
Citrix Patches Six NetScaler Flaws, Including a CitrixBleed Sequel and a New ‘HTTP/2 Bomb’

Source: The Hacker News / NCSC UK

Citrix has published security bulletin CTX696604, patching six vulnerabilities in NetScaler ADC and NetScaler Gateway. Two of them stand out. CVE-2026-8451 is an out-of-bounds memory read that security researchers are already describing as a sequel to CitrixBleed, the 2023 flaw that ransomware crews exploited for months against thousands of internet-facing appliances. CVE-2026-13474, nicknamed the “HTTP/2 Bomb,” lets an attacker knock an appliance offline with nothing more than a specially crafted HTTP/2 request.

The CitrixBleed echo

CVE-2026-8451, rated 8.8 on CVSS, lives inside NetScaler’s XML parser. When an appliance is configured as a SAML identity provider, the parser reads past the intended bounds of an XML attribute value in a login request, and the appliance can be tricked into returning restricted memory in its HTTP response. That is precisely the shape of the original CitrixBleed vulnerability, which leaked session tokens that attackers replayed to bypass authentication, multi-factor authentication included, and which fuelled a wave of ransomware intrusions across European retailers, universities, and government agencies before most organisations had even applied the patch. The precondition matters for triage: only appliances acting as a SAML IdP expose this code path, so those are the ones to patch first, but the rest of the estate still needs the bulletin for the other five flaws.

A second high-severity flaw, CVE-2026-8452, also scoring 8.8, is a memory overflow affecting Gateway and AAA virtual server configurations that leads to unpredictable behaviour and denial of service.

A denial-of-service bug that needs a second step

CVE-2026-13474, scoring 8.7, triggers a denial-of-service condition through crafted HTTP/2 requests when HTTP/2 is enabled on an HTTP profile. Unlike the other five flaws in this bulletin, patching alone does not fully close it. Administrators also need to manually configure the new Http2SmallWndTimeout parameter, which governs how long the appliance waits on stalled HTTP/2 small-window streams before giving up. Teams that patch and move on without touching that setting will still be exposed.

Three further vulnerabilities, CVE-2026-8655, CVE-2026-10816, and CVE-2026-10817, round out the bulletin. Fixed versions are NetScaler ADC and Gateway 14.1-72.61 and later, and 13.1-63.18 and later, including FIPS and NDcPP builds.
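Deciding which appliances are still exposed is a version comparison, and NetScaler build numbers are easy to compare wrongly as strings (build 72.9 sorts after 72.61 lexically but is older). The following is an added example, not code from Citrix or from the article: it parses the banner printed by `show ns version` (the banner format is assumed from typical output), checks it against the fixed builds reported above, and orders the remaining work with SAML IdPs first. The inventory lines are constructed for illustration; branches not listed in the bulletin are reported as unknown rather than guessed at.

```python
"""Triage a NetScaler inventory against the CTX696604 fixed builds.

Added example, not Citrix's or the article's code. Fixed builds are the ones
the bulletin lists (14.1-72.61, 13.1-63.18); the banner format and the sample
inventory below are assumptions/constructed data, not taken from real devices.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Minimum fixed build per release branch, as listed in CTX696604.
FIXED_BUILDS = {
    (14, 1): (72, 61),
    (13, 1): (63, 18),
}

# Assumed banner shape, e.g. "NetScaler NS14.1: Build 72.61.nc, Date: ..."
_VERSION_RE = re.compile(r"NS(\d+)\.(\d+):\s*Build\s+(\d+)\.(\d+)")


@dataclass
class Appliance:
    name: str
    version_banner: str
    saml_idp: bool  # True if the appliance is configured as a SAML identity provider


def parse_version(banner: str) -> tuple[tuple[int, int], tuple[int, int]]:
    """Return ((major, minor), (build, sub)) as integers so comparison is numeric."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognised version banner: {banner!r}")
    major, minor, build, sub = (int(g) for g in m.groups())
    return (major, minor), (build, sub)


def status(banner: str) -> str:
    """'patched', 'vulnerable', or 'unknown-branch' for branches the bulletin omits."""
    branch, build = parse_version(banner)
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        return "unknown-branch"  # no fixed build listed in this bulletin; check vendor EOL status
    return "patched" if build >= fixed else "vulnerable"


def triage(appliances: list[Appliance]) -> list[Appliance]:
    """Appliances still needing attention, SAML IdPs first, then by name."""
    exposed = [a for a in appliances if status(a.version_banner) != "patched"]
    return sorted(exposed, key=lambda a: (not a.saml_idp, a.name))


# Constructed inventory; names, banners and roles are illustrative only.
INVENTORY = [
    Appliance("gw-lon-01", "NetScaler NS14.1: Build 72.61.nc, Date: Jan 1 2026", False),
    Appliance("gw-par-01", "NetScaler NS14.1: Build 72.9.nc, Date: Nov 1 2025", False),
    Appliance("adc-ams-01", "NetScaler NS13.1: Build 63.18.nc, Date: Jan 1 2026", False),
    Appliance("idp-fra-01", "NetScaler NS13.1: Build 59.19.nc, Date: Jun 1 2025", True),
    Appliance("adc-old-01", "NetScaler NS13.0: Build 92.21.nc, Date: Mar 1 2024", False),
]

if __name__ == "__main__":
    for a in triage(INVENTORY):
        role = "SAML IdP" if a.saml_idp else "non-IdP"
        print(f"{a.name:12} {status(a.version_banner):15} {role}")
```

The numeric tuple comparison is the point: `gw-par-01` on build 72.9 is older than 72.61 and is correctly reported as vulnerable, which a string comparison would miss. The `unknown-branch` result is deliberately not treated as safe.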

Why this matters beyond the CVSS score

Citrix says it has no reports of active exploitation at the time of writing. That is worth almost nothing as a planning assumption. The original CitrixBleed went from disclosure to mass ransomware exploitation in a matter of weeks, and the memory-disclosure flaws that followed it have been treated by attackers as fast-moving opportunities rather than theoretical risks. The UK’s National Cyber Security Centre and NHS England Digital have both issued alerts on this bulletin, a strong signal of how seriously critical infrastructure and healthcare operators in Europe are expected to treat it.

This is also the second critical vulnerability reachable at or before authentication to be disclosed in a major load balancing or application delivery product in the space of three days, following CVE-2026-8037 in Progress Kemp LoadMaster. Two unrelated vendors, two separate root causes, one shared lesson: the appliances sitting in front of your applications, terminating TLS and authenticating every user, are among the most attractive targets in an enterprise network, and they are consistently the slowest to get patched because taking one offline touches everything behind it.

What we recommend

  • Apply CTX696604 to every NetScaler ADC and Gateway instance in your estate without delay, prioritising anything configured as a SAML IdP
  • Manually configure the Http2SmallWndTimeout parameter after patching, since the update alone does not fully remediate CVE-2026-13474
  • Review authentication and session logs for anomalies predating the patch, in particular a session token used from more than one source address without a fresh login, given the CitrixBleed precedent of token theft and exploitation before public disclosure
  • Treat NetScaler, VPN gateways, and other perimeter appliances as first-class assets with accelerated patch SLAs, not as infrastructure that is patched on the next maintenance window
  • Build a standing inventory of every load balancer, WAF, and ADC vendor across your organisation so the next disclosure does not start with “do we even run this”
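The log review in the list above has a concrete shape when the concern is CitrixBleed-style token theft: a stolen session token shows up as one session ID being used from a second source address that never authenticated that session. The following is an added example, not from the article or from Citrix, and the log format is constructed for illustration rather than NetScaler's own ns.log syntax; the logic (who authenticated a session, and from where, versus who is using it) carries over to whatever your collector emits.

```python
"""Flag session tokens used from a source address that never authenticated them.

Added example, not the article's or Citrix's code. The key=value line format
and the sample events are constructed for this illustration; map the fields
onto your own NetScaler or SIEM export before using the logic.
"""
from __future__ import annotations

from collections import defaultdict

# Constructed sample log. 'alice' logs in from one address; her session ID is then
# used from a second address with no login there (the token-theft pattern).
# 'carol' moves address but re-authenticates from it, which should not be flagged.
SAMPLE_LOG = """\
2026-03-02T09:14:02Z sid=s1 src=203.0.113.5 user=alice event=login
2026-03-02T09:15:10Z sid=s1 src=203.0.113.5 user=alice event=request
2026-03-02T09:20:44Z sid=s1 src=198.51.100.77 user=alice event=request
2026-03-02T09:21:00Z sid=s2 src=192.0.2.9 user=bob event=login
2026-03-02T09:25:00Z sid=s2 src=192.0.2.9 user=bob event=request
2026-03-02T10:02:00Z sid=s3 src=192.0.2.20 user=carol event=login
2026-03-02T10:30:00Z sid=s3 src=192.0.2.21 user=carol event=login
2026-03-02T10:31:00Z sid=s3 src=192.0.2.21 user=carol event=request
"""


def parse_line(line: str) -> dict[str, str]:
    """Parse 'TIMESTAMP key=value ...' into a dict; timestamp is stored under 'ts'."""
    ts, *pairs = line.split()
    rec = {"ts": ts}
    for pair in pairs:
        key, _, value = pair.partition("=")
        rec[key] = value
    return rec


def find_hijacked_sessions(log_text: str) -> list[dict[str, str]]:
    """Return one finding per (session, source) where the source never logged in.

    Two passes, so the order of events in the export does not matter: first learn
    which addresses authenticated each session, then check every non-login event.
    The user field is ignored on purpose: a replayed token carries the victim's
    identity, so a matching username is exactly what a hijack looks like.
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    authenticated: dict[str, set[str]] = defaultdict(set)
    for rec in events:
        if rec.get("event") == "login":
            authenticated[rec["sid"]].add(rec["src"])

    findings: list[dict[str, str]] = []
    reported: set[tuple[str, str]] = set()
    for rec in events:
        if rec.get("event") == "login":
            continue
        key = (rec["sid"], rec["src"])
        if rec["src"] not in authenticated[rec["sid"]] and key not in reported:
            reported.add(key)
            findings.append({
                "ts": rec["ts"],
                "sid": rec["sid"],
                "user": rec.get("user", "?"),
                "src": rec["src"],
                "authenticated_from": ",".join(sorted(authenticated[rec["sid"]])) or "none",
            })
    return findings


if __name__ == "__main__":
    for f in find_hijacked_sessions(SAMPLE_LOG):
        print(f"{f['ts']} session {f['sid']} ({f['user']}) used from {f['src']}, "
              f"authenticated only from {f['authenticated_from']}")
```

Only `s1` is reported: it was authenticated from 203.0.113.5 and then used from 198.51.100.77 with no login there. A session that is never seen authenticating at all (`authenticated_from` of `none`) is reported too, which is the case to expect when the theft predates your log retention window.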

If your organisation needs help assessing exposure to CVE-2026-8451 and the rest of the CTX696604 bulletin, hardening perimeter infrastructure against the next CitrixBleed-style flaw, or building a patch management process that treats edge appliances with appropriate urgency, contact Excello Digital. We help European teams keep the infrastructure everything else depends on out of the headlines.

These news items are automatically aggregated from industry sources and are not individually reviewed. Any inaccuracies are unintentional — let us know and we'll correct or remove it.
