Citrix urges 'immediate' patch for critical NetScaler bug as exploit code made public

At this point, just assume your kit is compromised

Citrix has urged admins to "immediately" apply a fix for CVE-2023-4966, a critical information disclosure bug that affects NetScaler ADC and NetScaler Gateway, admitting it has been exploited.

Plus, there's a proof-of-concept exploit, dubbed Citrix Bleed, now on GitHub. So if you are using an affected build, at this point assume you've been compromised, apply the update, and then kill all active sessions per Citrix's advice from Monday.

The company's first issued a patch for compromised devices on October 10, and last week Mandiant warned that criminals — most likely cyberspies — have been abusing this hole to hijack authentication sessions and steal corporate info since at least late August. 

Six days after the Google-owned threat intel firm sounded the alarm, Citrix weighed in. 

"If you are using affected builds and have configured NetScaler ADC as a gateway (VPN virtual server, ICA proxy, CVPN, RDP proxy) or as an AAA virtual server, we strongly recommend that you immediately install the recommended builds," the vendor said in a Cloud Software Group blog post about CVE-2023-4966 published on Monday.

"We now have reports of incidents consistent with session hijacking, and have received credible reports of targeted attacks exploiting this vulnerability," Citrix added.

Oddly, Citrix didn't release any additional details about these targeted attacks, which Mandiant last week said were used to hit tech firms, government organizations, and professional services companies.

A Citrix spokesperson declined to comment on how many organizations have been compromised, and who or what the criminals are targeting in the attacks.

"The security bulletin and blog are the extent of our external statements at this time," the Citrix spokesperson told The Register.

Also last week, Mandiant Consulting CTO Charles Carmakal warned that "organizations need to do more than just apply the patch — they should also terminate all active sessions. These authenticated sessions will persist after the update to mitigate CVE-2023-4966 has been deployed." 

Citrix, in the Monday blog, also echoed this mitigation advice and told customers to kill all active and persistent sessions using the following commands:

kill icaconnection -all

kill rdp connection -all

kill pcoipConnection -all

kill aaa session -all

clear lb persistentSessions

The US Cybersecurity and Infrastructure Security Agency (CISA) last Wednesday added CVE-2023-4966 to its Known Exploited and Vulnerabilities Catalog, and classified the bug as "unknown" in the "used in ransomware campaigns" column. The addition means federal agencies, and those that do business with them, should have this one fixed sharpish.

While the attacks to date are more likely linked to snooping campaigns, "we anticipate other threat actors with financial motivations will exploit this over time," Carmakal said previously. But let's face it, they usually do. ®

More about


Send us news

Other stories you might like