Company

ABOUT ESENTIRE

eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.

About Us →

Leadership →

Careers →

Event Calendar →

Newsroom →

Aston Villa Football Club →

EVENT CALENDAR

Apr

RSAC™ 2025 Conference

May

Computing Cybersecurity Festival

May

SIM Houston Women's Roundtable

May

CISO Strategy Virtual Meetings Seattle

May

May TRU Intelligence Briefing

View Calendar →

LATEST PRESS RELEASE

Mar 06, 2025

eSentire Unleashes AI-Driven Atlas Nexus Network, Empowering Cybersecurity Partners to Build Differentiated Security Services at Scale

View Newsroom →

OUR PARTNERSHIPS

Aston Villa Football Club

AVFC takes its cyber protection to the Next Level with eSentire as its official cybersecurity partner.

Learn More

Speak With A Security Expert Now

TALK TO AN EXPERT

THE THREAT

eSentire is aware of reports that the critical Citrix vulnerability, CVE-2023-4966, is now under active widespread exploitation. As of October 30th, at least two separate ransomware groups have been identified exploiting the vulnerability in real-world attacks. Since widespread exploitation has been confirmed, it is critical that organizations, using the impacted NetScaler ADC and NetScaler Gateway products, apply security patches and remediation steps immediately.

CVE-2023-4966 (CVSS: 9.4) is an unauthenticated sensitive information disclosure vulnerability. Successful exploitation allows attackers to hijack authenticated sessions, bypass Multi-Factor Authentication (MFA) and enable a variety of malicious actions, such as code execution or data exfiltration. The vulnerability was initially disclosed on October 10th, and limited targeted attacks were traced back to August 2023. As technical details and exploitation information is now public, the eSentire Threat Intelligence team assesses that it is likely that widespread opportunistic exploitation will increase until the majority of users have applied the relevant security patches.

What we’re doing about it

The eSentire Threat Intelligence team has tracked this vulnerability since its release, and will continue to monitor the vulnerability for additional details and detection opportunities
eSentire MDR for Network has rules in place to identify exploitation attempts
eSentire Managed Vulnerability Service (MVS) has plugins in place to identify this vulnerability
eSentire MDR for Log has detections in place to identify unusual login activity
IP addresses, associated with real-world attacks, have been blocked via the eSentire Global Block list

What you should do about it

After performing a business impact review, apply the relevant security patches
- Alternative mitigations are not available
Citrix recommends disabling all active and persistent sessions, to prevent token re-use, using the following commands:
- kill icaconnection -all
- kill rdp connection -all
- kill pcoipConnection -all
- kill aaa session -all
- clear lb persistentSessions
Review potentially impacted systems for unusual activity or other signs of compromise, such as webshell or backdoor deployment
Consider rotating user credentials
It is recommended that eSentire MDR for Log customers make sure they are ingesting Citrix NetScaler logs

Additional information

CVE-2023-4966 was initially discovered by Citrix researchers, who disclosed the vulnerability along with security patches, on October 10th. Shortly after public disclosure, Mandiant reported attacks ranging back to August of 2023; this activity was highly targeted, and victims included organizations in the professional services, technology, and government industries. Threat actors were identified exploiting the vulnerability to hijack authenticated sessions, allowing for Multi-Factor Authentication (MFA) bypass.

Proof-of-Concept (PoC) exploit code and technical details relating to CVE-2023-4966 are publicly available; these details make exploitation trivial for even low-skilled actors. Additionally, security researchers have observed a Python script that automates the attack chain, simplifying widespread abuse. Due to the widespread use of Citrix products and the ease of exploitation, continued exploitation and adoption by additional threat actor groups is expected.

Citrix has confirmed the following versions of NetScaler ADC and NetScaler Gateway are vulnerable and need to be addressed:

NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50
NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15
NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19
NetScaler ADC 13.1-FIPS before 13.1-37.164
NetScaler ADC 12.1-FIPS before 12.1-55.300
NetScaler ADC 12.1-NDcPP before 12.1-55.300

It should be noted that NetScaler ADC and NetScaler Gateway version 12.1 is vulnerable but has reached End-of-Life and will no longer receive security updates. Organizations using version 12.1, need to update to a supported version as soon as possible.

References:

[1] https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967
[2] https://doublepulsar.com/mass-exploitation-of-citrixbleed-vulnerability-including-a-ransomware-group-1405cbb9de18
[3] https://www.netscaler.com/blog/news/cve-2023-4966-critical-security-update-now-available-for-netscaler-adc-and-netscaler-gateway/
[4] https://www.mandiant.com/resources/blog/remediation-netscaler-adc-gateway-cve-2023-4966

ESENTIRE SERVICES

Managed Detection and Response

All-In-One MDR Solution →

MDR for Microsoft →

MDR for GenAI →

Digital Forensics and Incident Response

Continuous Threat Exposure Management (CTEM)

PLATFORM, PEOPLE AND RESPONSE

Security Operations Center (SOC)

Extended Detection and Response (XDR)

Technology Integrations

Threat Response Unit (TRU)

Cyber Resilience Team

Response and Remediation

MDR Packages and 24/7 Protection

MDR Pricing and Packages

Atlas Essentials

Atlas Advanced

Atlas Complete

24/7 Coverage

Endpoint

Network

Log

Cloud

Identity

INDUSTRIES

Insurance

Construction

Finance

Legal

Manufacturing

Private Equity

Healthcare

Retail

Food Supply

Government and Education

Automotive Dealerships

USE CASES

Ransomware

Cybersecurity Compliance

Zero Day Attacks

Cloud Misconfiguration

Third-Party Risk

Do More With Less

Cyber Risk

Cyber Insurance

Sensitive Data Security

Security Leadership

Cyber Threat Intelligence

From The Blog

Unlocking New Possibilities for Network Monitoring and Security with…

Sock(et) Puppet: How RansomHub Affiliates Pull the Strings

Phish & Chips: Serving Up Tycoon 2FA’s Secrets

Resources

Case Studies

TRU Intelligence Center

Cybersecurity Tools

Videos

Reports

Webinars

Data Sheets

Real vs. Fake MDR

Compare MDR Vendors

Blogs

Security Advisories

SECURITY ADVISORIES

Maximum Severity SAP Vulnerability Exploited

CrushFTP Authentication Bypass