FORSMILE
JA
セキュリティ2026/07/07

[URGENT] New Citrix Bleed-related vulnerability (CVE-2026-8451) in Citrix NetScaler ADC / Gateway exploited within 24 hours of discovery, memory information leak could lead to RCE

A new memory information leak vulnerability, CVE-2026-8451, has been discovered in the SAML authentication process of Citrix NetScaler ADC/Gateway. Exploitation has been confirmed within 24 hours of its disclosure, requiring urgent measures for administrators.

Back to Blog

A new memory information leak vulnerability (CVE-2026-8451) has been reported in the SAML authentication process of Citrix network appliances, NetScaler ADC and NetScaler Gateway. This vulnerability has been confirmed to be exploited within just 24 hours of its disclosure, allowing attackers to remotely and illegitimately read confidential information from system memory. Multiple threat intelligence firms have observed attack payloads against honeypots. Ultimately, it has been pointed out that this could lead to Remote Code Execution (RCE) when combined with other vulnerabilities, and organizations using these as SAML IDPs must take immediate action.

Vulnerability Overview and Scope of Impact

CVE-2026-8451 stems from a flaw in NetScaler's proprietary XML parser used to parse SAML authentication requests. Due to improper termination judgment for attribute values in Base64-encoded XML documents (AuthnRequest) sent to the SAML authentication endpoint (/saml/login), memory reading continues beyond the buffer boundary if newline characters follow. This potentially allows unauthenticated attackers to remotely read the appliance's memory contents.

⚠ CVE Score — 高危険度 / HIGH
8.8HIGHCVE-2026-8451

Although the CVSS score is rated 8.8 (High), considering the history of past Citrix Bleed-related vulnerabilities being exploited in ransomware attacks and the risk of escalation to remote code execution, its severity is extremely high. NetScaler ADC and NetScaler Gateway are affected, particularly when configured as a SAML Identity Provider (IDP).

Specific Impacts and Attack Scenarios

Attackers can repeatedly send maliciously crafted SAML authentication requests to incrementally gather a few bytes of memory information at a time, ultimately reconstructing critical system information. This could include process pointer information, and by chaining it with other vulnerabilities (e.g., zero-day vulnerabilities combined with data obtained from the information leak), it could be exploited for arbitrary remote code execution (RCE).

Threat intelligence firm Lupovis has confirmed that actual attack payloads were sent to multiple honeypots from an IP address based in Frankfurt, Germany, within just 24 hours of Citrix's official advisory and vulnerability detection tool being released. This indicates a severe threat to organizations that delay patch application.

Measures Engineers Should Take Immediately

To ensure your site's security, please implement the following measures immediately.

1. **Prioritize Patch Application**: Apply the security updates released by Citrix on June 30, 2026, as quickly as possible. It is crucial for all NetScaler ADC and NetScaler Gateway users to update to the latest firmware corresponding to their current version.

2. **Temporarily Disable SAML IDP Functionality**: If applying patches is difficult, consider temporarily disabling SAML IDP functionality as an emergency measure. However, this may significantly impact business operations, so the risks and tradeoffs must be carefully evaluated.

3. **Network-Level Access Restrictions**: By restricting access to the SAML authentication endpoint to trusted IP addresses only, the attack surface can be significantly reduced. Below is an example of access restriction using Nginx. Implementing a Web Application Firewall (WAF) is also an effective measure.

nginx
location /saml/login {
    # Allow access only from trusted IP addresses
    allow 192.0.2.0/24;  # IP address range of the management network to allow
    allow 203.0.113.1;   # Specific IP address to allow
    deny all;            # Deny all other access

    # Example of proxying SAML processing to Citrix NetScaler
    # proxy_pass http://backend_netscaler_saml_server;
    # proxy_set_header Host $host;
    # proxy_set_header X-Real-IP $remote_addr;
    # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
📦
Amazon で関連書籍・ツールを検索
cybersecurity server security tools
Amazonで探す →(アソシエイトリンク)

References / Official Patch Information

Related articles