CVE-2023-4966, aka “Citrix Bleed”, a critical information disclosure vulnerability affecting Citrix NetScaler ADC/Gateway devices, is being massively exploited by threat actors.
Threat actors have been quick to leverage vulnerabilities in Citrix NetScaler ADC in the past, and this vulnerability is obviously no exception.
CVE-2023-4966 is a remotely and easily exploitable vulnerability that allows attackers to grab valid session tokens from internet-facing vulnerable Netscaler devices’ memory.
A week later, Mandiant researchers revealed that the vulnerability has been exploited as a zero-day by attackers since late August 2023, to attack professional services, technology, and government organizations.
Mandiant pointed out that updating vulnerable devices is not enough to boot the attackers from them – they advised admins to terminate all active sessions and check whether the attackers left behind web shells or backdoors.
“Due to the lack of available log records or other artifacts of exploitation activity, as a precaution, organizations should consider rotating credentials for identities that were provisioned for accessing resources via a vulnerable NetScaler ADC or Gateway appliance,” Mandiant researchers noted.