Vulnerabilities

Citrix NetScaler Memory Flaw Under Active Exploitation by Four Threat Groups

Citrix NetScaler Memory Flaw Under Active Exploitation by Four Threat Groups

A high-severity memory overread vulnerability in Citrix NetScaler is being actively exploited across multiple threat campaigns. Citrix disclosed CVE-2026-8451, a CVSS 8.8 flaw in NetScaler Application Delivery Controller and NetScaler Gateway and at least four distinct threat groups are already using it. The vulnerability stems from insufficient input validation and allows attackers to read memory contents from affected devices including session tokens that can be used to hijack authenticated user sessions without needing credentials.

Citrix has not publicly commented on reports of active exploitation as of the time of writing. That silence is not reassuring given what the same silence cost organizations in 2023.

This Is Not the First Time

CVE-2026-8451 is functionally similar to CVE-2023-4966, the vulnerability known as CitrixBleed. That 2023 flaw, also a memory disclosure bug in NetScaler ADC and Gateway, allowed unauthenticated attackers to retrieve valid session tokens from device memory and bypass multi-factor authentication entirely. CISA issued explicit guidance on CVE-2023-4966 in October 2023 after widespread exploitation. LockBit ransomware operators were among the groups that weaponized it at scale. Recovery from those incidents ran into months for some organizations.

The 2025 variant, CVE-2025-5777, extended the same class of bug. Arctic Wolf documented active exploitation of CVE-2025-5777 in NetScaler ADC and Gateway, confirming that memory disclosure in this product line had not been fully addressed between 2023 and now. Splunk’s security research team published detection and mitigation guidance for CVE-2025-5777, noting that the mechanism allowing session token extraction remained viable despite the intervening patches.

CVE-2026-8451 represents the third generation of the same structural problem. Citrix’s pattern of issuing partial fixes that leave the underlying memory handling behaviour intact is a fair characterization of what the vulnerability history shows, and organizations that patched CitrixBleed in 2023 and considered the class of risk closed are now finding out that was incorrect.

What the Flaw Actually Does

The vulnerability sits in the input validation layer of NetScaler ADC and Gateway. When a specially crafted request is sent to an affected device, insufficient bounds checking causes the device to read beyond the intended memory buffer. The overread returns data from adjacent memory which on a gateway device processing active user sessions will frequently include authentication tokens.

Those tokens can be replayed directly against internal applications the gateway protects with no further exploitation required. No malware deployment. No lateral movement tools. An attacker with a valid stolen session token simply looks like an authenticated user to every downstream system.

Akamai’s security research team documented the same token extraction mechanics in their mitigation guidance for CVE-2025-5777, which shares the same attack class as CVE-2026-8451. Their analysis confirmed that App and API Protector rules could detect anomalous memory probe requests at the edge, but that network-layer mitigations are temporary measures, not a substitute for patching the device itself.

CVE-2026-3055 is listed alongside CVE-2026-8451 in Citrix’s current advisory. Citrix has not published a full technical breakdown of CVE-2026-3055 at the time of writing and no independent researcher has confirmed its precise scope. Treat any claim about its severity as provisional until that changes.

Four Groups, Active Now

Dark Reading reported that at least four separate threat groups are currently exploiting CVE-2026-8451. The identity of those groups has not been confirmed in any government advisory at the time of publication. CISA has not yet added CVE-2026-8451 to its Known Exploited Vulnerabilities catalogue, though CISA added CVE-2023-4966 within days of confirmed exploitation becoming public knowledge in 2023, and the same timeline is plausible here.

Cybersecurity Dive confirmed exploitation is active, citing multiple sources with visibility into NetScaler deployments. ReliaQuest published background and recommendations on the original CitrixBleed exploitation campaign in 2023 and was among the first to document the session hijacking mechanics that made that vulnerability so damaging.

The presence of multiple threat groups exploiting the same flaw simultaneously is a signal that proof-of-concept code is circulating beyond any single actor. That is the point at which organizations with unpatched internet-facing NetScaler devices should assume exploitation attempts are already hitting their infrastructure, not just a risk to plan for.

Patch, Then Check for Existing Compromise

Apply Citrix’s current security patches for CVE-2026-8451 immediately. Any NetScaler ADC or Gateway device exposed to the internet is in scope. Patching a compromised device does not evict an attacker who has already extracted session tokens, so patching and investigation need to run in parallel, not sequentially.

Terminate all active sessions on affected devices before or immediately after patching. This is the step organisations skipped in 2023 and paid for. A valid stolen session token remains usable until the session is explicitly invalidated, regardless of whether the device has been patched. CISA’s 2023 guidance on CVE-2023-4966 was explicit on this point and nothing about CVE-2026-8451 changes that requirement.

Review NetScaler access logs for anomalous memory probe requests in the period before patching. Akamai’s mitigation guidance for CVE-2025-5777 includes specific request patterns associated with memory overread exploitation that apply to the same attack class. Splunk’s detection guidance for CVE-2025-5777 provides SIEM queries that can be adapted for CVE-2026-8451 log analysis.

If patching cannot happen immediately, restrict external access to the NetScaler management interface and place the device behind an upstream WAF or API protection layer configured to drop requests matching known memory probe patterns. That buys time. It does not close the vulnerability.

References

  1. CitrixBleed-ing Again? NetScaler Vulnerability Under Attack
  2. Citrix NetScaler products confirmed to be under exploitation
  3. Follow-up updates on CVE-2025-5777 Citrix Bleed 2
  4. CitrixBleed 2 Vulnerability Detection and Mitigation
  5. Mitigating CitrixBleed 2 CVE-2025-5777 with App and API Protector
  6. Guidance for Addressing CVE-2023-4966 Citrix Bleed
  7. Citrix Bleed Vulnerability Background and Recommendations
  8. CitrixBleed isn’t going away

This post is also available in: Svenska

Per Häggdahl

Per Häggdahl is Head of Business Unit and CISO at eBuilder Security, with more than 20 years securing systems for banks, central banks, stock exchanges and central securities depositories, now leading the team that brings that same enterprise-grade protection to organisations of every size.