CVE-2026-8451: Citrix NetScaler SAML Memory Overread

1 July 2026 | by Xavier Bellekens

Active Campaign Detected Across the Sensor Fleet

Published: 01 July 2026

Severity: High (CVSS 8.8)

CVE: CVE-2026-8451

Status: Active exploitation observed — not yet listed in CISA KEV
Lupovis Detection: Pre-KEV detection — within 24 hours of public disclosure

Summary

Within 24 hours of Citrix publishing advisory CTX696604 and watchTowr Labs releasing a Detection Artifact Generator for CVE-2026-8451, Lupovis decoy infrastructure detected a coordinated scanning campaign targeting Citrix NetScaler appliances configured as SAML Identity Providers across the sensor fleet.

A single threat actor (146.70.139.154) swept across three separate Lupovis sensor deployments in a five-hour window, delivering a confirmed CVE-2026-8451 exploitation payload. This activity is not yet reflected in the CISA KEV catalogue.

Vulnerability Background

CVE-2026-8451 is the latest in the CitrixBleed class of memory disclosure vulnerabilities – a recurring pattern of memory management failures in Citrix NetScaler appliances first identified in CVE-2023-4966 and subsequently rediscovered across multiple successive CVEs (CVE-2025-5777, CVE-2025-12101, CVE-2026-3055).

The vulnerability exists in NetScaler’s custom XML parser used to handle SAML AuthnRequest documents. The parser fails to correctly terminate unquoted XML attribute values when followed by a newline character, causing it to read past the buffer boundary. Arbitrary memory content is then returned to the attacker in the NSC_TASS cookie in the HTTP response.

Key facts:

  • Unauthenticated – no credentials required
  • Requires NetScaler to be configured as a SAML IdP (non-default)
  • Affected: NetScaler ADC and Gateway 14.1 before 14.1-72.61; 13.1 before 13.1-63.18
  • Disclosed: 30 June 2026 (CTX696604)
  • PoC: watchTowr Detection Artifact Generator published same day as disclosure

What Lupovis Observed

The Actor

  • IP: 146.70.139.154
  • AS9009 (M247 Europe SRL)
  • Tooling: python-requests/2.32.5
  • Method: Automated sweep, consistent request structure across all targets

Threat Actor Infrastructure

The scanning activity originated from 146.70.139.154, hosted on M247 Europe SRL (AS9009) infrastructure in Frankfurt, Germany. M247 is a hosting and VPN provider commonly observed in opportunistic scanning campaigns.

The host exposes SSH (OpenSSH 7.4) on port 22 — a version released in December 2016 with multiple known vulnerability references, suggesting a disposable or purpose-built scanning node rather than maintained infrastructure.

Indicator        Value
IP               146.70.139.154
ASN              AS9009 (M247 Europe SRL)
Organisation     M247 LTD Frankfurt Infrastructure
SSH Version      OpenSSH 7.4
SSH HASSH        6832f1ce43d4397c2c0a3e2f8c94334e
SSH Fingerprint  df:f7:bc:35:50:8b:14:77:96:cf:4c:40:7e:53:67:64

The Campaign Timeline

Time (UTC)  Sensor Deployment  Response  Detail
11:46:43    Sensor A           404       Initial probe, no payload sent
14:12:04    Sensor A           404       Retry against same target
15:53:51    Sensor B           404       Probe against second sensor
16:31:56    Sensor C           200       Full CVE-2026-8451 payload delivered

Three separate sensors were targeted within a five-hour window. The actor received a 200 response on the third sensor and immediately delivered the exploit payload.

The Payload

On receiving a 200 response, the actor submitted the following to POST /saml/login:

SAMLRequest=PHNhbWxwOkF1dGhuUmVxdWVzdCAgICAgICAgICAgICAgICAgICAgICAg...

URL-decoded and base64-decoded, this resolves to:

<samlp:AuthnRequest                                [476 spaces]

A bare <samlp:AuthnRequest> tag padded with 476 spaces followed by a newline – no attributes, no closing tag. This is the watchTowr overread variant designed to flood NetScaler’s XML parser with whitespace, forcing it to read past the buffer boundary into adjacent memory. The structure matches the CVE-2026-8451 Detection Artifact Generator published by watchTowr on 30 June 2026.

This is not generic SAML probing. This is the specific CVE-2026-8451 exploit payload.

Why This Matters

Pre-KEV Detection

CVE-2026-8451 is not yet listed in the CISA Known Exploited Vulnerabilities catalog. Lupovis detected active in-the-wild exploitation within 24 hours of public disclosure – before the vulnerability had been formally recognised as exploited by any government advisory body. Defenders relying solely on KEV for patching prioritisation were exposed during this window.

Fleet-Wide Sensor Visibility

The same actor hit three separate Lupovis sensors in a single sweep. This is only visible because Lupovis operates fleet-wide decoy infrastructure with centralised telemetry. Point-in-time threat intelligence products or isolated honeypots would see one data point; Lupovis sees the campaign.

Decoy Fidelity as a Detection Lever

The campaign data reveals a direct relationship between decoy response fidelity and payload capture. The actor’s tooling validated targets before delivering the exploit payload:

  • Sensors whose decoys returned 404 received the probe but not the payload
  • The sensor whose decoy returned 200 received the full CVE-2026-8451 SAMLRequest immediately

This confirms that attacker tooling validates targets before committing to exploitation. Low-fidelity decoys log the probe but miss the payload. High-fidelity decoys that return realistic responses capture the full exploit chain – and by extension, any post-exploitation steps the attacker takes next.

Indicators of Compromise

Indicator                          Type             Context
146.70.139.154                     IPv4             CVE-2026-8451 scanning, M247 Europe SRL exit node (AS9009), Germany
python-requests/2.32.5             User-Agent       Automated scanning tooling
POST /saml/login                   Endpoint         CVE-2026-8451 exploit endpoint
<samlp:AuthnRequest + 400+ spaces  Payload pattern  CVE-2026-8451 overread variant

Detection Guidance

Endpoint: POST /saml/login

High-confidence indicators:

  • SAMLRequest value decoding to <samlp:AuthnRequest> with no attributes, followed by large whitespace padding
  • Short SAMLRequest values (crash variant: Content-Length ~46 bytes, payload is bare <samlp:AuthnRequest ID=>)
  • Repeated POST /saml/login from same IP with consistent user-agent (automated sweep pattern)
  • NSC_TASS cookie in response containing non-printable binary content (confirms overread landed)

Recommendations

  • Patch immediately – upgrade to NetScaler ADC/Gateway 14.1-72.61 or 13.1-63.18
  • If immediate patching is not possible – disable SAML IdP configuration on the appliance
  • Search your logs for POST /saml/login traffic since 30 June 2026
  • Decode and inspect SAMLRequest values – a base64 value resolving to <samlp:AuthnRequest> followed by whitespace with no attributes is the exploit payload
  • Block or monitor 146.70.139.154 – active scanner as of 01 July 2026 (Mullvad VPN exit, will likely rotate)
  • Check NSC_TASS cookie values in NetScaler logs – binary content confirms successful exploitation
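The detection indicators above and the "decode and inspect SAMLRequest values" step can be turned into a log triage check. This is an added example written for this post, not Lupovis code or watchTowr's generator; the sample bodies are constructed, and the 64-byte whitespace threshold is an assumption (the observed payload carried 476 spaces).

```python
import base64
import binascii
import re
from typing import Optional
from urllib.parse import parse_qs, quote

# Overread variant: bare <samlp:AuthnRequest tag, no attributes, whitespace flood.
# 64 bytes is an assumed minimum padding; the observed payload used 476 spaces.
OVERREAD_RE = re.compile(rb"^<samlp:AuthnRequest\s{64,}$")
# Crash variant: bare tag with an empty ID attribute and nothing else.
CRASH_RE = re.compile(rb"^<samlp:AuthnRequest\s+ID=>?\s*$")


def decode_saml_request(body: str) -> Optional[bytes]:
    """URL-decode a POST /saml/login form body and base64-decode SAMLRequest."""
    values = parse_qs(body, keep_blank_values=True).get("SAMLRequest")
    if not values:
        return None
    try:
        return base64.b64decode(values[0], validate=True)
    except (binascii.Error, ValueError):
        return None


def classify_saml_request(body: str) -> str:
    """Return 'overread', 'crash', 'benign' or 'undecodable' for one POST body."""
    decoded = decode_saml_request(body)
    if decoded is None:
        return "undecodable"
    if OVERREAD_RE.match(decoded):
        return "overread"
    if CRASH_RE.match(decoded):
        return "crash"
    return "benign"


def form_body(xml: bytes) -> str:
    """Constructed helper: wrap XML as a URL-encoded SAMLRequest form parameter."""
    return "SAMLRequest=" + quote(base64.b64encode(xml).decode())


# Constructed sample bodies (not captured traffic).
SAMPLES = {
    "overread": form_body(b"<samlp:AuthnRequest" + b" " * 476 + b"\n"),
    "crash": form_body(b"<samlp:AuthnRequest ID=>"),
    "benign": form_body(b'<samlp:AuthnRequest ID="_a1" Version="2.0"/>'),
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:9s} -> {classify_saml_request(body)}")
```

Feed it the raw form body of each POST /saml/login request from your access or proxy logs; any "overread" or "crash" hit should be correlated with the NSC_TASS cookie check above.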

References

  • Citrix Advisory CTX696604: https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX696604
  • watchTowr Labs analysis: https://labs.watchtowr.com/citrixbleed-to-infinity-and-beyond-citrix-netscaler-pre-auth-memory-overread-cve-2026-8451/
  • watchTowr Detection Artifact Generator: https://github.com/watchtowrlabs/watchTowr-vs-Netscaler-CVE-2026-8451

Lupovis Insights detected active exploitation of CVE-2026-8451 within 24 hours of public disclosure across three sensors, before inclusion in CISA KEV. Fleet-wide campaign visibility is a core capability of the Lupovis decoy fleet.

