_TASS cookie without authentication.
- Lupovis observed multiple probing attempts and urged immediate patching or SAML IDP disablement.