CVE-2026-8451 “CitrixBleed”: Citrix NetScaler ADC/Gateway Memory Overread Exploited Within 24 Hours of Disclosure

CVE: CVE-2026-8451 | CVSS: 8.6 (High) | Vendor: Citrix | Product: NetScaler ADC/Gateway


What Is the Vulnerability

CVE-2026-8451 is the latest entry in the “CitrixBleed” family of vulnerabilities affecting Citrix NetScaler ADC and Gateway appliances. It is an unauthenticated memory overread vulnerability that allows a remote attacker to read sensitive data directly from device memory without any credentials. The exposed data can include authentication session tokens, cleartext credentials, SSL/TLS certificate private keys, and other confidential information stored in the appliance’s memory at the time of exploitation.

Because NetScaler functions as both an application delivery controller and a remote access gateway, it sits at the network edge — making it a high-value target. Compromising a NetScaler device effectively grants an attacker a foothold at the boundary between the internet and the internal network, with access to VPN tunnels and load-balanced backend services.

Versions Affected

  • NetScaler ADC and NetScaler Gateway 14.1 before 14.1-29.72
  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-55.39
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-94.25
  • NetScaler ADC 12.1 (EOL) — no patch available; must upgrade

Exploited?

Yes — exploited within 24 hours of disclosure. Citrix released the patch on June 30, 2026. On the same day, watchTowr Labs published a detailed technical analysis, including proof-of-concept code. According to Lupovis threat intelligence, active exploitation was observed in the wild within 24 hours of the advisory. This mirrors the pattern seen with previous CitrixBleed vulnerabilities (CVE-2023-4966, CVE-2024-6154), where attackers moved with extreme speed to compromise unpatched appliances before defenders could react.

Fix

Apply the June 30, 2026 Citrix security update immediately. The patches are available through the standard Citrix support portal and appliance update mechanism:

  • ADC 14.1 → upgrade to 14.1-29.72 or later
  • ADC 13.1 → upgrade to 13.1-55.39 or later
  • ADC 13.0 → upgrade to 13.0-94.25 or later
  • ADC 12.1 → no patch; upgrade to a supported version immediately

Recommendations

  • Patch immediately. If your NetScaler appliance was internet-facing and unpatched after July 1, 2026, assume its memory was accessed and all resident secrets are compromised.
  • Rotate all credentials that may have been present in appliance memory, including LDAP/AD bind credentials, RADIUS secrets, and any certificates whose private keys could have been resident.
  • Audit NetScaler appliances for indicators of compromise using the IoCs published by Citrix and watchTowr. Look for unusual authentication events, unexpected session tokens, and anomalous outbound connections.
  • Review access logs for the period between June 30 and patch application. The UK NCSC has issued an urgent advisory recommending all NetScaler operators take these steps.
  • Segment management interfaces so that administrative access is not exposed to the internet, reducing the attack surface for future vulnerabilities.
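
The fixed-build list and the first and fourth recommendations can be applied to an appliance inventory with a short triage script. This is an added example, not code from Citrix or watchTowr. The function names, the two accepted version-string formats, and the reading of "unpatched after July 1, 2026" as "fixed build installed later than July 1, or not installed yet" are assumptions.

```python
import re
from datetime import date

# Fixed builds per release branch, from the advisory above.
FIXED = {"14.1": (29, 72), "13.1": (55, 39), "13.0": (94, 25)}
EOL = {"12.1"}                    # no patch available; must upgrade
DISCLOSED = date(2026, 6, 30)     # patch and PoC publication date
CUTOFF = date(2026, 7, 1)         # unpatched after this => assume compromise

# Assumed input formats: "14.1-29.72" or "NS14.1: Build 29.72.nc".
_VER = re.compile(r"(\d+\.\d+)\s*(?:-|:\s*Build\s+)(\d+)\.(\d+)")

def build_status(version):
    """Classify a version string as patched / vulnerable / eol-upgrade / unknown."""
    m = _VER.search(version)
    if not m:
        return "unknown"
    branch, build = m.group(1), (int(m.group(2)), int(m.group(3)))
    if branch in EOL:
        return "eol-upgrade"
    if branch not in FIXED:
        return "unknown"
    # Compare numerically: build 9.60 is older than 55.39 even though "9" > "5".
    return "patched" if build >= FIXED[branch] else "vulnerable"

def triage(version, internet_facing, patched_on=None, today=None):
    """Return status, whether to assume compromise, and the log-review window.

    patched_on is the date the fixed build was installed (None if unknown or
    not yet patched); in that case the exposure window runs to `today`.
    """
    today = today or date.today()
    status = build_status(version)
    end = patched_on if status == "patched" and patched_on else today
    return {
        "status": status,
        "assume_compromise": internet_facing and end > CUTOFF,
        "log_window": (DISCLOSED, end),
    }

if __name__ == "__main__":
    # Constructed inventory rows: (version string, internet-facing, patch date)
    fleet = [("NS14.1: Build 29.72.nc", True, date(2026, 6, 30)),
             ("NS13.1: Build 9.60.nc", True, None),
             ("13.0-94.25", True, date(2026, 7, 2)),
             ("12.1-65.35", False, None)]
    for ver, facing, patched in fleet:
        print(ver, triage(ver, facing, patched, today=date(2026, 7, 3)))
```

An appliance flagged `assume_compromise` goes straight to the credential and certificate rotation step; `log_window` gives the date range for the access-log review.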

References

  • Security.nl — CitrixBleed coverage
  • Citrix Security Bulletin (June 30, 2026)
  • watchTowr Labs technical analysis
  • Lupovis threat intelligence report on exploitation timeline
  • UK NCSC urgent advisory

Part of the Vulnerability Intelligence series. See the July 3, 2026 VIR.
