What We Do
How We Do
Get Started
Security advisories

Widespread Exploitation of Citrix Vulnerability (CVE-2023-4966)

November 1, 2023 | 2 MINS READ

Speak With A Security Expert Now



eSentire is aware of reports that the critical Citrix vulnerability, CVE-2023-4966, is now under active widespread exploitation. As of October 30th, at least two separate ransomware groups have been identified exploiting the vulnerability in real-world attacks. Since widespread exploitation has been confirmed, it is critical that organizations, using the impacted NetScaler ADC and NetScaler Gateway products, apply security patches and remediation steps immediately.

CVE-2023-4966 (CVSS: 9.4) is an unauthenticated sensitive information disclosure vulnerability. Successful exploitation allows attackers to hijack authenticated sessions, bypass Multi-Factor Authentication (MFA) and enable a variety of malicious actions, such as code execution or data exfiltration. The vulnerability was initially disclosed on October 10th, and limited targeted attacks were traced back to August 2023. As technical details and exploitation information is now public, the eSentire Threat Intelligence team assesses that it is likely that widespread opportunistic exploitation will increase until the majority of users have applied the relevant security patches.

What we’re doing about it

What you should do about it

Additional information

CVE-2023-4966 was initially discovered by Citrix researchers, who disclosed the vulnerability along with security patches, on October 10th. Shortly after public disclosure, Mandiant reported attacks ranging back to August of 2023; this activity was highly targeted, and victims included organizations in the professional services, technology, and government industries. Threat actors were identified exploiting the vulnerability to hijack authenticated sessions, allowing for Multi-Factor Authentication (MFA) bypass.

Proof-of-Concept (PoC) exploit code and technical details relating to CVE-2023-4966 are publicly available; these details make exploitation trivial for even low-skilled actors. Additionally, security researchers have observed a Python script that automates the attack chain, simplifying widespread abuse. Due to the widespread use of Citrix products and the ease of exploitation, continued exploitation and adoption by additional threat actor groups is expected.

Citrix has confirmed the following versions of NetScaler ADC and NetScaler Gateway are vulnerable and need to be addressed:

It should be noted that NetScaler ADC and NetScaler Gateway version 12.1 is vulnerable but has reached End-of-Life and will no longer receive security updates. Organizations using version 12.1, need to update to a supported version as soon as possible.


[1] https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967
[2] https://doublepulsar.com/mass-exploitation-of-citrixbleed-vulnerability-including-a-ransomware-group-1405cbb9de18
[3] https://www.netscaler.com/blog/news/cve-2023-4966-critical-security-update-now-available-for-netscaler-adc-and-netscaler-gateway/
[4] https://www.mandiant.com/resources/blog/remediation-netscaler-adc-gateway-cve-2023-4966

View Most Recent Advisories