CVE-2026-8451: Citrix NetScaler SAML Memory Overread

noktec1 pts0 comments

CVE-2026-8451: Citrix NetScaler SAML Memory Overread | Lupovis<br>Back<br>CVE-2026-8451: Citrix NetScaler SAML Memory Overread

1 July 2026 | by Xavier Bellekens

SHARE POSITION

Or copy link<br>Copied!

Active Campaign Detected Across the Sensor Fleet<br>Published: 01 July 2026<br>Severity: High (CVSS 8.8)<br>CVE: CVE-2026-8451<br>StatusActive exploitation observed — not yet listed in CISA KEV Lupovis DetectionPre-KEV detection — within 24 hours of public disclosure Summary<br>Within 24 hours of Citrix publishing advisory CTX696604 and watchTowr Labs releasing a Detection Artifact Generator for CVE-2026-8451, Lupovis decoy infrastructure detected a coordinated scanning campaign targeting Citrix NetScaler appliances configured as SAML Identity Providers across the sensor fleet.<br>A single threat actor (146.70.139.154) swept across three separate Lupovis sensor deployments in a five-hour window, delivering a confirmed CVE-2026-8451 exploitation payload. This activity is not yet reflected in the CISA KEV catalogue.<br>Vulnerability Background<br>CVE-2026-8451 is the latest in the CitrixBleed class of memory disclosure vulnerabilities – a recurring pattern of memory management failures in Citrix NetScaler appliances first identified in CVE-2023-4966 and subsequently rediscovered across multiple successive CVEs (CVE-2025-5777, CVE-2025-12101, CVE-2026-3055).<br>The vulnerability exists in NetScaler’s custom XML parser used to handle SAML AuthnRequest documents. The parser fails to correctly terminate unquoted XML attribute values when followed by a newline character, causing it to read past the buffer boundary. Arbitrary memory content is then returned to the attacker in the NSC_TASS cookie in the HTTP response.<br>Key facts:<br>Unauthenticated – no credentials required<br>Requires NetScaler to be configured as a SAML IdP (non-default)<br>Affected: NetScaler ADC and Gateway 14.1 before 14.1-72.61; 13.1 before 13.1-63.18<br>Disclosed: 30 June 2026 (CTX696604)<br>PoC: watchTowr Detection Artifact Generator published same day as disclosure<br>What Lupovis Observed<br>The Actor<br>IP: 146.70.139.154<br>AS9009 (M247 Europe SRL)<br>Tooling: python-requests/2.32.5<br>Method: Automated sweep, consistent request structure across all targets<br>Threat Actor Infrastructure<br>The scanning activity originated from 146.70.139.154, hosted on M247 Europe SRL (AS9009) infrastructure in Frankfurt, Germany. M247 is a hosting and VPN provider commonly observed in opportunistic scanning campaigns.<br>The host exposes SSH (OpenSSH 7.4) on port 22 — a version released in December 2016 with multiple known vulnerability references, suggesting a disposable or purpose-built scanning node rather than maintained infrastructure.<br>IndicatorValueIP146.70.139.154ASNAS9009 (M247 Europe SRL)OrganisationM247 LTD Frankfurt InfrastructureSSH VersionOpenSSH 7.4SSH HASSH6832f1ce43d4397c2c0a3e2f8c94334eSSH Fingerprintdf:f7:bc:35:50:8b:14:77:96:cf:4c:40:7e:53:67:64The Campaign Timeline<br>Time (UTC)Sensor DeploymentResponseDetail11:46:43Sensor A404Initial probe, no payload sent14:12:04Sensor A404Retry against same target15:53:51Sensor B404Probe against second sensor16:31:56Sensor C200 Full CVE-2026-8451 payload delivered Three separate sensors were targeted within a five-hour window. The actor received a 200 response on the third sensor and immediately delivered the exploit payload.<br>The Payload<br>On receiving a 200 response, the actor submitted the following to POST /saml/login:<br>SAMLRequest=PHNhbWxwOkF1dGhuUmVxdWVzdCAgICAgICAgICAgICAgICAgICAgICAg...

URL-decoded and base64-decoded, this resolves to:<br>A bare tag padded with 476 spaces followed by a newline – no attributes, no closing tag. This is the watchTowr overread variant designed to flood NetScaler’s XML parser with whitespace, forcing it to read past the buffer boundary into adjacent memory. The structure matches the CVE-2026-8451 Detection Artifact Generator published by watchTowr on 30 June 2026.<br>This is not generic SAML probing. This is the specific CVE-2026-8451 exploit payload.<br>Why This Matters<br>Pre-KEV Detection<br>CVE-2026-8451 is not yet listed in the CISA Known Exploited Vulnerabilities catalog. Lupovis detected active in-the-wild exploitation within 24 hours of public disclosure – before the vulnerability has been formally recognised as exploited by any government advisory body. Defenders relying solely on KEV for patching prioritisation were exposed during this window.<br>Fleet-Wide Sensor Visibility<br>The same actor hit three separate Lupovis sensors in a single sweep. This is only visible because Lupovis operates fleet-wide decoy infrastructure with centralised telemetry. Point-in-time threat intelligence products or isolated honeypots would see one data point; Lupovis sees the campaign.<br>Decoy Fidelity as a Detection Lever<br>The campaign data reveals a direct relationship between decoy response fidelity and payload capture. The actor’s tooling validated targets before delivering the exploit payload:<br>• Sensors whose decoys returned 404 received the probe but not the payload<br>•...

netscaler lupovis payload saml memory actor

Related Articles