basicsecurity.net
Proof, not just disclosure.
CVE-2023-4966 · EUVD: no mirror located [11] · GCVE: no mirror located [12] · Verified 2026-06-06

Citrix NetScaler session-token disclosure “Citrix Bleed”

An unauthenticated attacker reads valid session tokens straight out of NetScaler ADC/Gateway memory — then logs in as your users, MFA and all.

Verdict

Today item, not a backlog item.

Known-exploited, weaponized with public proof-of-concept, and used by named ransomware crews against internet-facing edge appliances. If you run an exposed, unpatched NetScaler, assume-breach is the correct posture — not a patch window.

CISA KEV: Yes · 2023-10-18 [3]
Ransomware use: Confirmed [4]
EPSS: Very high (verify live) [8]
Exploit: Weaponized · public PoC [7]
Named actors: LockBit 3.0 + [4]
CVSS: 9.4 (vendor) [5]
01 Is it exploitable? — the evidence, ranked above the score
Exploit available: Yes — fully weaponized. Public technical analysis and proof-of-concept demonstrate token extraction with a single crafted request. We link the existence of the exploit; we do not host or redistribute payloads. Source: Assetnote ↗ (Confirmed)
Exploited in the wild: Listed in the CISA Known Exploited Vulnerabilities catalog on 2023-10-18, flagged for known ransomware use. Mandiant observed exploitation as early as late August 2023.
Probability (EPSS): Top-percentile likelihood of exploitation activity. EPSS is a daily-changing model output — we cite the source rather than freeze a number. Open the source for today's value.
Internet exposure: Tens of thousands of NetScaler ADC/Gateway instances are internet-facing; thousands remained unpatched well after disclosure. Live host counts vary by day and scanner — treat as directional and verify against the exposure source.
Affected / fixed: NetScaler ADC & Gateway 14.1 < 14.1-8.50, 13.1 < 13.1-49.15, 13.0 < 13.0-92.19 (plus FIPS/NDcPP builds). 12.1 is end-of-life and remains vulnerable. Exact fixed builds are in the vendor bulletin.
02 Who’s exploiting it? — attribution turns risk into urgency

LockBit 3.0 affiliates (Ransomware)

CISA, FBI, and MS-ISAC jointly attribute active exploitation of Citrix Bleed to LockBit 3.0 affiliates, who use the stolen sessions to land, escalate, and deploy ransomware — naming it in a dedicated #StopRansomware advisory. [4]

Additional ransomware & criminal groups (Multiple)

Incident responders attribute Citrix Bleed exploitation beyond LockBit, including other ransomware and extortion crews, across finance, logistics, legal, and manufacturing victims. Treat this as a broadly-held capability, not a single-actor tool. [6]

03 Why it matters — the attack path, told twice: adversary, then board

Narrative 1: Front door — unauthenticated access

Attacker: No credentials, no phishing. I send crafted requests to an internet-facing NetScaler and read live session tokens out of memory.
Business: This is where the incident starts — at your own remote-access appliance. Assume-breach planning begins at this exact exposure.
Narrative 2: Keys to the kingdom — identity takeover

Attacker: I replay a hijacked session to authenticate as a real user — bypassing MFA entirely, because the session already cleared it — and pivot toward admin and domain control.
Business: Your MFA didn't fail; it was skipped. One exposed appliance becomes trusted access into the environment behind it.
Narrative 4: Data at risk — exfiltration

Attacker: With valid sessions and lateral reach, I locate and exfiltrate the data that defines your liability before anyone notices the foothold.
Business: Breach notification, regulatory exposure, and loss of customer or proprietary data — the part that outlives the incident.
Narrative 5: Lights out — disruption & extortion

Attacker: I deploy ransomware across what I now control and hold operations for ransom — the exact LockBit 3.0 playbook for this exploit.
Business: Downtime, ransom demand, and reputational damage. Because a named crew already runs this path against peer organizations, this is a forecast — not a hypothetical.
04 What to do — defensible action

  • Patch to the fixed build for your branch (14.1-8.50 / 13.1-49.15 / 13.0-92.19 or later); retire end-of-life 12.1. Per the vendor bulletin. [5]
  • Patching is not enough — kill active sessions. Stolen tokens stay valid after the patch. Terminate all active and persistent ICA/PCoIP sessions (kill icaconnection -all, kill pcoipConnection -all) as Mandiant and CISA direct. [6]
  • Hunt for prior compromise on any appliance that was exposed and unpatched between disclosure and remediation — assume token theft already happened. [4]

Say it to the board: A named ransomware group is using this exact flaw to walk past MFA on internet-facing appliances like ours and deploy ransomware. This is the cost of an emergency change now versus an incident later — fund the change.
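The first action item above comes down to comparing an appliance's reported build against the fixed build for its branch. The check below is an added example written for this page, not a vendor tool: it encodes the three fixed builds listed here, treats 12.1 as end-of-life, and assumes the banner format "NetScaler NS13.1: Build 49.13.nc" (the shape of show ns version output, an assumption); the sample banners are constructed. FIPS/NDcPP builds have their own fixed builds in the vendor bulletin and are not encoded.

```python
import re
from typing import Optional, Tuple

# Minimum fixed (major, minor) build per branch, as listed on this page
# for CVE-2023-4966. Anything below these on the same branch is unpatched.
FIXED_BUILDS = {
    "14.1": (8, 50),
    "13.1": (49, 15),
    "13.0": (92, 19),
}
# 12.1 (non-FIPS) is end-of-life per the page: no fixed build, stays vulnerable.
EOL_BRANCHES = {"12.1"}

# Assumed banner shape: "NetScaler NS13.1: Build 49.13.nc, Date: ..."
_VERSION_RE = re.compile(
    r"NS(?P<branch>\d+\.\d+):\s*Build\s+(?P<major>\d+)\.(?P<minor>\d+)"
)


def parse_version(banner: str) -> Optional[Tuple[str, int, int]]:
    """Return (branch, major, minor) from a version banner, or None if unparseable."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return m.group("branch"), int(m.group("major")), int(m.group("minor"))


def assess(banner: str) -> str:
    """Classify a banner as 'patched', 'vulnerable', 'vulnerable-eol' or 'unknown'.

    'unknown' covers unparseable banners and branches this table does not
    cover (e.g. FIPS/NDcPP builds), which must be checked against the bulletin.
    """
    parsed = parse_version(banner)
    if parsed is None:
        return "unknown"
    branch, major, minor = parsed
    if branch in EOL_BRANCHES:
        return "vulnerable-eol"
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        return "unknown"
    # Tuple comparison handles a later major build (e.g. 13.1 Build 50.x) correctly.
    return "patched" if (major, minor) >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed sample banners, one per outcome.
    for sample in ("NetScaler NS13.1: Build 49.13.nc, Date: Aug 22 2023",
                   "NetScaler NS13.1: Build 49.15.nc, Date: Oct 09 2023",
                   "NetScaler NS12.1: Build 65.39.nc, Date: Jun 01 2023"):
        print(assess(sample), "<-", sample)
```

Run it against the banner of every appliance in the fleet; anything other than "patched" goes on the session-kill and compromise-hunt list, since a valid version alone says nothing about tokens already stolen.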
05 Coverage & confidence — what we know, and what we don’t

Established (cited)

  • KEV listing + ransomware flag (CISA)
  • LockBit 3.0 attribution (CISA/FBI/MS-ISAC)
  • Weaponized public PoC (Assetnote)
  • Mechanism + fixed builds (Citrix, Mandiant)

Coverage gaps — stated, not hidden

  • No EUVD / GCVE mirror located (pre-EUVD disclosure) — single-authority dependency for the identifier.
  • EPSS & live exposure counts are time-varying; we link the source rather than freeze a stale number.
  • Full victim list is incomplete by nature — absence of a name is not absence of compromise.

Disclosure & credit [2]

  • Catalogued by: Citrix (CNA)
  • Credited with finding it: No finder named in the public CVE record — the work behind this find is unattributed.