watchTowr also credited after letting “our small pets walk across our keyboard, and watching what happens.”
Citrix has credited a member of JPMorganChase’s cybersecurity team for disclosing severe security vulnerabilities in its NetScaler network software.
That’s the first such attribution that The Stack has seen for a major bank and, it understands, the first public credit for a security disclosure that names America’s largest bank – which has quietly disclosed previous issues.
Citrix credited “Michael Tucker from the XOR team at JPMorgan Chase, Aliz Hammond of watchTowr, and Maxim Suhanov” after pushing patches on June 30 for six vulnerabilities in its NetScaler ADC and NetScaler Gateway.
Four of the vulnerabilities (three of which are rated CVSS 8.8) are memory issues, the kind of bug exploited in 2023’s endemic “CitrixBleed” attacks.
They have been allocated CVE-2026-8451, CVE-2026-8452, and CVE-2026-8655. The fourth is CVE-2026-10817. Preconditions for their exploitation and versions affected can be found in Citrix’s advisory.
(NetScaler appliances exposed to CitrixBleed were exploited at scale by threat groups abusing CVE-2023-4966, a bug that let attackers grab valid session tokens from the memory of internet-facing NetScaler devices. These could be used to hijack active sessions, bypassing multi-factor authentication.)