Citrix, Gov Agencies Issue Fresh Warnings on CitrixBleed Vulnerability

Administrators are urged to patch the recent CitrixBleed NetScaler vulnerability as LockBit starts exploiting it.

Australian and US governmental agencies and Citrix this week issued fresh warnings on the exploitation of a critical NetScaler product vulnerability.

Tracked as CVE-2023-4966 (CVSS score of 9.4) and referred to as CitrixBleed, the unauthenticated bug leads to information disclosure. It impacts NetScaler ADC and Gateway appliances that are configured as a gateway or an AAA server.

Patched in October, the flaw had been exploited as a zero-day since August, and mass exploitation started roughly three weeks ago, around the same time that a proof-of-concept (PoC) exploit and a technical writeup were published.

In late October, the tech giant warned that threat actors were exploiting the issue to perform session hijacking, completely bypassing authentication, including MFA protections.

On Monday, Citrix urged administrators to apply the available patches as soon as possible, citing “a sharp increase in attempts to exploit this vulnerability in unpatched NetScaler ADCs” and reports that the LockBit ransomware gang has started exploiting it.

An alert on LockBit targeting CitrixBleed also came from the US cybersecurity agency CISA, the FBI, the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Australian Cyber Security Center (ACSC), on Tuesday.

“Historically, LockBit affiliates have conducted attacks against organizations of varying sizes across multiple critical infrastructure sectors—including education, energy, financial services, food and agriculture, government and emergency services, healthcare, manufacturing, and transportation,” the governmental agencies warn.

LockBit, the four agencies say, exploited CitrixBleed to gain initial access to Boeing Distribution Inc., the parts and distribution subsidiary of aeronautical giant Boeing.

Armed with valid cookies obtained by exploiting CVE-2023-4966, the LockBit affiliates then established an authenticated session with the appliance, which allowed them to execute a PowerShell script for malware deployment.

“Through the takeover of legitimate user sessions, malicious actors acquire elevated permissions to harvest credentials, move laterally, and access data and resources,” the agencies note.

In their alert, CISA, FBI, MS-ISAC, and ACSC provide a list of indicators of compromise (IoCs) associated with the LockBit attack on Boeing, recommending hunting for evidence of compromise and urging immediate patching.

Administrators are advised to update to NetScaler ADC and Gateway versions 14.1-8.50, 13.1-49.15, 13.0-92.19, and NetScaler ADC 13.1-FIPS 13.1-37.164, 12.1-FIPS 12.1-55.300, and 12.1-NDcPP 12.1-55.300, which address the vulnerability.

After the upgrade, they should remove any active or persistent sessions to ensure the flaw is fully mitigated; Citrix has provided detailed information on how this can be done. Because the session cookies persist in memory, threat actors can retrieve them even after the update.
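The following is an added example, not code from Citrix or the agencies' alert: a small inventory check that compares appliance versions against the fixed builds listed above and returns the follow-up action for each host. It assumes that a build at or above the listed one in the same branch is fixed; the edition labels, hostnames and sample builds are constructed for illustration.

```python
# Added example: fixed builds transcribed from the article's list.
# Edition labels ("standard", "fips", "ndcpp") are hypothetical names.
FIXED_BUILDS = {
    ("14.1", "standard"): (8, 50),
    ("13.1", "standard"): (49, 15),
    ("13.0", "standard"): (92, 19),
    ("13.1", "fips"): (37, 164),
    ("12.1", "fips"): (55, 300),
    ("12.1", "ndcpp"): (55, 300),
}

def parse_version(version):
    """Split 'RELEASE-BUILD' (e.g. '13.1-49.15') into ('13.1', (49, 15))."""
    release, sep, build = version.strip().partition("-")
    parts = build.split(".")
    if not sep or len(parts) != 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    return release, (int(parts[0]), int(parts[1]))

def assess(version, edition="standard"):
    """Return 'fixed', 'vulnerable', or 'unlisted' for one appliance."""
    release, build = parse_version(version)
    fixed = FIXED_BUILDS.get((release, edition.lower()))
    if fixed is None:
        return "unlisted"  # branch not in the article's list: check manually
    # Compare numerically: as strings, '92.9' would sort above '92.19'.
    return "fixed" if build >= fixed else "vulnerable"

def triage(inventory):
    """Map each host to the follow-up action the article describes."""
    actions = {
        "vulnerable": "upgrade, then remove active and persistent sessions",
        "fixed": "confirm sessions were removed after the upgrade",
        "unlisted": "branch not listed; verify against vendor guidance",
    }
    return {host: actions[assess(ver, ed)] for host, ver, ed in inventory}

# Constructed inventory (hostnames and builds are made up for the example).
SAMPLE_INVENTORY = [
    ("gw-edge-01", "13.1-48.47", "standard"),
    ("gw-edge-02", "13.0-92.9", "standard"),
    ("gw-fips-01", "13.1-37.164", "fips"),
    ("gw-old-01", "12.1-65.25", "standard"),
]

if __name__ == "__main__":
    for host, action in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {action}")
```

A host reported as fixed still needs its sessions removed, since the article notes that cookies obtained before the update remain usable.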

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

