Citrix released patches for six vulnerabilities in NetScaler ADC, NetScaler Gateway, and related FIPS/NDcPP variants, including CVE-2026-8451, a high-severity CitrixBleed-style information disclosure flaw, and an HTTP/2 Bomb denial-of-service issue. Citrix said the bugs affect deployments under specific configuration conditions, but urged customers to assess exposure and update affected self-managed NetScaler and Citrix Secure Private Access Hybrid instances. The most urgent issue, CVE-2026-8451, is an out-of-bounds read in NetScaler’s XML parser that can leak restricted memory in the NSC_TASS cookie when appliances are configured as SAML Identity Providers.
Security researchers reported that CVE-2026-8451 was exploited in the wild less than 24 hours after disclosure. Lupovis observed threat actors probing exposed NetScaler systems and sending exploit payloads immediately after receiving valid 200 OK responses, including a malformed <samlp:AuthnRequest> padded with hundreds of spaces that matched watchTowr’s published detection artefact pattern; one campaign was linked to 146.70.139[.]154. Defenders were advised to patch immediately, disable SAML IDP if patching was not possible, and review /saml/login traffic and anomalous NSC_TASS cookie values for signs of compromise.
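The padded-AuthnRequest review described above can be run over request records, shown here as an added example that is not code from Citrix, watchTowr, Lupovis or this page. It assumes a hypothetical tab-separated export (source, method, URL, form body) from a proxy or WAF that records request bodies, and a 100-space threshold chosen for "hundreds of spaces"; it does not reproduce watchTowr's artefact pattern and does not inspect NSC_TASS cookies.

```python
import base64
import binascii
import re
import zlib
from urllib.parse import parse_qs, urlencode, urlsplit

MIN_PAD = 100  # assumption: flag runs of 100 or more consecutive spaces
SPACE_RUN = re.compile(rb" {%d,}" % MIN_PAD)

def decode_saml(value):
    """Decode a SAMLRequest: base64 (POST binding) or base64 + raw DEFLATE (Redirect)."""
    try:
        raw = base64.b64decode(value)
    except (binascii.Error, ValueError):
        return b""
    if raw.lstrip().startswith(b"<"):
        return raw  # already XML, POST binding
    try:
        return zlib.decompress(raw, -15)  # Redirect binding uses raw DEFLATE
    except zlib.error:
        return b""

def scan(lines):
    """Return (source, longest_run) for /saml/login requests carrying a padded AuthnRequest."""
    hits = []
    for line in lines:
        src, method, url, body = line.rstrip("\n").split("\t", 3)
        parts = urlsplit(url)
        if parts.path != "/saml/login":
            continue
        params = parse_qs(parts.query)
        params.update(parse_qs(body))
        for value in params.get("SAMLRequest", []):
            xml = decode_saml(value)
            runs = SPACE_RUN.findall(xml)
            if b"AuthnRequest" in xml and runs:
                hits.append((src, max(len(r) for r in runs)))
    return hits

# Constructed sample records (not captured traffic); addresses are documentation ranges.
def make_request(pad):
    xml = b'<samlp:AuthnRequest ID="_constructed"' + b" " * pad + b"/>"
    return urlencode({"SAMLRequest": base64.b64encode(xml).decode(), "RelayState": "x"})

DEFLATED = zlib.compress(b'<samlp:AuthnRequest ID="_c"' + b" " * 250 + b"/>")[2:-4]
SAMPLE = [
    "203.0.113.10\tPOST\t/saml/login\t" + make_request(1),
    "203.0.113.20\tPOST\t/saml/login\t" + make_request(400),
    "203.0.113.30\tGET\t/saml/login?"
    + urlencode({"SAMLRequest": base64.b64encode(DEFLATED).decode()}) + "\t",
    "203.0.113.40\tPOST\t/vpn/index.html\t" + make_request(400),
]
```

A hit is a lead for review, not proof of compromise: it shows only that a request to /saml/login carried an AuthnRequest with an unusually long run of spaces.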

5 events from the most recent confirmed update back to the earliest known activity.
On 2026-07-03, HKCERT published a security bulletin covering multiple vulnerabilities in Citrix products. The advisory represents an additional official CERT warning following Citrix's June 30 disclosure.
Less than 24 hours after public disclosure, Lupovis observed at least two threat actors probing exposed NetScaler appliances and sending exploit payloads after receiving valid HTTP 200 responses. The activity targeted deployments configured as SAML identity providers and used payloads matching the watchTowr artefact pattern.
On July 2, 2026, the Canadian Centre for Cyber Security published Alert AL26-016 regarding CVE-2026-8451 affecting customer-managed Citrix NetScaler appliances. The alert urged organizations to patch immediately, noted Citrix-managed cloud services had already been updated, and advised following Citrix compromise guidance if exploitation is suspected.
On June 30, 2026, watchTowr published technical details for CVE-2026-8451 along with a detection artefact generator. The published pattern was later seen reflected in observed exploit payloads targeting exposed NetScaler instances.
On June 30, 2026, Citrix disclosed six vulnerabilities affecting NetScaler ADC, NetScaler Gateway, and related variants, including CVE-2026-8451, and released security updates for affected versions. The issues included the new HTTP/2 Bomb denial-of-service flaw and a CitrixBleed-style information disclosure bug with configuration-specific preconditions.