Note: CISA will continue to update this webpage as we have further guidance to impart.
CISA and our partners are responding to active, targeted exploitation of a vulnerability, CVE-2023-4966, affecting Citrix NetScaler ADC and NetScaler Gateway. The vulnerability is also known as Citrix Bleed. The affected products contain a buffer overflow vulnerability that allows for sensitive information disclosure when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server. Customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication are not impacted.
Exploitation of this vulnerability could allow for the disclosure of sensitive information, including session authentication token information that may allow a threat actor to “hijack” a user’s session.
On Oct. 10, 2023, Citrix released security updates to address CVE-2023-4966 in NetScaler ADC and NetScaler Gateway.
On Oct. 17, Citrix updated its Alert to include “exploits of CVE-2023-4966 on unmitigated appliances have been observed.”
On Oct. 18, CISA added an entry for CVE-2023-4966 to its Known Exploited Vulnerabilities (KEV) catalog, which contains detection and mitigation guidance for observed exploitations of CVE-2023-4966.
On Oct. 23, Citrix released a blog, providing recommended next steps and a link to Mandiant’s Oct. 17 guidance for remediating and reducing risks related to CVE-2023-4966: Remediation for Citrix NetScaler ADC and Gateway Vulnerability (CVE-2023-4966).
CISA urges organizations to update unmitigated appliances to the updated versions listed below, hunt for any malicious activity, and report any positive findings to CISA.
- NetScaler ADC and NetScaler Gateway 14.1-8.50 and later releases
- NetScaler ADC and NetScaler Gateway 13.1-49.15 and later releases of 13.1
- NetScaler ADC and NetScaler Gateway 13.0-92.19 and later releases of 13.0
- NetScaler ADC 13.1-FIPS 13.1-37.164 and later releases of 13.1-FIPS
- NetScaler ADC 12.1-FIPS 12.1-55.300 and later releases of 12.1-FIPS
- NetScaler ADC 12.1-NDcPP 12.1-55.300 and later releases of 12.1-NDcPP
- Note: NetScaler ADC and NetScaler Gateway version 12.1 is now End-of-Life (EOL). Customers are recommended to upgrade their appliances to one of the supported versions that address the vulnerabilities.
This information is provided “as-is” for informational purposes only. CISA does not endorse any company, product, or service referenced below.
- Citrix Blog: CVE-2023-4966: Critical security update now available for NetScaler ADC and NetScaler Gateway
- Citrix Advisory: NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2023-4966
- Citrix NetScaler secure deployment guide: Best practices for NetScaler MPX, VPX, and SDX security.
- CISA: BOD 23-02: Mitigating the Risk from Internet-Exposed Management Interfaces
- Assetnote: Citrix Bleed: Leaking Session Tokens with CVE-2023-4966
- Palo Alto Networks: Threat Brief: Citrix Bleed CVE-2023-4966