A New Citrix NetScaler Flaw Is Already Being Exploited, And It Looks Familiar

A security hole in widely used Citrix network equipment is leaking corporate secrets from memory. Attackers moved within 24 hours of the patch dropping.

ThreatVectr Newsdesk· 3 min read
Photoreal news-editorial photograph, 16:9 framing, full-frame edge-to-edge composition
Share

Key points

  • Citrix disclosed CVE-2026-8451, a high-severity flaw in NetScaler ADC and NetScaler Gateway devices, on 30 June 2026.
  • The flaw received a CVSS score of 8.8 out of 10, placing it in the high-severity band.
  • Security firm WatchTowr discovered the bug in March 2026 and published a working proof-of-concept exploit the same day Citrix released its patch.
  • Cybersecurity vendor Lupovis confirmed active exploitation attempts began less than 24 hours after that disclosure.
  • Affected organisations should upgrade to NetScaler ADC and Gateway version 14.1-72.61 or 13.1-63.18 immediately.

Citrix, the company whose networking products sit at the front door of thousands of corporate offices, hospitals, and government agencies, patched a serious new flaw on 30 June 2026. The vulnerability, tracked as CVE-2026-8451, affects two products: NetScaler ADC (Application Delivery Controller, a device that manages and secures network traffic flowing into an organisation) and NetScaler Gateway (a remote-access product that lets employees log in from outside the office).

The specific problem is a "memory overread." Think of computer memory as a long row of filing cabinets. The flaw lets an outsider send a specially crafted request that tricks the device into opening cabinets it was never supposed to touch, spilling whatever sensitive data happens to be stored nearby. That could include login credentials, session tokens, and other information that lets attackers move deeper inside a network.

Why should ordinary people care about this?

If your employer, hospital, or bank uses Citrix NetScaler equipment to handle logins, this flaw could expose credentials that let criminals walk straight into internal systems. Readers who work for large organisations and log in through a company portal should watch for any unexpected password-reset requests or unusual account activity starting from 30 June.

Experts immediately compared CVE-2026-8451 to "CitrixBleed" (CVE-2023-4966), a similar memory-leaking flaw from late 2023 that attackers used to break into dozens of major organisations worldwide. The family resemblance is not accidental. Both flaws live in the same type of equipment, both bleed data from memory, and both attracted attackers almost immediately after disclosure.

The speed of exploitation this time was striking. Researchers at WatchTowr Labs published full technical details, including a ready-to-run proof-of-concept exploit, on the same day Citrix released the patch. Within 24 hours, Lupovis, a UK cybersecurity firm that runs decoy systems to catch attackers in the act, spotted a single IP address sending a targeted exploitation payload against NetScaler devices. That address, 146.70.139[.]154, is hosted on M247, a hosting provider Lupovis says appears frequently in broad scanning operations.

Xavier Bellekens, co-founder and CEO of Lupovis, wrote in a blog post that this was not random probing. The payload matched WatchTowr's specific technique, flooding NetScaler's XML parser (the component that reads structured login data) with whitespace characters to force it to read past its intended memory boundary.

Cloud security firm Aviatrix warned, as first reported by Dark Reading, that a successful attack could give criminals an initial foothold, then let them escalate privileges and move sideways through the victim's network to steal more data.

Citrix did not respond to requests for comment before publication.

Organisations running affected devices should upgrade to version 14.1-72.61 or 13.1-63.18 without delay. If patching is not immediately possible, disabling the SAML IDP configuration (the single-sign-on component the flaw targets) reduces exposure. Lupovis also recommends reviewing login records from 30 June onward for anything unusual.

© 2026 Threat Vectr