CitrixBleed Came Back a Third Time. 476 Spaces and a Half-Written XML Tag Is All It Takes to Read NetScaler's Memory.
- Patrick Duggan
- 1 hour ago
- 4 min read
Here is the entire exploit. You send NetScaler a login request to the SAML endpoint. Inside it, one XML tag — the opening of a SAML authentication request — with no closing bracket, no attributes, nothing after it but 476 blank spaces. That's it. The appliance's parser starts reading the tag, never finds a terminator, and keeps reading straight past the end of its buffer into whatever memory sits next door. Then it hands you those adjacent bytes back, tucked inside a cookie called NSC_TASS. Session tokens, pointers, whatever was in the neighborhood. This is CVE-2026-8451, and it is the third time in three years Citrix has bled memory to an unauthenticated stranger.
We have not written about this one until now, so let me be honest about what that means: we were not first here, and I'm not going to pretend otherwise. watchTowr Labs named the mechanism and shipped a detection artifact generator; Lupovis caught the live payload. What we can do is tell you why this keeps happening to the same box, put a number on it, and hand you the attacker's address.
The mechanism is almost insultingly small. NetScaler's custom XML parser has a rule for unquoted attribute values: stop reading when you hit a null byte, a closing angle bracket, or a quote character. Whitespace is not on that list. Newlines are not on that list. Nor, evidently, is the end of the buffer the request lives in. So an attacker sends an opening tag with an unquoted value and no terminator, and the parser reads and reads and reads. The bug isn't exotic. It's a missing case in a list of stop-characters, with no length check behind it to catch the miss, the kind of thing that would fail a first-year compilers assignment, sitting in the pre-authentication front door of one of the most-attacked appliances on the internet.
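To make the stop-character rule concrete, here is an added example that is not NetScaler's code and not from the sources above: a model of the scanner as the paragraph describes it, beside a hardened version, with memory laid out so the overread is observable. Everything in it is constructed for illustration: the flat arena standing in for appliance memory, the request prefix (samlp:AuthnRequest is the standard SAML element name, the attribute is invented), the neighbouring "secret", and the cookie copy that plays the role of the NSC_TASS reflection.

```c
/* Added example (not NetScaler's code): a model of the stop-character rule the
 * post describes, with memory laid out so the overread is observable.
 * Constructed: the arena, the request prefix, the neighbouring secret. */
#include <stdio.h>
#include <stddef.h>
#include <string.h>

#define REQ_LEN   64     /* bytes the request body is allowed to occupy */
#define ARENA_LEN 128    /* request region followed by "whatever sits next door" */
#define VALUE_OFF 23     /* offset of the unquoted attribute value in the prefix */

/* One flat arena standing in for appliance memory: indexing inside a single
 * array keeps the demonstration well-defined C while still walking off the
 * end of the logical request buffer. */
static char arena[ARENA_LEN];

/* The rule as the post describes it: an unquoted value ends at NUL, '>' or a
 * quote. No length bound, and whitespace is not a terminator, so a value
 * followed by a wall of spaces is read straight past the request. */
static size_t scan_value_vuln(const char *p) {
    size_t n = 0;
    while (p[n] != '\0' && p[n] != '>' && p[n] != '"' && p[n] != '\'')
        n++;
    return n;
}

/* Hardened: honour the caller's bound and stop at whitespace, which is what
 * every conforming XML tokeniser does for an unquoted token. */
static size_t scan_value_fixed(const char *p, size_t len) {
    size_t n = 0;
    while (n < len && p[n] != '\0' && p[n] != '>' && p[n] != '"' && p[n] != '\''
           && p[n] != ' ' && p[n] != '\t' && p[n] != '\r' && p[n] != '\n')
        n++;
    return n;
}

/* Request: "<samlp:AuthnRequest ID=x" then spaces to the end of REQ_LEN, with
 * no NUL and no '>'. Next door: a constructed session token under the
 * NSC_AAAC cookie name (the AAA session cookie on NetScaler). */
static const char *build_request(void) {
    static const char prefix[] = "<samlp:AuthnRequest ID=x";   /* 24 bytes */
    static const char secret[] = "NSC_AAAC=deadbeef-session-token";
    memset(arena, ' ', REQ_LEN);
    memcpy(arena, prefix, sizeof prefix - 1);
    memset(arena + REQ_LEN, 0, ARENA_LEN - REQ_LEN);
    memcpy(arena + REQ_LEN, secret, sizeof secret);
    return arena;
}

/* Bytes the buggy scanner consumes: 1 ('x') + 40 spaces + 31 bytes of secret. */
size_t demo_vuln_len(void) {
    return scan_value_vuln(build_request() + VALUE_OFF);
}

/* Bytes the fixed scanner consumes: just 'x', then it stops at the space. */
size_t demo_fixed_len(void) {
    return scan_value_fixed(build_request() + VALUE_OFF, REQ_LEN - VALUE_OFF);
}

/* The reflection step: the appliance copies the "value" it scanned into a
 * cookie it sends back. With the buggy scanner that copy carries the
 * neighbour's bytes. Returns 1 if the secret ends up in the cookie. */
int demo_cookie_carries_secret(void) {
    char cookie[ARENA_LEN] = {0};
    const char *v = build_request() + VALUE_OFF;
    size_t n = scan_value_vuln(v);
    memcpy(cookie, v, n);
    return strstr(cookie, "NSC_AAAC=") != NULL;
}

int main(void) {
    printf("buggy scanner consumed %zu bytes, fixed scanner %zu\n",
           demo_vuln_len(), demo_fixed_len());
    printf("secret reflected in cookie: %s\n",
           demo_cookie_carries_secret() ? "yes" : "no");
    return 0;
}
```

The point of the two scanners side by side is that the fix is two conditions: a bound the caller already knows, and whitespace as a terminator. The buggy version consumes 72 bytes from a 41-byte value region; the fixed one consumes one.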
The affected versions are NetScaler ADC and Gateway 14.1 before 14.1-72.61 and 13.1 before 13.1-63.18, and only when the box is configured as a SAML identity provider. Citrix published advisory CTX696604. The CVSS is 8.8. CISA has not formally KEV'd this exact CVE as of this writing, but the in-the-wild payloads are already flying, so treat the catalog as a lagging indicator, not a permission slip.
Now the part only our data tells you. We keep a running measure of whether exploitation risk sticks to proven-soft products or scatters to new ones. Citrix NetScaler is the poster child for stickiness. Pull the Known Exploited Vulnerabilities record for Citrix and you get twenty-two entries — and NetScaler ADC and Gateway is on it again and again and again: CVE-2019-19781, CVE-2023-3519, the original CitrixBleed CVE-2023-4966 in 2023, CVE-2025-5777 and CVE-2025-6543 in the summer of 2025, CVE-2026-3055 this past March. Same appliance, same pre-auth attack surface, same memory-disclosure and RCE pattern, year after year. When we tell customers to prioritize patching by KEV concentration, this is the concentration we mean. A NetScaler on the edge configured for SAML is not a device that might someday be a target. It is a device that has been the target continuously since 2019, and CVE-2026-8451 is simply the current entry in a standing appointment.
The exploitation window we can see: a threat actor operating from 146.70.139.154 hit three separate sensor deployments in a five-hour stretch spanning June 30 into July 1, ending with a confirmed CVE-2026-8451 payload. That address lives in a European hosting range of exactly the kind that gets rented by the hour for this work. It was not in our corpus before today. It is now, and it belongs in yours: if you run NetScaler as a SAML IdP, block 146.70.139.154 at the edge and go read your access logs for POST requests to the SAML login path carrying a bare, space-padded authentication-request tag. That signature — an opening tag followed by a wall of whitespace and nothing else — is the overread trying to happen.
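The body signature above, as an added example that is not part of the post and not a detection from any of the named vendors: a matcher for "an opening tag followed by a wall of whitespace and nothing else", run over constructed requests. It assumes the SAML login path contains "saml" (the exact path is not given above), picks a whitespace threshold of its own, and assumes you can see request bodies at all, which usually means a WAF, proxy or capture in front of the appliance rather than the appliance's own access log.

```c
/* Added example (not from the post, not NetScaler's code): a matcher for the
 * request shape the post describes, run over constructed requests.
 * Assumptions: the SAML login path contains "saml"; MIN_PAD is a chosen
 * threshold; request bodies are available to the matcher. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MIN_PAD 32   /* assumption: how much trailing whitespace before we care */

static int is_name_char(unsigned char c) {
    return isalnum(c) || c == ':' || c == '_' || c == '-' || c == '.';
}

/* Case-insensitive substring test, so "/SAML/login" matches too. */
static int contains_ci(const char *hay, const char *needle) {
    size_t n = strlen(needle), h = strlen(hay);
    for (size_t i = 0; i + n <= h; i++) {
        size_t j = 0;
        while (j < n && tolower((unsigned char)hay[i + j]) ==
                        tolower((unsigned char)needle[j]))
            j++;
        if (j == n) return 1;
    }
    return 0;
}

/* Returns the count of trailing whitespace if the body is exactly one opening
 * tag name followed by nothing but whitespace (no attributes, no '>'),
 * otherwise 0. Bodies are length-delimited, not NUL-terminated. */
size_t unterminated_tag_padding(const char *body, size_t len) {
    size_t i = 0, pad = 0;
    while (i < len && isspace((unsigned char)body[i])) i++;
    if (i >= len || body[i] != '<') return 0;
    size_t name = ++i;
    while (i < len && is_name_char((unsigned char)body[i])) i++;
    if (i == name) return 0;                  /* '<' with no tag name */
    for (; i < len; i++, pad++)
        if (!isspace((unsigned char)body[i])) return 0;   /* attribute or '>' */
    return pad;
}

/* 1 if this request has the exploit shape: POST to the SAML path with a bare,
 * whitespace-padded opening tag as the entire body. */
int flag_request(const char *method, const char *path,
                 const char *body, size_t len) {
    if (strcmp(method, "POST") != 0) return 0;
    if (!contains_ci(path, "saml")) return 0;       /* assumption, see lead-in */
    return unterminated_tag_padding(body, len) >= MIN_PAD;
}

/* Constructed sample 1: the shape the post describes, 476 spaces after the tag. */
static char g_exploit[600];
static size_t build_exploit_body(void) {
    const char tag[] = "<samlp:AuthnRequest";
    memcpy(g_exploit, tag, sizeof tag - 1);
    memset(g_exploit + sizeof tag - 1, ' ', 476);
    return sizeof tag - 1 + 476;
}

/* Constructed sample 2: a well-formed request, which must not trip the check. */
static const char g_legit[] =
    "<samlp:AuthnRequest ID=\"_a1\" Version=\"2.0\"></samlp:AuthnRequest>";

int demo_flags_exploit_shape(void) {
    return flag_request("POST", "/saml/login", g_exploit, build_exploit_body());
}
int demo_ignores_legit_body(void) {
    return flag_request("POST", "/saml/login", g_legit, sizeof g_legit - 1);
}
int demo_ignores_other_path(void) {
    return flag_request("POST", "/some/other/path", g_exploit, build_exploit_body());
}
int demo_ignores_get(void) {
    return flag_request("GET", "/saml/login", g_exploit, build_exploit_body());
}

int main(void) {
    printf("exploit shape flagged: %d\n", demo_flags_exploit_shape());
    printf("legit body flagged:    %d\n", demo_ignores_legit_body());
    printf("other path flagged:    %d\n", demo_ignores_other_path());
    printf("GET flagged:           %d\n", demo_ignores_get());
    return 0;
}
```

The matcher deliberately requires that nothing but whitespace follow the tag name: a request with attributes or a closing bracket is ordinary SAML traffic and is not flagged, which keeps the signal clean enough to alert on rather than merely count.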
What actually protects you is boring and immediate: patch to 14.1-72.61 or 13.1-63.18, and if you can't patch in the next few hours, take the SAML IdP configuration offline until you can. Then assume the patch arrived late: anything a disclosed session token could unlock may already be in someone's hands, so terminate active sessions rather than letting them age out, as Citrix told administrators to do after the original CitrixBleed, because a stolen session outlives the patch. This is a pre-authentication bug. There is no credential to steal first, no phishing email to click. The attacker just asks, and a version behind, the appliance answers with its own memory.
The thing I keep coming back to is the shape of it. Twenty years of security spending, threat feeds, machine-learning detection, and the live exploit against a billion-dollar enterprise gateway is 476 spaces after a half-finished tag. The sophistication was never on the attacker's side. It was in the appliance's willingness to keep reading. CitrixBleed to infinity, because the same door keeps getting built the same way, and the people who exploit it know exactly where it lives.
Sources: watchTowr Labs, CyberScoop, SecurityWeek, Citrix advisory CTX696604 (July 1–2, 2026). Our vendor-risk and exploitation-stickiness data is live via the jeevesus MCP tools and at analytics.dugganusa.com — pull the Citrix KEV record yourself. It's the same twenty-two I counted.