Hackers News

CyberSecurity News

Citrix Bleed (CVE-2023-4966) Critical Vulnerability Actively Exploited

By Sarah Simpson
July 2, 2026

Key Takeaways

  • A new CitrixBleed-class vulnerability, CVE-2026-8451, was under active exploitation within a day of disclosure. (The original CitrixBleed of 2023 was CVE-2023-4966.)
  • The flaw affects Citrix NetScaler ADC and Gateway appliances configured as SAML Identity Providers (IdPs).
  • It allows unauthenticated memory disclosure; the leaked memory can include session tokens.
  • Fixed builds are NetScaler ADC/Gateway 14.1-72.61 and 13.1-63.18; earlier builds on those branches are affected.

A recently disclosed critical vulnerability in Citrix NetScaler appliances, tracked as CVE-2026-8451, was exploited in the wild within hours of its public disclosure. Lupovis, a security firm that operates decoy infrastructure, confirmed a coordinated scanning and exploitation campaign against vulnerable systems across several of its sensor deployments.

Within 24 hours of Citrix publishing advisory CTX696604 and watchTowr Labs releasing a Detection Artifact Generator for CVE-2026-8451, Lupovis’s decoy systems began recording concentrated scanning. The campaign specifically targeted NetScaler appliances configured as SAML Identity Providers.

A threat actor operating from the IP address 146.70.139[.]154 attacked three distinct Lupovis sensor deployments over roughly five hours between June 30 and July 1, 2026. The sweep culminated in the delivery of a confirmed exploitation payload for CVE-2026-8451.

At the time of writing, this activity has not been added to the CISA Known Exploited Vulnerabilities (KEV) catalog. That mirrors previous CitrixBleed incidents, where real-world exploitation began weeks before formal KEV inclusion, leaving organizations that rely solely on KEV for prioritization exposed during that window.

CitrixBleed Vulnerability Exploited

CVE-2026-8451 is the latest addition to the CitrixBleed family of memory-disclosure vulnerabilities. This recurring class of memory-management failure in NetScaler appliances was first identified as CVE-2023-4966 (the original CitrixBleed) and has since reappeared as CVE-2025-5777, CVE-2025-12101 and CVE-2026-3055.

The history of these flaws shows a consistent pattern: CitrixBleed-style bugs are unauthenticated, expose session tokens, and are mass-exploited soon after public disclosure. The original CitrixBleed in 2023 was used against Boeing, ICBC and DP World within weeks of its disclosure.

The new flaw resides in NetScaler’s custom XML parser, specifically in its handling of SAML AuthnRequest documents. The parser fails to terminate an unquoted attribute value at a following newline character, so it keeps reading past the end of the buffer. The resulting out-of-bounds read leaks adjacent memory contents into the NSC_TASS cookie returned to the client.

The vulnerability requires no authentication and only affects NetScaler appliances configured as SAML IdPs. Affected versions are NetScaler ADC/Gateway 14.1 before 14.1-72.61 and 13.1 before 13.1-63.18.
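A quick way to triage an appliance inventory against the fixed builds quoted above, added here as an example rather than Citrix’s or the article’s own tooling. The fixed builds come from the article; the accepted version-line shape (the short 14.1-72.61 form, or a "NetScaler NS14.1: Build 72.61.nc" line assumed to resemble show ns version output) and the constructed inventory are assumptions for illustration. Branches the advisory does not mention are reported as unknown rather than guessed at.

```python
"""Triage NetScaler builds against the fixed builds quoted in the advisory.
Added illustration, not Citrix tooling; the version-line shape is assumed."""
import re
from typing import Optional, Tuple

# Fixed builds for CVE-2026-8451 as quoted in the article: earlier builds on
# these branches are affected. Branches not listed are reported as unknown.
FIXED_BUILDS = {"14.1": (72, 61), "13.1": (63, 18)}

# Accepts "14.1-72.61" and "NetScaler NS14.1: Build 72.61.nc, Date: ..."
# (the latter is the assumed shape of `show ns version` output).
VERSION_RE = re.compile(r"(?:NS)?(\d+\.\d+)[:\s-]+(?:Build\s+)?(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[str, Tuple[int, int]]]:
    """Return (branch, (build_major, build_minor)) or None if unparseable."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def assess(version_text: str, saml_idp_configured: bool) -> str:
    """Classify one appliance. Exposure needs both an unpatched build and the
    SAML IdP role, which is the condition the advisory states."""
    parsed = parse_version(version_text)
    if parsed is None:
        return "unknown: version string not recognised"
    branch, build = parsed
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        return f"unknown: branch {branch} not covered by the quoted advisory"
    if build >= fixed:
        return "patched"
    if not saml_idp_configured:
        return "unpatched but not exposed: SAML IdP role not configured (patch anyway)"
    return "VULNERABLE: unpatched build with SAML IdP role, patch immediately"


if __name__ == "__main__":
    # Constructed inventory, not real hosts.
    fleet = [
        ("gw1", "NetScaler NS14.1: Build 70.12.nc, Date: Mar 3 2026", True),
        ("gw2", "14.1-72.61", True),
        ("adc1", "13.1-59.19", False),
        ("old1", "13.0-92.21", True),
    ]
    for name, ver, idp in fleet:
        print(f"{name:5} {assess(ver, idp)}")
```

Feed it the version line and the SAML IdP flag for each appliance; an appliance on an unpatched build without the IdP role is still worth patching, since the role can be enabled later.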

The scanning activity was traced to 146.70.139[.]154, hosted on M247 Europe SRL (AS9009) infrastructure in Frankfurt, Germany. This hosting and VPN provider is frequently seen in opportunistic scanning activity.

The attacker probed Sensor A twice, receiving a 404 both times, then probed Sensor B and again received a 404. When Sensor C returned a 200, the full SAML payload for CVE-2026-8451 was delivered immediately. This target-validation step in the tooling mirrors CitrixBleed 2 in 2025, where scanning and exploitation escalated rapidly once proof-of-concept details were public, prompting CISA to mandate patching by federal agencies within 24 hours.

The captured payload, sent to the POST /saml/login endpoint, decoded to a bare <samlp:AuthnRequest tag padded with 476 spaces, with no attributes, no closing > and no closing tag. This exactly matches the overread pattern described in watchTowr’s Detection Artifact Generator, which is designed to force the XML parser to read beyond its allocated buffer into adjacent memory.

Because exploitation of CVE-2026-8451 began before KEV inclusion, organizations relying solely on KEV for patch prioritization were exposed during that period. This mirrors the CitrixBleed 2 timeline, where exploitation began around June 20, 2025, but KEV inclusion did not follow until July 10 of that year.

The attacker’s ability to hit three sensors in a single sweep highlights the importance of centralized, multi-sensor telemetry for detecting such coordinated campaigns, which might be missed by isolated honeypots.

The sensors that returned a 404 logged only probes, while the sensor that returned a 200 captured the complete exploit chain. The attacker’s tooling therefore validates a target before sending the payload, and a decoy that does not answer 200 on the SAML endpoint will only ever see the reconnaissance half of the activity.

Indicators of Compromise

Indicator                          Type             Context
146.70.139[.]154                   IPv4             CVE-2026-8451 scanning; M247 Europe SRL exit node (AS9009), Germany
python-requests/2.32.5             User-Agent       Automated scanning tooling
POST /saml/login                   Endpoint         CVE-2026-8451 exploit endpoint
<samlp:AuthnRequest + 400+ spaces  Payload pattern  CVE-2026-8451 overread variant
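The detection logic a defender would build from the indicators above and from the probe-then-payload sequence described earlier, added here as an example; it is not Lupovis or watchTowr code. It parses constructed sensor log lines (the key=value line format, the sensor names and the timestamps are assumptions, modelled on the sequence the article describes), decodes the SAMLRequest body of each POST, flags the bare-tag-plus-400-spaces overread pattern regardless of source IP, flags IoC-matching traffic to /saml/login as probes, and then groups events by source across all sensors so that a multi-sensor sweep ending in a payload stands out.

```python
"""Detection logic for the CVE-2026-8451 overread pattern and the multi-sensor
sweep described above, run over constructed sensor log lines.
Added example, not Lupovis or watchTowr code."""
import base64
import binascii
import re
from collections import defaultdict
from typing import Optional
from urllib.parse import parse_qs, urlencode

# Indicators from the article's IoC table.
IOC_SOURCE_IPS = {"146.70.139.154"}
IOC_USER_AGENT_PREFIX = "python-requests/"
EXPLOIT_PATH = "/saml/login"

# Overread variant: a bare <samlp:AuthnRequest tag followed only by 400+
# spaces, with no attributes, no '>' and no closing tag.
OVERREAD_RE = re.compile(rb"\A\s*<samlp:AuthnRequest {400,}\Z")

# key=value / key="quoted value" fields: the assumed shape of the sensor log.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')


def post_body(xml: bytes) -> str:
    """SAML HTTP-POST binding body (SAMLRequest=<base64>) for constructed events."""
    return urlencode({"SAMLRequest": base64.b64encode(xml).decode()})


BENIGN_XML = (b'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
              b'ID="_c0ffee" Version="2.0" IssueInstant="2026-07-01T00:00:00Z"/>')
OVERREAD_XML = b"<samlp:AuthnRequest" + b" " * 476

# Constructed log, modelled on the sequence in the article: two 404 probes on
# sensor A, one on B, a 200 on C, then the payload to C. The last line is benign.
SAMPLE_LOG = f"""\
ts=2026-06-30T22:01:03Z sensor=A src=146.70.139.154 method=GET path=/saml/login status=404 ua="python-requests/2.32.5" body=""
ts=2026-06-30T22:01:04Z sensor=A src=146.70.139.154 method=GET path=/saml/login status=404 ua="python-requests/2.32.5" body=""
ts=2026-06-30T23:40:11Z sensor=B src=146.70.139.154 method=GET path=/saml/login status=404 ua="python-requests/2.32.5" body=""
ts=2026-07-01T02:15:42Z sensor=C src=146.70.139.154 method=GET path=/saml/login status=200 ua="python-requests/2.32.5" body=""
ts=2026-07-01T02:15:43Z sensor=C src=146.70.139.154 method=POST path=/saml/login status=200 ua="python-requests/2.32.5" body="{post_body(OVERREAD_XML)}"
ts=2026-07-01T03:00:00Z sensor=C src=203.0.113.7 method=POST path=/saml/login status=200 ua="Mozilla/5.0" body="{post_body(BENIGN_XML)}"
"""


def parse_line(line: str) -> dict:
    """Split one log line into a field dict."""
    return {k: (q or u) for k, q, u in FIELD_RE.findall(line)}


def decode_saml_request(body: str) -> Optional[bytes]:
    """Decoded SAMLRequest from a POST body, or None if absent or not base64."""
    values = parse_qs(body).get("SAMLRequest")
    if not values:
        return None
    try:
        return base64.b64decode(values[0], validate=True)
    except (binascii.Error, ValueError):
        return None


def classify(event: dict) -> str:
    """'exploit' if the overread payload was delivered (whatever the source),
    'probe' for IoC-matching traffic to the SAML endpoint, else 'benign'."""
    if event.get("path") != EXPLOIT_PATH:
        return "benign"
    xml = decode_saml_request(event.get("body", "")) if event.get("method") == "POST" else None
    if xml is not None and OVERREAD_RE.match(xml):
        return "exploit"
    ioc_hit = (event.get("src") in IOC_SOURCE_IPS
               or event.get("ua", "").startswith(IOC_USER_AGENT_PREFIX))
    return "probe" if ioc_hit else "benign"


def correlate(log_text: str) -> dict:
    """Group non-benign events by source IP across all sensors. 'campaign' is
    the pattern the article highlights: one source touching more than one
    sensor and delivering at least one payload."""
    summary = defaultdict(lambda: {"sensors": set(), "probes": 0, "exploits": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        label = classify(ev)
        if label == "benign":
            continue
        rec = summary[ev["src"]]
        rec["sensors"].add(ev["sensor"])
        rec["probes" if label == "probe" else "exploits"] += 1
    return {src: {"sensors": sorted(rec["sensors"]), "probes": rec["probes"],
                  "exploits": rec["exploits"],
                  "campaign": len(rec["sensors"]) > 1 and rec["exploits"] > 0}
            for src, rec in summary.items()}


if __name__ == "__main__":
    for src, rec in correlate(SAMPLE_LOG).items():
        print(src, rec)
```

The payload check is deliberately independent of the source IP: the IP and User-Agent in the table are useful for hunting this one sweep, but the same tooling will reappear from other addresses, and the bare-tag overread pattern is the indicator that survives that change.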

What You Should Do

  • Immediately Patch: Upgrade NetScaler ADC/Gateway to 14.1-72.61 or later on the 14.1 branch, or to 13.1-63.18 or later on the 13.1 branch. Because the flaw leaks session tokens, treat sessions established on an unpatched appliance as potentially stolen once you have patched.
  • Review Configuration: Disable the SAML Identity Provider role on NetScaler appliances where it is not strictly required; appliances that are not configured as SAML IdPs are not affected by this flaw.
  • Monitor for IoCs: Implement monitoring for the provided Indicators of Compromise (IoCs) in your network traffic and logs.
  • Threat Hunting: Proactively search for any signs of compromise using the exploit patterns and IP addresses identified.
  • Stay Informed: Do not rely solely on KEV listings for critical vulnerability management; monitor vendor advisories and cybersecurity news closely.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags: Attack, CVE, Exploit, Hacker, Patch, Threat, Vulnerability


About the author: Sarah Simpson

Sarah is a cybersecurity journalist specializing in threat intelligence and malware analysis. With over 8 years of experience covering APT groups, zero-day exploits, and advanced persistent threats, Sarah brings deep technical expertise to breaking cybersecurity news. Previously, she worked as a security researcher at leading threat intelligence firms, where she analyzed malware samples and tracked cybercriminal operations. Sarah holds a Master's degree in Computer Science with a focus on cybersecurity and is a regular contributor to major security conferences.


All Rights Reserved by HackersRadar ©2026