
New CitrixBleed Vulnerability Exploited Immediately After Public Disclosure

Medium
Exploit
Published: 07/02/2026 (07/02/2026, 15:04:22 UTC)
Source: SecurityWeek

Description

Hackers are targeting NetScaler appliances using public PoC code to retrieve arbitrary memory content in the HTTP response.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 07/02/2026, 15:06:32 UTC

Technical Analysis

CVE-2026-8451 is an out-of-bounds read vulnerability affecting Citrix NetScaler ADC and Gateway appliances configured as SAML Identity Providers. The issue arises from the XML parser not terminating unquoted XML attribute values when followed by a newline character, leading to reading beyond the intended buffer. This results in memory contents being disclosed in the NSC_TASS cookie within HTTP responses. The vulnerability requires no authentication for exploitation. Public proof-of-concept code was released on June 30, 2026, and attackers began exploiting the flaw within 24 hours, scanning for exposed NetScaler instances and delivering payloads that trigger the memory disclosure. The vulnerability has a CVSS score of 8.8. Citrix released patches concurrently with the disclosure. Detection can be performed by inspecting /saml/login traffic and NSC_TASS cookie values.
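The bug class described above, as an added illustration that is not Citrix code and not taken from the source article: a hypothetical attribute scanner that does not end an unquoted value at a newline and ignores the document length, next to a hardened form. The buffer contents, offsets and function names are constructed for this example.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed arena: a 12-byte request followed by unrelated bytes that
   stand in for adjacent memory. Not real appliance data. */
static const char ARENA[] = "<Req ID=abc\n" "adjacent-heap-bytes other";
#define DOC_LEN     12  /* bytes that belong to the request */
#define VALUE_START 8   /* offset of the unquoted value "abc" */

/* Flawed pattern: an unquoted value ends only at ' ' or '>', so '\n' does
   not terminate it, and the document length is never consulted. The NUL
   test only keeps this demo inside ARENA. */
static size_t value_len_unsafe(const char *buf, size_t start)
{
    size_t i = start;
    while (buf[i] != '\0' && buf[i] != ' ' && buf[i] != '>')
        i++;
    return i - start;
}

/* Hardened pattern: stop at any XML whitespace or '>', and never scan
   past the end of the document. */
static size_t value_len_safe(const char *buf, size_t doc_len, size_t start)
{
    size_t i = start;
    while (i < doc_len && buf[i] != ' ' && buf[i] != '\t' &&
           buf[i] != '\r' && buf[i] != '\n' && buf[i] != '>')
        i++;
    return i - start;
}

/* Bytes beyond the real value that the flawed scan would treat as value. */
static size_t over_read(const char *buf, size_t doc_len, size_t start)
{
    return value_len_unsafe(buf, start) - value_len_safe(buf, doc_len, start);
}

int main(void)
{
    printf("safe=%zu unsafe=%zu over-read=%zu\n",
           value_len_safe(ARENA, DOC_LEN, VALUE_START),
           value_len_unsafe(ARENA, VALUE_START),
           over_read(ARENA, DOC_LEN, VALUE_START));
    return 0;
}
```

The hardened scanner returns the three bytes of the real value, while the flawed one runs through the newline into the bytes that follow the request, which is the kind of over-read that ends up reflected in a response.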

Potential Impact

Successful exploitation of this vulnerability allows unauthenticated attackers to retrieve arbitrary memory content from affected NetScaler appliances configured as SAML IDP. This memory disclosure can expose sensitive information, potentially leading to further compromise or data leakage. The vulnerability affects the confidentiality of data processed by the appliance. Exploitation has been observed in the wild shortly after public disclosure.

Mitigation Recommendations

Citrix has released official patches for this vulnerability; organizations should apply these patches immediately. If patching is not possible, disabling the SAML IDP configuration on NetScaler appliances is recommended to mitigate risk. Additionally, organizations should monitor logs for /saml/login traffic, inspect request values, and check NSC_TASS cookie values for signs of exploitation. These steps align with vendor guidance and observed attack patterns.


Technical Details

Article Source: https://www.securityweek.com/new-citrixbleed-vulnerability-exploited-immediately-after-public-disclosure/ (fetched 2026-07-02T15:06:24.742Z, word count 1051)

Threat ID: 6a467e7027e9c797198af9ba

Added to database: 07/02/2026, 15:06:24 UTC

Last enriched: 07/02/2026, 15:06:32 UTC

Last updated: 07/03/2026, 01:18:26 UTC
