TL;DR
Attackers are exploiting a Citrix NetScaler vulnerability in the wild, tracked as CVE-2026-8451 (CVSS 8.8). The pre-auth memory overread affects appliances configured as a SAML identity provider. watchTowr Labs published full technical details and proof-of-concept exploit code. Exploitation began within 24 hours of that public release.
Why It Matters
NetScaler and NetScaler Gateway sit at the edge of most large enterprise networks. They handle load balancing, SSL offloading, and remote access for thousands of organizations. As a result, a pre-auth flaw here hands attackers a foothold before any login. The public PoC removes the hard part, so the barrier to attack is now very low. Leaked memory can expose session data and even process pointers. In turn, those pointers could seed a larger exploit chain against the appliance.
How the Attack Works
The bug lives in NetScaler’s SAML attribute parser. Citrix describes it as insufficient input validation leading to a memory overread. According to watchTowr Labs research, the parser mishandles unquoted attribute values in a SAML AuthnRequest. It fails to stop at the correct terminator and keeps reading past the intended bounds. An attacker triggers this by sending a crafted, base64-encoded SAML request to /saml/login. No credentials are needed, because the parser runs before authentication.
Consequently, leaked process memory returns to the attacker inside the NSC_TASS cookie. watchTowr also showed that a short malformed request can crash the nsppe process outright. The researchers released a detection artefact generator on GitHub to help defenders test exposure.
Exploitation Status
Threat intelligence firm Lupovis confirmed active exploitation of this Citrix NetScaler vulnerability. In posts on X, it reported an IP address from Frankfurt hitting its sensors on June 30. The attacker validated targets first, then dropped the payload only against hosts that returned a 200 response. That payload matched the watchTowr exploit, which points to real attacks rather than generic scanning. Every affected organization should therefore treat this flaw as urgent.
Affected Versions
The flaw affects NetScaler ADC and Gateway 14.1 before 14.1-72.61. It also affects 13.1 before 13.1-63.18. FIPS builds before 14.1-72.61 FIPS and NDcPP builds before 13.1-37.272 fall in scope too. Only appliances configured as a SAML IdP are exploitable.
Patch and Mitigation Steps
Citrix has shipped fixed builds, so administrators should upgrade at once. Move NetScaler ADC and Gateway to 14.1-72.61 or 13.1-63.18 and later. FIPS and NDcPP users should install 14.1-72.61 FIPS or 13.1-37.272. Given active attacks, teams should patch before any further review. Afterward, hunt logs for malformed SAML requests to /saml/login.
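A starting point for that log hunt, as an added example that is not code from Citrix, watchTowr or this report: it flags requests to /saml/login whose decoded SAMLRequest has unquoted attribute values, an unterminated tag, or invalid base64. The record fields (`src`, `path`, `saml_request`) and all sample values are constructed assumptions about a log export with the parameter already URL-decoded; the DEFLATE step for the SAML HTTP-Redirect binding goes beyond the base64 form described above.

```python
import base64, binascii, re, zlib

TAG = re.compile(r"<(?![!/])[^<>]*(?:>|\Z)")     # opening tag, possibly cut off at end of input
QUOTED = re.compile(r"\"[^\"]*\"|'[^']*'")       # a correctly quoted attribute value
BARE = re.compile(r"([\w:.-]+)\s*=(?!\s*\x00)")  # name= not followed by a masked quoted value

def decode_saml(value):
    """Return the request XML as text, or None when the value is not base64."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        raw = zlib.decompress(raw, -15)  # HTTP-Redirect binding: raw DEFLATE
    except zlib.error:
        pass                             # HTTP-POST binding: base64 only
    return raw.decode("utf-8", "replace")

def findings(xml):
    """List well-formedness problems found in the tags of a decoded request."""
    out = []
    for tag in TAG.findall(xml):
        if not tag.endswith(">"):
            out.append("unterminated tag")
        # Mask quoted values with NUL so only unquoted ones are left to match.
        out += ["unquoted attribute " + m.group(1)
                for m in BARE.finditer(QUOTED.sub("\x00", tag))]
    return out

def hunt(records, path="/saml/login"):
    """Return (src, reasons) for each request to `path` that needs triage."""
    hits = []
    for rec in records:
        if rec["path"].split("?")[0] == path:
            xml = decode_saml(rec["saml_request"])
            reasons = ["SAMLRequest is not valid base64"] if xml is None else findings(xml)
            if reasons:
                hits.append((rec["src"], reasons))
    return hits

def sample(src, xml):  # constructed record; field names are assumptions
    return {"src": src, "path": "/saml/login",
            "saml_request": base64.b64encode(xml.encode()).decode()}

SAMPLE = [sample("198.51.100.10", '<samlp:AuthnRequest ID="_a1" Version="2.0"/>'),
          sample("203.0.113.7", '<samlp:AuthnRequest ID=_a1 Version="2.0"/>'),
          {"src": "203.0.113.8", "path": "/saml/login", "saml_request": "%%%"}]

for src, reasons in hunt(SAMPLE):
    print(src, "; ".join(reasons))
```

Hits are triage leads rather than proof of exploitation; a quoted attribute value that itself contains `>` will also trip this heuristic.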