1 July 2026 | by Xavier Bellekens
Active Campaign Detected Across the Sensor Fleet
Published: 01 July 2026
Severity: High (CVSS 8.8)
CVE: CVE-2026-8451
Within 24 hours of Citrix publishing advisory CTX696604 and watchTowr Labs releasing a Detection Artifact Generator for CVE-2026-8451, Lupovis decoy infrastructure detected a coordinated scanning campaign targeting Citrix NetScaler appliances configured as SAML Identity Providers across the sensor fleet.
A single source IP (146.70.139.154) swept across three separate Lupovis sensor deployments in a five-hour window, delivering a confirmed CVE-2026-8451 exploitation payload to the one sensor that answered. This activity is not yet reflected in the CISA KEV catalogue.
CVE-2026-8451 is the latest in the CitrixBleed class of memory disclosure vulnerabilities – a recurring pattern of memory management failures in Citrix NetScaler appliances first identified in CVE-2023-4966 and subsequently rediscovered across multiple successive CVEs (CVE-2025-5777, CVE-2025-12101, CVE-2026-3055).
The vulnerability exists in NetScaler’s custom XML parser used to handle SAML AuthnRequest documents. The parser fails to correctly terminate unquoted XML attribute values when followed by a newline character, causing it to read past the buffer boundary. Arbitrary memory content is then returned to the attacker in the NSC_TASS cookie in the HTTP response.
Key facts:
The scanning activity originated from 146.70.139.154, hosted on M247 Europe SRL (AS9009) infrastructure in Frankfurt, Germany. M247 is a hosting and VPN provider commonly observed in opportunistic scanning campaigns.
The host exposes SSH (OpenSSH 7.4) on port 22 — a version released in December 2016 with multiple known vulnerability references, suggesting a disposable or purpose-built scanning node rather than maintained infrastructure.
Three separate sensors were targeted within a five-hour window. The actor received a 200 response on the third sensor and immediately delivered the exploit payload.
On receiving a 200 response, the actor submitted the following to POST /saml/login:
SAMLRequest=PHNhbWxwOkF1dGhuUmVxdWVzdCAgICAgICAgICAgICAgICAgICAgICAg...
URL-decoded and base64-decoded, this resolves to:
<samlp:AuthnRequest [476 spaces]
An opening <samlp:AuthnRequest tag padded with 476 spaces and followed by a newline, with no attributes, no terminating > and no closing tag. This is the watchTowr overread variant designed to flood NetScaler’s XML parser with whitespace, forcing it to read past the buffer boundary into adjacent memory. The structure matches the CVE-2026-8451 Detection Artifact Generator published by watchTowr on 30 June 2026.
This is not generic SAML probing. This is the specific CVE-2026-8451 exploit payload.
CVE-2026-8451 is not yet listed in the CISA Known Exploited Vulnerabilities catalogue. Lupovis detected active in-the-wild exploitation within 24 hours of public disclosure, before the vulnerability had been formally recognised as exploited by any government advisory body. Defenders relying solely on KEV for patching prioritisation were exposed during this window.
The same actor hit three separate Lupovis sensors in a single sweep. This is only visible because Lupovis operates fleet-wide decoy infrastructure with centralised telemetry. Point-in-time threat intelligence products or isolated honeypots would see one data point; Lupovis sees the campaign.
The campaign data reveals a direct relationship between decoy response fidelity and payload capture. The actor’s tooling validated targets before delivering the exploit payload:
• Sensors whose decoys returned 404 received the probe but not the payload
• The sensor whose decoy returned 200 received the full CVE-2026-8451 SAMLRequest immediately
This is consistent with attacker tooling that validates targets before committing to exploitation. Low-fidelity decoys log the probe but miss the payload. High-fidelity decoys that return realistic responses capture the full exploit chain and, by extension, any post-exploitation steps the attacker takes next.
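As an added example (not code from this post, from Lupovis or from watchTowr), the Python below reconstructs the captured payload from the description above (an opening <samlp:AuthnRequest tag, 476 spaces, one newline), encodes it as a SAMLRequest form parameter so its prefix can be compared with the captured one, and classifies POST /saml/login bodies with a signature that matches the unterminated, whitespace-only tag but not an ordinary multi-line AuthnRequest. The decoy_handle function is a hypothetical sketch of the fidelity point: 200 on the decoyed path, 404 elsewhere. The benign sample request, its hypothetical ID and issuer, and the raw-DEFLATE fallback for Redirect-binding-style payloads are assumptions added here, not details from the post.

```python
import base64
import binascii
import re
import urllib.parse
import zlib
from typing import Optional, Tuple

# Constructed to match the structure the post describes: an opening
# <samlp:AuthnRequest tag, 476 spaces, one newline, nothing else.
OVERREAD_PAYLOAD = b"<samlp:AuthnRequest" + b" " * 476 + b"\n"

# Constructed benign AuthnRequest for comparison (hypothetical ID and issuer).
# It also has a newline right after the tag name, so a detector keyed only on
# "newline after the tag name" would misfire on it.
BENIGN_AUTHNREQUEST = b"""<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_hypothetical-request-id" Version="2.0"
    IssueInstant="2026-07-01T00:00:00Z">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.example/</saml:Issuer>
</samlp:AuthnRequest>
"""

# Overread signature: the entire document is the opening tag name followed by
# nothing but whitespace. No attribute, no '>', no closing tag.
OVERREAD_RE = re.compile(rb"\A<samlp:AuthnRequest(\s+)\Z")


def encode_saml_post_body(xml: bytes) -> str:
    """Form body for the SAML HTTP-POST binding: base64, then URL-encoded."""
    return urllib.parse.urlencode({"SAMLRequest": base64.b64encode(xml).decode("ascii")})


def encode_saml_redirect_style(xml: bytes) -> str:
    """Same parameter but DEFLATEd first, as the HTTP-Redirect binding does.

    Assumption added here so a redirect-style payload replayed via POST is
    still inspected; the post only shows the plain base64 form.
    """
    co = zlib.compressobj(wbits=-15)  # raw DEFLATE, no zlib header
    deflated = co.compress(xml) + co.flush()
    return urllib.parse.urlencode({"SAMLRequest": base64.b64encode(deflated).decode("ascii")})


def decode_saml_request(form_body: str) -> Optional[bytes]:
    """Recover the XML carried by a SAMLRequest form parameter, or None."""
    values = urllib.parse.parse_qs(form_body, keep_blank_values=True).get("SAMLRequest")
    if not values:
        return None
    try:
        raw = base64.b64decode(values[0], validate=True)
    except (binascii.Error, ValueError):
        return None
    if raw.lstrip().startswith(b"<"):
        return raw  # plain base64 (HTTP-POST binding)
    try:
        return zlib.decompress(raw, wbits=-15)  # raw DEFLATE fallback (assumption)
    except zlib.error:
        return raw


def classify_saml_request(form_body: str) -> dict:
    """Verdict for one POST /saml/login body."""
    xml = decode_saml_request(form_body)
    if xml is None:
        return {"verdict": "undecodable"}
    m = OVERREAD_RE.match(xml)
    if m:
        pad = m.group(1)
        return {
            "verdict": "cve-2026-8451-overread",
            "spaces": pad.count(b" "),
            "newline_terminated": pad.endswith(b"\n"),
        }
    if xml.lstrip().startswith(b"<samlp:AuthnRequest"):
        return {"verdict": "authnrequest"}
    return {"verdict": "other"}


def decoy_handle(method: str, path: str, form_body: str = "") -> Tuple[int, dict]:
    """Hypothetical high-fidelity decoy logic (not Lupovis code).

    Answer /saml/login with 200 the way a real SAML IdP would, so tooling that
    validates targets first goes on to send its payload, and classify every
    POST body. Anything else gets 404, which in the campaign data stopped the
    actor at the probe stage.
    """
    if path != "/saml/login":
        return 404, {"verdict": "not-decoyed"}
    if method == "POST":
        return 200, classify_saml_request(form_body)
    return 200, {"verdict": "probe"}


if __name__ == "__main__":
    body = encode_saml_post_body(OVERREAD_PAYLOAD)
    print(body[:48] + "...")
    print(decoy_handle("POST", "/saml/login", body))
    print(decoy_handle("POST", "/saml/login", encode_saml_post_body(BENIGN_AUTHNREQUEST)))
    print(decoy_handle("GET", "/", ""))
```

Run directly, the first line printed begins SAMLRequest=PHNhbWxwOkF1dGhuUmVxdWVzdCAgICAg, the same prefix as the captured parameter above, because base64 of the tag name followed by runs of three spaces yields repeating ICAg groups. The signature deliberately requires the whole document to be tag name plus whitespace, rather than just a newline after the tag name, so a normal AuthnRequest with its attributes on following lines is reported as authnrequest rather than as an overread attempt.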
Endpoint: POST /saml/login
High-confidence indicators:
Lupovis Insights detected active exploitation of CVE-2026-8451 within 24 hours of public disclosure across three sensors, before inclusion in CISA KEV. Fleet-wide campaign visibility is a core capability of the Lupovis decoy fleet.