CitrixBleed vulnerability exploited by a ransomware gang

At the end of October, AssetNote released a proof-of-concept for the CVE-2023–4966 associated with sensitive information disclosure for Citrix Netscaler ADC devices and was given a severity rating of 9.4 (Critical).

After the release of PoC, there seems to be a mass exploitation of this vulnerability by threat actors. However, the technical details of this vulnerability were already obtained by threat actors and are currently being exploited in the wild.

CVE-2023-4966: Sensitive Data Exposure in Citrix Netscaler ADC 

Threat actors can exploit this vulnerability to gain memory access to the affected devices. This memory also holds the session tokens, which allow the login bypass and all multi-factor authentications.

Moreover, once threat actors gain complete authentication over the device, they can perform various malicious actions.

Additional reports indicate that this vulnerability is being exploited by random people who are just owning anything to extract the session tokens. This report was extracted from GreyNoise Honeypots.

This security flaw is currently being exploited at a large scale, as per Kevin Beaumont’s observation. Previously, it was only utilized for targeted exploitation to gain access to a network and had not spread widely.

It is recommended for organizations to upgrade to the latest versions of Citrix Netscaler ADC to prevent this vulnerability from getting exploited.

Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Try a free trial to ensure 100% security.