{"id":8633,"date":"2026-07-03T11:41:11","date_gmt":"2026-07-03T11:41:11","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=8633"},"modified":"2026-07-03T11:41:11","modified_gmt":"2026-07-03T11:41:11","slug":"new-citrixbleed-like-netscaler-flaw-sees-exploit-attempts-in-the-wild","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=8633","title":{"rendered":"New CitrixBleed-like NetScaler flaw sees exploit attempts in the wild"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Citrix NetScaler appliances have been a constant target for attackers in recent years, most recently through an information leak vulnerability dubbed CitrixBleed 3, the latest in a series of NetScaler memory overreads going back to 2023. This week, Citrix patched yet another CitrixBleed-like vulnerability and there are signs of in-the-wild exploitation already.<\/p>\n<p>The new memory overread vulnerability, tracked as CVE-2026-8451, was found by researchers from security firm watchTowr who published <a href=\"https:\/\/labs.watchtowr.com\/citrixbleed-to-infinity-and-beyond-citrix-netscaler-pre-auth-memory-overread-cve-2026-8451\/\" target=\"_blank\" rel=\"noopener\">a detailed write-up<\/a> showing how unauthenticated malformed requests can result in protected process memory data being leaked back in responses.<\/p>\n<p>The original <a href=\"https:\/\/www.csoonline.com\/article\/657085\/citrix-urges-immediate-patching-of-critically-vulnerable-product-lines.html\">CitrixBleed (CVE-2023-4966)<\/a>, <a href=\"https:\/\/www.csoonline.com\/article\/4019802\/exploit-details-released-for-citrix-bleed-2-flaw-affecting-netscaler.html\">CitrixBleed 2 (CVE-2025-5777)<\/a>, and <a 
href=\"https:\/\/www.csoonline.com\/article\/4150224\/new-critical-citrix-netscaler-hole-of-similar-severity-to-citrixbleed2-says-expert.html\">CitrixBleed 3 (CVE-2026-3055)<\/a> vulnerabilities were all rated critical because they could be used to leak session tokens and other credentials stored in memory. The new CVE-2026-8451 can only be used to leak much smaller amounts of data, which do not appear to include session IDs. For this reason, <a href=\"https:\/\/community.citrix.com\/techzone-blogs\/110_security-updates\/security-update-for-citrix-netscaler-and-netscaler-gateway-customers-r1570\/\" target=\"_blank\" rel=\"noopener\">Citrix gave it a CVSS score of 8.8<\/a> (high severity).<\/p>\n<p>For exploitation to be possible, the NetScaler appliance needs to be configured as a SAML Identity Provider, but this was also the case for CitrixBleed 3, which was patched in March and was subsequently exploited in the wild.<\/p>\n<p>So, this requirement doesn\u2019t mean attacks are unlikely or that this configuration is uncommon. In fact, less than 24 hours after the Citrix patch, security firm Lupovis <a href=\"https:\/\/www.lupovis.io\/lupovis-insights\/\" target=\"_blank\" rel=\"noopener\">reported seeing exploitation attempts hitting its honeypot sensors<\/a>.<\/p>\n<p>\u201cThree separate sensors were targeted within a five-hour window,\u201d the company said. \u201cThe actor received a 200 response on the third sensor and immediately delivered the exploit payload.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Smaller leak but still dangerous<\/h2>\n<p>Even though watchTowr was only able to leak bytes of data using this flaw, compared to kilobytes with previous CitrixBleed issues, the exposed information could still be useful to attackers.<\/p>\n<p>While the proof-of-concept did not reveal credentials or tokens, it\u2019s possible that repeated requests would eventually be able to leak something sensitive. 
At the very least, the leaks can expose process memory pointers that could allow attackers to more easily deliver payloads using memory write vulnerabilities such as buffer overflows.<\/p>\n<p>By overwriting data in a memory location that normally contains code the process executes, attackers could bypass anti-exploitation defenses like ASLR to take full control of the device.<\/p>\n<p>As part of this same patch cycle Citrix also addressed two high-severity memory overflow vulnerabilities, tracked as CVE-2026-8452 and CVE-2026-8655. Chaining exploits for different vulnerabilities is a common approach in modern attacks.<\/p>\n<p>The company also patched an unauthenticated arbitrary file read (CVE-2026-10816), another out-of-bounds memory overread (CVE-2026-10817) and a denial-of-service issue exploitable through HTTP\/2 requests (CVE-2026-13474). The latter is actually a NetScaler-specific instance of the <a href=\"https:\/\/www.csoonline.com\/article\/4181313\/http-2s-speed-abused-to-slow-webserver-performance-in-dos-attack.html\">HTTP\/2 Bomb vulnerability (CVE-2026-49975) patched recently in Apache Web Server<\/a>.<\/p>\n<h2 class=\"wp-block-heading\">Mitigation<\/h2>\n<p>Citrix advises customers to upgrade their NetScaler ADC\u202fand NetScaler Gateway appliances to versions 14.1-72.61, 14.1-72.61 FIPS, 13.1-63.18, 13.1-FIPS and 13.1-NDcPP 13.1.37.272. The HTTP\/2 Bomb vulnerability also requires configuration changes in addition to the patches.<\/p>\n<p>These changes are described in <a href=\"https:\/\/support.citrix.com\/support-home\/kbsearch\/article?articleNumber=CTX696604\" target=\"_blank\" rel=\"noopener\">the Citrix advisory<\/a> along with methods to determine if appliances meet the configuration pre-conditions for exploitation for the other flaws. 
WatchTowr also published <a href=\"https:\/\/github.com\/watchtowrlabs\/watchTowr-vs-Netscaler-CVE-2026-8451\" target=\"_blank\" rel=\"noopener\">a Python detection script for the CVE-2026-8451 vulnerability<\/a> that allows organizations to quickly test if their appliances are susceptible to the exploit.<\/p>\n\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Citrix NetScaler appliances have been a constant target for attackers in recent years, most recently through an information leak vulnerability dubbed CitrixBleed 3, the latest in a series of NetScaler memory overreads going back to 2023. This week, Citrix patched yet another CitrixBleed-like vulnerability and there are signs of in-the-wild exploitation already. The new memory [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":8634,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-8633","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8633"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8633"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8633\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/8634"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=8633"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"ht
tps:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8633"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8633"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}