Citrix Netscaler CVE-2023-4966 actively exploited
Take action: As we said the first time this vulnerability was reported: you can't ignore this patch, because by its nature NetScaler is exposed to the internet (and to attackers). And yet there were people who ignored that advisory and are now being hacked. Patch. NOW.
Learn More
The Citrix NetScaler ADC and NetScaler Gateway vulnerability tracked as CVE-2023-4966 has been actively exploited by hackers since August. The exploit allows malicious actors to bypass multifactor authentication (MFA) through session hijacking, potentially granting them access to sensitive information.
The vulnerability enables attackers to hijack authenticated sessions, effectively sidestepping MFA and other strong authentication measures. This type of identity-based attack has been on the rise and has proven successful in recent incidents, such as the attacks on Las Vegas casinos.
What's particularly concerning is that even after applying the patch to mitigate CVE-2023-4966, existing authenticated sessions may persist, and threat actors could use stolen session data to access resources until these sessions are terminated. This could lead to the compromise of credentials and unauthorized access to various resources within an organization's environment.
While the specific threat actor behind these attacks remains unidentified, researchers suspect a focus on cyber espionage and anticipate that other threat actors with financial motivations may also exploit this vulnerability in the future. Mandiant emphasizes the importance of organizations not only applying the patch but also terminating all active sessions to mitigate potential risks.
Citrix initially released a patch on October 10, 2023, but Mandiant's findings indicate that exploitation has continued despite this. The affected versions of NetScaler ADC and NetScaler Gateway include 14.1, 13.1, 13.0, and 12.1 (which is considered end-of-life). Exploitation requires the affected device to be configured as a Gateway or as an authentication, authorization, and accounting (AAA) virtual server.
Given the active abuse of this vulnerability and the history of Citrix vulnerabilities attracting threat actors, organizations are strongly advised to update their instances to the latest version promptly to mitigate potential risks associated with CVE-2023-4966.