
CVE-2026-8451 et al: Citrix NetScaler — DoS & Data Leak Risk (June 2026)
Six high-severity vulnerabilities (CVE-2026-8451, CVE-2026-8452, CVE-2026-8655, CVE-2026-10816, CVE-2026-49975, CVE-2026-13474) have been identified in Citrix NetScaler ADC and Gateway appliances. These include a novel HTTP/2 Bomb denial-of-service vector and a CitrixBleed-style information disclosure flaw. No public exploitation has been reported yet, but the attack surface is broad and the risk of full device compromise is significant.
Attack Vector
Attackers can exploit memory overflow and out-of-bounds read bugs in NetScaler’s HTTP/2 and other protocol handlers. The HTTP/2 Bomb attack leverages crafted HTTP/2 requests to consume server resources, leading to denial-of-service and potential outages. Information disclosure flaws allow attackers to extract sensitive memory contents, which may include credentials or session tokens. Some vulnerabilities require network access to the management or data interfaces; others may be exploited remotely if the affected services are exposed.
Who Is at Risk
All organizations running Citrix NetScaler ADC and Gateway products with unpatched firmware are at risk. Both on-premises and cloud deployments are affected. The vulnerabilities impact multiple configurations, especially those exposing HTTP/2 or running default settings. Enterprises relying on NetScaler for critical application delivery or VPN access are especially vulnerable.
Patch & Mitigate
- Patch: Apply the latest Citrix security updates for NetScaler ADC and Gateway immediately. Refer to Citrix’s official advisory for exact version numbers and hotfixes.
- Workaround: Where patching is delayed, restrict access to management interfaces and disable HTTP/2 if not required.
- Detect: Monitor logs for spikes in HTTP/2 traffic, anomalous resource consumption, and unexpected memory access errors. Look for failed authentication attempts or unusual session activity.
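The detection bullet above, as an added example that is not part of this advisory or of Citrix's tooling: a sliding-window counter that flags clients whose HTTP/2 request rate spikes, the kind of burst a resource-exhaustion attack against the HTTP/2 handler would produce. The log layout, the sample entries, the window size and the threshold are constructed assumptions for illustration, not NetScaler's own log format or recommended tuning.

```python
"""Flag per-client HTTP/2 request bursts in access logs (constructed format)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed log layout (NOT NetScaler's real syslog format):
#   <ISO timestamp> <client_ip> <protocol> <method> <path> <status>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<proto>HTTP/[12](?:\.\d)?) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for unparseable input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def find_http2_bursts(lines, window_s=10, threshold=50):
    """Return {client: peak_count} for clients whose HTTP/2 request count
    within any window_s-second sliding window reaches threshold.
    Lines must be in chronological order per client; HTTP/1.x is ignored."""
    recent = defaultdict(deque)  # client -> timestamps inside the window
    peaks = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["proto"].startswith("HTTP/2"):
            continue
        q = recent[rec["client"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()  # drop entries older than the window
        if len(q) >= threshold:
            peaks[rec["client"]] = max(peaks.get(rec["client"], 0), len(q))
    return peaks


# Constructed sample: one client fires 60 HTTP/2 requests in 6 seconds,
# another sends 5 spread over 30 seconds, plus an HTTP/1.1 line and junk.
SAMPLE_LOG = (
    [f"2026-06-01T10:00:{i // 10:02d}.{i % 10}00000 203.0.113.7 HTTP/2 GET /app/login 200"
     for i in range(60)]
    + [f"2026-06-01T10:00:{i * 6:02d}.000000 198.51.100.5 HTTP/2 GET /app/home 200"
       for i in range(5)]
    + ["2026-06-01T10:00:01.000000 192.0.2.9 HTTP/1.1 GET /app/login 302",
       "not a log line"]
)

if __name__ == "__main__":
    for client, peak in find_http2_bursts(SAMPLE_LOG).items():
        print(f"ALERT: {client} peaked at {peak} HTTP/2 requests within 10s")
```

Feed the function the appliance's exported access logs after adapting LINE_RE to their real layout, and tune window_s and threshold to the deployment's normal per-client rate so that legitimate multiplexed HTTP/2 clients are not flagged.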
MITRE ATT&CK
- TA0005 — Defense Evasion: Attackers may exploit memory bugs to bypass security controls and extract sensitive data.
- TA0009 — Collection: Information disclosure flaws enable adversaries to collect credentials or session data from device memory.

