Tags: Citrix, CVE-2023-4966, NetScaler, session hijacking, MFA bypass, APT

Citrix Bleed CVE-2023-4966: Session Token Theft on NetScaler ADC and Gateway

Citrix Bleed allows stealing valid session tokens from Citrix NetScaler, bypassing authentication and even MFA. Analysis of CVE-2023-4966 and how to protect your infrastructure.

April 23, 2026

Citrix Bleed (CVE-2023-4966) is one of the most critical vulnerabilities of 2023. A memory-disclosure bug (an out-of-bounds read) in Citrix NetScaler ADC and NetScaler Gateway allows an unauthenticated attacker to retrieve valid session tokens, bypassing not only password authentication but also MFA (multi-factor authentication). Dozens of APT groups and ransomware gangs have exploited it at scale.

What is Citrix NetScaler?

Citrix NetScaler ADC (Application Delivery Controller) and NetScaler Gateway are critical network appliances used by thousands of enterprises for:

  • VPN and secure remote access (NetScaler Gateway)
  • Load balancing and application proxying (NetScaler ADC)
  • SSO and authentication for enterprise applications

Their strategic position as network entry points makes them prime targets.

CVE-2023-4966: The Memory Leak

Mechanism

CVE-2023-4966 is a buffer over-read in NetScaler's HTTP request handler. By sending an HTTP request with an oversized Host header, the attacker triggers a read beyond buffer boundaries, returning memory data that includes active session tokens.

CVSS Score: 9.4 (Critical)
Published: October 10, 2023
Actively exploited before the patch (zero-day since August 2023 according to Mandiant)

What the Stolen Memory Contains

NetScaler session tokens include:

  • The authenticated user's identity
  • Access rights and group memberships
  • Session validity duration

With a valid token, the attacker connects as the user — without knowing their password, without going through MFA, without any trace in authentication logs.

Affected Versions

Product                          | Affected Versions | Fixed Version
---------------------------------|-------------------|--------------
NetScaler ADC and Gateway 14.1   | < 14.1-8.50       | 14.1-8.50+
NetScaler ADC and Gateway 13.1   | < 13.1-49.15      | 13.1-49.15+
NetScaler ADC and Gateway 13.0   | < 13.0-92.19      | 13.0-92.19+
NetScaler ADC 13.1-FIPS          | < 13.1-37.164     | 13.1-37.164+
NetScaler ADC 12.1-FIPS          | < 12.1-55.300     | 12.1-55.300+
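The table is easy to misread when an inventory holds hundreds of appliances, so here is a small version checker written for this article (it is not Citrix's tooling). The fixed builds are the ones in the table; the accepted input formats are an assumption covering the short `13.1-49.15` form and the `NS13.1: Build 49.15.nc` form reported by `show ns version`. Because the FIPS branches have different fix builds and cannot be told apart from the version string alone, the caller must say whether the appliance is a FIPS build.

```python
"""Check a NetScaler ADC/Gateway build against the CVE-2023-4966 fixed builds.

Added example, not Citrix's tooling.  FIXED_BUILDS comes from the
affected-versions table above; the accepted version formats are an
assumption covering '13.1-49.15' and 'NS13.1: Build 49.15.nc'.
"""
import re

# (branch, is_fips) -> first fixed build (major, minor), taken from the table.
FIXED_BUILDS = {
    ("14.1", False): (8, 50),
    ("13.1", False): (49, 15),
    ("13.0", False): (92, 19),
    ("13.1", True): (37, 164),
    ("12.1", True): (55, 300),
}

# Matches "13.1-49.15" as well as "NS13.1: Build 49.15.nc".
_VERSION_RE = re.compile(r"(\d+\.\d+)(?:-|:\s*Build\s+)(\d+)\.(\d+)")


def parse_version(text):
    """Return (branch, (build_major, build_minor)) or raise ValueError."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {text!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def is_vulnerable(text, fips=False):
    """True if the build predates the first fixed build for its branch.

    Branches absent from the table (for example non-FIPS 12.1, which was
    already end-of-life) raise ValueError instead of being reported as safe:
    an unknown build must be investigated, not silently passed."""
    branch, build = parse_version(text)
    try:
        fixed = FIXED_BUILDS[(branch, fips)]
    except KeyError:
        kind = "FIPS" if fips else "non-FIPS"
        raise ValueError(f"no CVE-2023-4966 fix data for {kind} branch {branch}") from None
    return build < fixed


if __name__ == "__main__":
    # Constructed sample inventory entries.
    inventory = [("13.1-49.13", False), ("13.1-49.15", False),
                 ("NS14.1: Build 8.50.nc", False), ("13.1-37.150", True)]
    for version, fips in inventory:
        state = "VULNERABLE" if is_vulnerable(version, fips) else "patched"
        print(f"{version:<24} {'FIPS' if fips else '':<5} {state}")
```

Feed it the output of `show ns version` from each appliance and treat both "VULNERABLE" results and ValueError exceptions as items that need a human look.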

Mass Exploitation by APT Groups

Mandiant confirmed that CVE-2023-4966 was being exploited as a zero-day since August 2023 — two months before public disclosure. Identified groups include:

  • UNC3944 / Scattered Spider: group behind the MGM Resorts and Caesars Entertainment attacks in September 2023
  • LockBit: major ransomware gang
  • ALPHV/BlackCat: another ransomware gang
  • Several unnamed state-sponsored APT groups

Typical Attack Scenario

  1. Scan the internet for exposed NetScaler appliances
  2. Exploit CVE-2023-4966 to retrieve session tokens
  3. Reuse stolen sessions to access the corporate VPN
  4. Pivot into the internal network
  5. Deploy ransomware or exfiltrate data

Detecting Exploitation

Key Symptom: Unexpected Active Sessions

# Via NetScaler CLI
show aaa session

# Look for sessions from unknown IPs or at unusual hours
# Stolen sessions appear as legitimate sessions

In the Logs

Look for VPN connections from unusual countries or IPs, and for sessions that have no corresponding authentication event shortly before they start: a stolen token is used directly, so the session appears without the login that should precede it.

Citrix Detection Tool

Citrix published a detection tool on their support site. IOCs include HTTP requests with abnormally long Host headers in NetScaler logs.
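The two indicators above (sessions with no preceding login, and requests carrying an oversized Host header) are simple enough to check in a script. The following is an added example written for this article, not Citrix's detection tool. The log format it parses is a constructed, simplified key=value format; NetScaler's real ns.log and AAA audit records look different, so parse_line() would need adapting to the actual fields before running it against a real appliance. The Host-length threshold is also an assumption: a DNS name is at most 253 octets, so anything much longer than that is abnormal.

```python
"""Heuristics for spotting CVE-2023-4966 session-token reuse in access logs.

Added example; the log format is a constructed, simplified one (key=value
fields), not NetScaler's real syslog format.  Adapt parse_line() to the
real ns.log / AAA audit fields before use.
"""
from datetime import datetime, timedelta

# Constructed sample: alice logs in and gets session S1; later a session S2
# for alice appears from a new IP with no authentication event before it,
# and that IP also sent a request with an oversized Host header.
SAMPLE_LOG = """\
2023-10-12T08:01:02Z AUTH user=alice src=203.0.113.10 result=success
2023-10-12T08:01:05Z SESSION_START user=alice src=203.0.113.10 sid=S1
2023-10-12T08:20:00Z AUTH user=bob src=203.0.113.11 result=failure
2023-10-12T09:30:00Z SESSION_START user=alice src=198.51.100.77 sid=S2
2023-10-12T09:31:00Z HTTP src=198.51.100.77 host_len=4096 status=200
2023-10-12T09:32:00Z HTTP src=203.0.113.10 host_len=22 status=200
"""

# A DNS name is at most 253 octets; allow a few more for ":port" (assumption).
MAX_HOST_LEN = 260


def parse_line(line):
    """Split '<timestamp> <EVENT> k=v k=v ...' into a dict; None for junk lines."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    event = {"ts": ts, "event": parts[1]}
    for field in parts[2:]:
        key, sep, value = field.partition("=")
        if sep:
            event[key] = value
    return event


def parse_log(text):
    """Parse every well-formed line of a log dump, skipping the rest."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def long_host_requests(events, max_len=MAX_HOST_LEN):
    """Source IPs that sent a Host header longer than max_len (the public IoC)."""
    return sorted({e["src"] for e in events
                   if e["event"] == "HTTP" and int(e.get("host_len", 0)) > max_len})


def sessions_without_auth(events, window=timedelta(minutes=5)):
    """Session IDs that began with no successful AUTH for the same user *and*
    source IP within the preceding window.  A replayed token produces exactly
    this: a session that starts without the login that should precede it."""
    auths = [e for e in events if e["event"] == "AUTH" and e.get("result") == "success"]
    flagged = []
    for s in (e for e in events if e["event"] == "SESSION_START"):
        preceded = any(a["user"] == s["user"] and a["src"] == s["src"]
                       and timedelta(0) <= s["ts"] - a["ts"] <= window
                       for a in auths)
        if not preceded:
            flagged.append(s["sid"])
    return flagged


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("oversized Host header from:", long_host_requests(ev))
    print("sessions with no matching login:", sessions_without_auth(ev))
```

Matching on both user and source IP is deliberate: a legitimate login followed by the same user's session from a different address is precisely what token theft looks like, so the session-start event alone is not enough to clear it. Cross-check any flagged session ID against `show aaa session` and the internal resources it touched afterwards.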

Remediation

1. Patch Urgently

This is the only real solution. Immediately apply the fixed versions listed above.

2. Invalidate ALL Active Sessions After Patching

Critical: patching alone is insufficient if tokens have already been stolen. You must kill all active sessions:

# Via NetScaler CLI - kill all ICA connections
kill icaconnection -all

# Kill all AAA/VPN sessions
kill aaa session -all

# Or via the Citrix ADM interface

If you patch without killing sessions, attackers already holding valid tokens retain their access.

3. Enable Session Monitoring

After patching and invalidation, monitor new connections from unusual IPs.

4. If Compromised: Full Forensics

An attacker using a stolen token leaves few traces in auth logs. Investigation must cover internal resource access post-connection.

Citrix: A History of Critical Flaws

CVE-2023-4966 is part of a long list of critical Citrix vulnerabilities:

  • CVE-2019-19781 — Pre-auth RCE in NetScaler Gateway (CVSS 9.8), massively exploited in 2020
  • CVE-2022-27518 — Unauthenticated RCE in Citrix ADC (CVSS 9.8)
  • CVE-2023-3519 — Unauthenticated RCE in NetScaler (CVSS 9.8), exploited simultaneously with CVE-2023-4966

Internet-exposed Citrix appliances require continuous CVE monitoring.
