Citrix Bleed (CVE-2023-4966)
What is Citrix Bleed (CVE-2023-4966)?
A memory disclosure flaw in Citrix NetScaler ADC and Gateway that leaks session tokens, enabling attackers to hijack authenticated sessions without credentials or MFA.
Citrix Bleed, tracked as CVE-2023-4966, is an information-disclosure vulnerability in Citrix NetScaler ADC and NetScaler Gateway disclosed in October 2023. By sending a crafted HTTP request to the appliance, an unauthenticated attacker can read uninitialized memory and extract valid session tokens, including those issued after MFA. Replaying a stolen token gives the attacker the same access as the legitimate user, bypassing strong authentication. The flaw was mass-exploited by ransomware groups including LockBit, hitting Boeing, the Industrial and Commercial Bank of China and Toyota Financial Services. Fixing requires patching to 13.1-49.15 / 14.1-8.50 or later and invalidating all active sessions.
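As an added illustration (not code from the original page or from Citrix), the following Python inventory check classifies NetScaler build strings against the two fixed builds named above, 13.1-49.15 and 14.1-8.50, and flags which hosts still need patching and session invalidation. Release branches not named on this page are reported as "unknown" rather than guessed, and the hostnames and builds in the sample inventory are constructed.

```python
import re

# Minimum fixed builds named on this page. Other release branches (e.g. 13.0)
# are deliberately not listed; they are reported as "unknown", never guessed.
FIXED_BUILDS = {"13.1": "13.1-49.15", "14.1": "14.1-8.50"}

# NetScaler build strings look like "<major>.<minor>-<build>.<sub>", e.g. 13.1-48.47
_BUILD_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")


def parse_build(build):
    """Split a build string into integers so comparison is numeric, not lexical."""
    m = _BUILD_RE.match(build.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler build string: {build!r}")
    return tuple(int(x) for x in m.groups())


def citrix_bleed_status(build):
    """Return 'patched', 'vulnerable' or 'unknown' for one build string."""
    major, minor, num, sub = parse_build(build)
    fixed = FIXED_BUILDS.get(f"{major}.{minor}")
    if fixed is None:
        return "unknown"  # branch not covered by the builds named on this page
    fixed_num, fixed_sub = parse_build(fixed)[2:]
    return "patched" if (num, sub) >= (fixed_num, fixed_sub) else "vulnerable"


def triage(inventory):
    """Map {hostname: build} to (hostname, status, action) rows. Patched hosts
    still need sessions invalidated: tokens leaked before the patch stay valid
    until the sessions are terminated."""
    rows = []
    for host, build in sorted(inventory.items()):
        status = citrix_bleed_status(build)
        if status == "vulnerable":
            action = "patch, then invalidate all active sessions"
        elif status == "patched":
            action = "confirm all sessions were invalidated after patching"
        else:
            action = "check the vendor advisory for this branch"
        rows.append((host, status, action))
    return rows


# Constructed sample inventory (hypothetical hostnames and builds).
SAMPLE_INVENTORY = {
    "gw-eu-1": "13.1-48.47",  # below 13.1-49.15
    "gw-eu-2": "13.1-49.15",  # exactly the fixed build
    "gw-us-1": "14.1-4.42",   # below 14.1-8.50
    "gw-lab": "13.0-91.13",   # branch not covered here
}
```

Calling `triage(SAMPLE_INVENTORY)` returns one row per host; note that the numeric tuple comparison is what keeps 14.1-12.30 from being misread as older than 14.1-8.50.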
● Examples
- 01
Threat actors steal session tokens from an exposed NetScaler Gateway and log in as VPN users, bypassing MFA.
- 02
After patching, an organization terminates all active ICA and PCoIP sessions to evict any stolen tokens.
● Frequently asked questions
What is Citrix Bleed (CVE-2023-4966)?
A memory disclosure flaw in Citrix NetScaler ADC and Gateway that leaks session tokens, enabling attackers to hijack authenticated sessions without credentials or MFA. It belongs to the Vulnerabilities category of cybersecurity.
What does Citrix Bleed (CVE-2023-4966) mean?
A memory disclosure flaw in Citrix NetScaler ADC and Gateway that leaks session tokens, enabling attackers to hijack authenticated sessions without credentials or MFA.
How does Citrix Bleed (CVE-2023-4966) work?
Citrix Bleed, tracked as CVE-2023-4966, is an information-disclosure vulnerability in Citrix NetScaler ADC and NetScaler Gateway disclosed in October 2023. By sending a crafted HTTP request to the appliance, an unauthenticated attacker can read uninitialized memory and extract valid session tokens, including those issued after MFA. Replaying a stolen token gives the attacker the same access as the legitimate user, bypassing strong authentication. The flaw was mass-exploited by ransomware groups including LockBit, hitting Boeing, the Industrial and Commercial Bank of China and Toyota Financial Services. Fixing requires patching to 13.1-49.15 / 14.1-8.50 or later and invalidating all active sessions.
How do you defend against Citrix Bleed (CVE-2023-4966)?
Defences for Citrix Bleed (CVE-2023-4966) combine a technical fix with an operational step: upgrade affected NetScaler ADC and NetScaler Gateway appliances to 13.1-49.15 / 14.1-8.50 or later, then invalidate all active sessions so that tokens leaked before the patch can no longer be replayed.
What are other names for Citrix Bleed (CVE-2023-4966)?
Common alternative names include: CVE-2023-4966, NetScaler session leak.
● Related terms
- attacks № 1016
Session Hijacking
An attack that takes over a victim's authenticated session by stealing or forging the session identifier so the attacker can act as the user without their credentials.
- malware № 900
Ransomware
Malware that encrypts a victim's data or locks systems and demands payment in exchange for restoring access.