On Oct. 10, 2023, Citrix released a security bulletin for a sensitive information disclosure vulnerability (CVE-2023-4966) impacting NetScaler ADC and NetScaler Gateway appliances.

Mandiant has identified zero-day exploitation of this vulnerability in the wild beginning in late August 2023. Successful exploitation could result in the ability to hijack existing authenticated sessions, therefore bypassing multifactor authentication or other strong authentication requirements. These sessions may persist after the update to mitigate CVE-2023-4966 has been deployed. Additionally, we have observed session hijacking where session data was stolen prior to the patch deployment, and subsequently used by a threat actor. 

The authenticated session hijacking could then result in further downstream access based upon the permissions and scope of access that the identity or session was permitted. A threat actor could utilize this method to harvest additional credentials, laterally pivot, and gain access to additional resources within an environment.

To date, Mandiant has observed exploitation at professional services, technology, and government organizations. 

Based upon these observations, Mandiant is providing additional steps for remediating and reducing risks related to this vulnerability. Read our CVE-2023-4966 guidance document now.

Impacted Versions

The following versions of NetScaler ADC and Gateway appliances are impacted by the vulnerability:

• NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50
• NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15
• NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19
• NetScaler ADC 13.1-FIPS before 13.1-37.164
• NetScaler ADC 12.1-FIPS before 12.1-55.300
• NetScaler ADC 12.1-NDcPP before 12.1-55.300
  Note: NetScaler ADC and NetScaler Gateway version 12.1 is now End-of-Life (EOL) and is also vulnerable.

Citrix has noted that customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication are not impacted by CVE-2023-4966.