Security advisories

Recently Disclosed NetScaler Vulnerability Exploited (CVE-2026-8451)

July 3, 2026

4 MINS READ

THE THREAT

On July 1st, 2026, security researchers reported active exploitation of the Citrix NetScaler vulnerability CVE-2026-8451, having observed a threat actor successfully deliver the exploit payload against decoy infrastructure within 24 hours of public disclosure. eSentire's Threat Response Unit (TRU) independently identified exploitation attempts targeting the same vulnerability. The vulnerability was disclosed by Citrix on June 30th, alongside patches, with technical analysis published the same day by watchTowr Labs. CVE-2026-8451 (CVSS: 8.8) is a memory overread vulnerability in NetScaler's SAML XML parser that allows an unauthenticated attacker to disclose arbitrary process memory, including tokens and credentials, on appliances configured as a SAML Identity Provider (IdP).

In practical terms, an attacker can send specially crafted login requests to the device without needing a username or password and trick it into leaking small fragments of its internal memory back in the response. That leaked memory can contain session data or other sensitive information that helps an attacker map out the system, and in some cases, can crash the appliance outright.

As active exploitation attempts have been identified less than 24 hours after public disclosure it is critical that organizations apply the relevant security patches immediately.

What we’re doing about it

What you should do about it

Additional information

The vulnerability exists in the processing of SAML authentication requests. By sending specially crafted malformed XML data to a vulnerable NetScaler appliance configured as a SAML IdP, an attacker can trigger an out-of-bounds memory read. The appliance may then return portions of memory through the NSC_TASS cookie contained within the HTTP response.

WatchTowr researchers noted that the flaw shares the same root cause category as the earlier NetScaler vulnerability CVE-2026-3055, which was also associated with memory disclosure. Although the newer vulnerability generally leaks smaller amounts of data, researchers emphasized that recurring memory management weaknesses within NetScaler appliances remain a broader security concern.

Successful exploitation requires that the targeted appliance be configured as a SAML Identity Provider; however, no authentication is required to trigger the vulnerable functionality. This significantly lowers the barrier to exploitation for internet-facing systems.

Security firm Lupovis reported observing exploitation attempts almost immediately after public disclosure of the vulnerability. Within hours of technical details becoming available, at least one threat actor began probing exposed NetScaler appliances for vulnerable endpoints. Researchers noted that the payload structure closely matched the detection artifact generator released by watchTowr, indicating that attackers were directly leveraging publicly available research to identify vulnerable targets.

In cases observed by eSentire, exploitation was unsuccessful, and as such, no post-compromise activity was observed. 

Given the immediate weaponization of public PoC code and the trivial nature of exploitation, TRU assesses it is highly probable that opportunistic scanning and exploitation attempts will continue to increase in the near term.

Indicators of Compromise (IOCs)
Attacker IP Address
1[.]219[.]44[.]137
103[.]125[.]218[.]39
130[.]94[.]18[.]161
130[.]94[.]18[.]46
134[.]122[.]43[.]198
137[.]184[.]184[.]209
138[.]68[.]51[.]132
143[.]198[.]157[.]102
143[.]198[.]59[.]216
143[.]198[.]63[.]154
143[.]198[.]66[.]189
144[.]126[.]210[.]108
162[.]243[.]242[.]176
164[.]92[.]83[.]110
165[.]227[.]241[.]83
165[.]232[.]135[.]168
168[.]144[.]176[.]24
172[.]105[.]168[.]152
172[.]234[.]17[.]170
172[.]234[.]206[.]73
172[.]239[.]117[.]185
188[.]214[.]125[.]167
194[.]165[.]16[.]11
206[.]189[.]199[.]39
38[.]54[.]107[.]204
38[.]60[.]206[.]58
5[.]189[.]191[.]124
5[.]9[.]226[.]9
50[.]116[.]58[.]253
64[.]226[.]81[.]73
64[.]23[.]138[.]204
66[.]235[.]114[.]68
66[.]235[.]114[.]86
66[.]42[.]83[.]182

References:

[1] https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX696604 
[2] https://www.lupovis.io/lupovis-insights/ 
[3] https://labs.watchtowr.com/citrixbleed-to-infinity-and-beyond-citrix-netscaler-pre-auth-memory-overread-cve-2026-8451/ 
[4] https://github.com/watchtowrlabs/watchTowr-vs-Netscaler-CVE-2026-8451 
[5] https://www.cyber.gc.ca/en/alerts-advisories/al26-016-vulnerability-impacting-citrix-netscaler-cve-2026-8451

Back to Security Advisories

Speak With A Security Expert Now

TALK TO AN EXPERT
View Most Recent Advisories