logo

CitrixBleed Vulnerability Exploitation Within 24 Hours of Disclosure

ID: 6b2c1966-af7c-5b44-953e-4ad7cbb198e9

STIX ID: report--6b2c1966-af7c-5b44-953e-4ad7cbb198e9

Feed Name: GBHackers

Threat Score
78/100

Date Published: 2026-07-03

Date Updated: 2026-07-03

Author: Divya

...
...

**Executive summary:** Citrix NetScaler appliances configured as SAML Identity Providers are being actively exploited in the wild via CVE-2026-8451 (CVSS 8.8), a memory-disclosure flaw in the XML/SAML parser that allows unauthenticated attackers to retrieve sensitive memory (observable via anomalous NSC_TASS cookies); Lupovis telemetry links a targeted campaign (IP 146.70.139.154, python-requests/2.32.5) delivering base64‑encoded, whitespace‑padded SAMLRequest payloads against POST /saml/login—organizations should urgently patch affected versions or disable SAML IdP and search logs dating back to June 30, 2026 for related activity.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.