Original Article Text


Recently patched Citrix NetScaler bug exploited as zero-day since August

A critical vulnerability tracked as CVE-2023-4966 in Citrix NetScaler ADC/Gateway devices has been actively exploited as a zero-day since late August, security researchers announced.

The security issue is an information disclosure and received a fix last week. It allows attackers to access secrets on appliances configured as gateways for authentication, authorization, and accounting (AAA) virtual servers.

In a security bulletin on October 10 with few technical details, Citrix strongly urged customers to install the available update without delay.

A report from Mandiant disclosed that it found signs of CVE-2023-4966 being exploited in the wild since August for stealing authentication sessions and hijacking accounts.

"Mandiant has identified zero-day exploitation of this vulnerability in the wild beginning in late August 2023," says the cybersecurity company.

"Successful exploitation could result in the ability to hijack existing authenticated sessions, therefore bypassing multifactor authentication or other strong authentication requirements." - Mandiant

The company also warns that hijacked sessions persist even after installing the security update. Depending on the permissions of the hijacked account, the attackers may leverage the method to move laterally or to breach more accounts.

Security researchers observed CVE-2023-4966 being exploited for access to infrastructure belonging to government organizations and technology companies.

Fixing and mitigation

Apart from applying the patch from Citrix, Mandiant published a document with additional remediation recommendations for NetScaler ADC/Gateway administrators with the following suggestions:

Also, upgrading the appliances to the following firmware versions should be prioritized:

This is the second zero-day flaw Citrix has fixed in its products this year. A previous one, identified as CVE-2023-3519, was exploited in the wild in early July and received a fix a few weeks later.

Daily Brief Summary

CYBERCRIME // Zero-day Exploitation of Citrix NetScaler Bug Traced Back to August

A critical vulnerability, CVE-2023-4966, affecting Citrix NetScaler ADC/Gateway devices has been exploited as a zero-day since late August.

Cybersecurity firm Mandiant found the flaw being used in the wild for stealing authentication sessions and account hijacking.

The vulnerability allows attackers to gain access to appliances configured as gateways for authentication, authorization, and accounting (AAA) virtual servers.

Mandiant warns that the hijacked sessions persist even after the security update is installed and can be used for lateral movement or breaching more accounts.

The flaw has been observed being exploited for access to infrastructure belonging to government and tech organizations.

This is the second zero-day flaw that Citrix has fixed this year, with the previous one, CVE-2023-3519, having been exploited in the wild in early July.