CitrixBleed Vulnerability Exploitation Within 24 Hours of Disclosure
ID: 6b2c1966-af7c-5b44-953e-4ad7cbb198e9
STIX ID: report--6b2c1966-af7c-5b44-953e-4ad7cbb198e9
Feed Name: GBHackers
**Executive summary:** Citrix NetScaler appliances configured as SAML Identity Providers are being actively exploited in the wild via CVE-2026-8451 (CVSS 8.8), a memory-disclosure flaw in the XML/SAML parser that allows unauthenticated attackers to retrieve sensitive memory (observable via anomalous NSC_TASS cookies); Lupovis telemetry links a targeted campaign (IP 146.70.139.154, python-requests/2.32.5) delivering base64‑encoded, whitespace‑padded SAMLRequest payloads against POST /saml/login—organizations should urgently patch affected versions or disable SAML IdP and search logs dating back to June 30, 2026 for related activity.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
