CitrixBleed 2 Active Exploitation Pre-Auth Memory Overread

CitrixBleed 2 leaks NetScaler session tokens through NSC_TASS

July 8, 2026·9 min read·Chris Boker, Founder, CVEasy AI
A bare samlp:AuthnRequest tag on the left, padded with a rust field of whitespace, feeds into a NetScaler XML parser box whose right edge is broken and bleeds fragments into an NSC_TASS Set-Cookie header shown on the right

There is a very specific feeling that hits when a NetScaler advisory lands with the phrase “session tokens” in the impact box. You already know the weekend is going to be about rotating cookies and reading login logs. That was the feeling on June 30, 2026, when Citrix shipped bulletin CTX696604 covering six NetScaler bugs, one of which, CVE-2026-8451, turned out to be a pre-auth memory overread on the SAML identity provider endpoint. Within 24 hours watchTowr Labs shipped a full write-up and Lupovis honeypots recorded probes on July 1. By July 2, CrowdSec confirmed broader in-the-wild attempts on internet-facing appliances, so the industry reached for the name CitrixBleed 2. It is a different bug from the original CitrixBleed (CVE-2023-4966), but the outcome lands in the same place: a NetScaler that hands over fragments of live memory, and among those fragments are session cookies that let an attacker replay a real user’s authenticated session with no password and no MFA challenge.

The parser bug behind the leak

The vulnerable code lives in NetScaler’s own XML parser, the one Citrix built to handle SAML AuthnRequest documents at /saml/login rather than using a mature XML library. That decision matters, because the bug is a violation of the XML specification rather than a memory-corruption exotic. In a compliant parser, an unquoted attribute value has to end at the first whitespace character. NetScaler’s parser only stops when it sees a null byte, a closing angle bracket, or a matching quote. Whitespace passes right through it. That is the whole bug in one sentence, per watchTowr’s analysis.

If an attacker sends a bare <samlp:AuthnRequest> element whose attribute never actually closes, the parser walks off the end of the buffer looking for a terminator, and keeps reading adjacent memory until one of those three control bytes shows up. The part that turns the read into a leak is what NetScaler does next: it echoes the bytes it read back to the requester through the NSC_TASS cookie set in the HTTP response. That is one HTTP round trip from “parser mistake” to “attacker sees appliance memory,” no authentication required, and the appliance never logs it as an error.

The 476 space payload

The public proof of concept is not exotic. A bare <samlp:AuthnRequest> element, one unquoted attribute (AssertionConsumerServiceURL is the typical target because reordering it works reliably in the parse loop), then 476 spaces, then a newline. The whitespace flood is what forces the parser past the end of its intended buffer. The trailing newline is what causes the leaked bytes to end up encoded into a Set-Cookie header on the way back out. Each request returns a fragment. Repeat the request in a loop, and the fragments accumulate.

The original CitrixBleed leaked kilobytes per request. This one does not, because any null byte or > character in adjacent memory terminates the overread, so most probes return short slices. That does not save anyone. On an appliance that has been running for weeks fronting a workforce SAML login flow, the memory behind that parse buffer is dense with session material, and given enough requests an attacker rebuilds a valid NSC_AAAC cookie or a live NetScaler session token by concatenating fragments. Replaying that cookie against the same appliance drops the attacker into an authenticated session belonging to a real user, with MFA already satisfied because the original user already satisfied it.

The core problem: A pre-auth SAML request causes NetScaler to echo fragments of appliance memory back to the sender inside the NSC_TASS cookie. That memory is dense with the session cookies of every user currently authenticated through the appliance, and replaying one of those cookies bypasses the SAML flow, the password, and the MFA challenge in one step.

Why a straight CVSS 8.8 mis-ranks the emergency

Citrix rated CVE-2026-8451 at CVSS 8.8, which puts it below every base score 9.x flaw in a typical Tuesday advisory pull, and below plenty of internally scored 9.0 findings that a normal queue processes first. It is the wrong signal for this bug.

A CVSS 8.8 pre-auth memory read on a random SaaS admin panel is a real bug that a defender can afford to schedule, but the same 8.8 sitting on the login front door for an entire workforce, echoing stolen session material back to the attacker inside a cookie, is a live incident the moment the appliance is reachable from the internet. The base score does not know which of those two you are running, and the vendor advisory is not going to tell you either. If the queue only reads CVSS, this bug sits behind three or four theatrical 9.8s that nobody is exploiting yet, and the compromise happens in the gap. SecurityWeek captured the timeline: patch on June 30, working exploitation attempts inside a day.

Reading CVE-2026-8451 through TRIS

Inside CVEasy AI, TRIS (the Threat and Risk Intelligence Scoring engine) resolves that gap by walking a set of layers on top of the CVSS base. Four of them decide this finding.

Exploitation status. Confirmed active, less than 24 hours from disclosure, with honeypot captures at Lupovis on July 1 and broader scan confirmations from CrowdSec on July 2, 2026, which alone lifts the finding to the top exploitation tier. Honest caveat: a public proof of concept plus honeypot probes are strong signals, but they are not yet the same evidence quality as a documented session hijack against a named victim, and TRIS keeps that distinction visible in the score.

Blast radius by role. The SAML IdP configuration on a NetScaler is the identity front door for the entire workforce that uses it, so every browser session that authenticated through the appliance since its last restart is potentially represented in the memory an attacker can pull. That is a fan-out CVSS does not weight, but TRIS does.

Mechanism weight. A pre-auth memory read that lets an attacker replay a session cookie is not the same as a pre-auth read of harmless configuration text, so TRIS reads the outcome rather than the classifier and lands this in the top mechanism band because replaying a live session past MFA is what the primitive actually buys.

Real environmental exposure. This is the layer where the same CVE scores differently for different customers. A NetScaler ADC or Gateway configured as a SAML IdP with an internet-facing VIP earns the top band (ACT). The same appliance behind a management network, without the SAML IdP role loaded, drops several bands because the vulnerable code path is unreachable, and a patched appliance drops out entirely. That last point is the difference between the queue you can sleep on and the queue that has you rotating everyone’s cookies at 2 a.m.

Patch first, then hunt and rotate

The mitigation ladder has three rungs and none of them are optional.

1. Patch to a fixed build per CTX696604. NetScaler ADC and Gateway on the 14.1 branch need 14.1-72.61 or later. The 13.1 branch needs 13.1-63.18 or later. FIPS and NDcPP variants have their own build lines (14.1-72.61 FIPS on 14.1-FIPS, and 13.1.37.272 on 13.1-FIPS and 13.1-NDcPP), per the vendor bulletin summarized by The Hacker News. If patching cannot happen inside the day, disable the SAML IdP role temporarily. Removing that role removes the attack surface entirely, because the vulnerable code path is only reachable when the appliance is acting as an IdP.

2. Hunt before you assume you were quiet. The tell is boring on the wire. Look through appliance access logs for POSTs to /saml/login where the request body is unusually small, contains the string samlp:AuthnRequest, and never closes the tag. Correlate those against outbound responses whose NSC_TASS cookie value is unusually long or contains non printable content. CrowdSec has published a detection signature, and watchTowr shipped an artefact generator that helps validate custom detections against a real exploitation attempt.

3. Invalidate every session and rotate every issued token. Any session live on the appliance during the exploitation window is presumed compromised, which means invalidating NSC_AAAC and NSC_TASS cookies, forcing reauthentication for every SAML federated application that trusted the appliance as an IdP, and rotating any long-lived credential material issued through the flow, at the acceptable cost of logging every user out in the process.

Cookie rotation is not optional. The attacker did not need to crack a password. They pulled a cookie out of appliance memory and replayed it against a valid session. Every cookie the appliance issued through the SAML IdP flow while it was vulnerable and exposed has to be treated as burned, whether or not you have proof that a specific one was replayed.

How CVEasy AI surfaces this

CVEasy AI, the number one local-first CTEM platform, ingests the vendor advisory, the CISA feed, and the detection signals from CrowdSec, Lupovis, and watchTowr on the day they publish, then runs each finding through TRIS against the appliance inventory you already loaded on your own hardware. If any NetScaler ADC or Gateway in that inventory has the SAML IdP role loaded and a VIP reachable from the internet, TRIS returns the ACT band and the ticket that opens on your morning queue is the concrete one: patch this VIP to 14.1-72.61 or 13.1-63.18, rotate these cookies, hunt these /saml/login paths. Nothing about that ticket leaves your machine, because the inventory and the analysis stay on the hardware you own, and a bug that decides itself on real exposure is exactly the kind that rewards it.

Sources: watchTowr Labs, CrowdSec, Citrix CTX696604, The Hacker News, CyberScoop, SecurityWeek