
[CVSS 9+] LockBit Exploiting Citrix Bleed: Immediate Action Needed

Executive Summary

Experts are warning that nation-state and cybercrime groups are attacking unpatched NetScaler devices. The attackers exploit a vulnerability identified as CVE-2023-4966, and known as Citrix Bleed, which affects NetScaler ADC and Gateway products. Remarkably, it has a CVSS score of 9.4.

NetScaler has previously released a patch and urged users to apply it. It is worth mentioning that the patch also addresses CVE-2023-4967, a Denial of Service (DoS) vulnerability. This vulnerability has a CVSS score of 8.2.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Google Cloud’s Mandiant have identified active exploitation of this vulnerability before the official patch was released.

Unpatched NetScaler devices have become a target for various groups, including the LockBit ransomware group. They aim to gain remote access and extract session tokens. NetScaler ADC and Gateway devices are breached globally, resulting in the extraction of session tokens from numerous devices.

If your organisation has yet to implement these critical patches, now is the time!

The Citrix Bleed

Citrix Bleed allows attackers to steal valid session tokens, bypass multi-factor authentication, and gain complete access to vulnerable devices. Thus, it poses a significant threat.

Exploitation of Citrix Bleed is followed by activities like network reconnaissance, credential theft, lateral movement, and even ransomware infections. Moreover, the exploits have led to breaches in large organisations.

This week, CISA released a joint advisory providing comprehensive technical details about the exploits.

Surprisingly, CISA’s vulnerability warning program found nearly 300 organisations with exposed NetScaler devices. Boeing’s confirmation of an incident linked to LockBit affiliates exploiting CVE-2023-4966 underscores the gravity of the situation. This also highlights the need for collaboration and information sharing among potential victims.

Please refer to our recent article for more information about the Citrix Bleed.

Urgent Call for Action

Experts strongly recommend that organisations patch their NetScaler devices immediately. It’s paramount to terminate or invalidate all active sessions and meticulously review logs for signs of compromise.

Please see Citrix’s security bulletin for more information about the patch.

Additional Recommendations:

Experts also encourage organisations to check for any web shells or backdoors that attackers left behind, regardless of their patching timeline. This is because exploits were available before the patch release. Moreover, NetScaler offers practical suggestions for investigating exploits, including a focus on monitoring tools for patterns of suspicious session use.
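
One way to hunt for the "suspicious session use" mentioned above, as an added example that is not from the original article or from NetScaler: it flags any session identifier presented from two different client IPs within a short window. The CSV layout, field names and sample rows are constructed assumptions; map your own gateway or SIEM export onto them.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample events, already normalised to CSV. The column names and
# values are assumptions for this example, not a NetScaler log format.
SAMPLE_EVENTS = """\
timestamp,session_id,user,client_ip
2023-11-20T08:01:12,sess-a1,alice,198.51.100.10
2023-11-20T08:15:40,sess-a1,alice,198.51.100.10
2023-11-20T08:17:02,sess-a1,alice,203.0.113.77
2023-11-20T08:20:00,sess-b2,bob,192.0.2.5
2023-11-20T09:45:00,sess-b2,bob,192.0.2.5
2023-11-20T10:00:00,sess-c3,carol,192.0.2.44
2023-11-20T16:30:00,sess-c3,carol,198.51.100.200
"""


def find_shared_sessions(csv_text, window_minutes=30):
    """Flag sessions presented from two different client IPs within the window.

    A short gap between IPs suggests a replayed token rather than a user who
    changed networks; widen the window to review slower changes as well.
    """
    by_session = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        when = datetime.fromisoformat(row["timestamp"])
        by_session[row["session_id"]].append((when, row["client_ip"], row["user"]))

    findings = []
    for session_id, seen in sorted(by_session.items()):
        seen.sort()  # chronological order within the session
        for (t1, ip1, user), (t2, ip2, _) in zip(seen, seen[1:]):
            gap = (t2 - t1).total_seconds() / 60
            if ip1 != ip2 and gap <= window_minutes:
                findings.append({"session_id": session_id, "user": user,
                                 "client_ips": [ip1, ip2],
                                 "gap_minutes": round(gap, 1)})
                break  # one finding per session is enough to trigger review
    return findings


if __name__ == "__main__":
    for hit in find_shared_sessions(SAMPLE_EVENTS):
        print(hit)
```

Sessions flagged this way are candidates for termination and for a closer review of what the account did after the second IP appeared.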



Cubic Lighthouse is a cybersecurity publication dedicated to demystifying security, making news actionable, providing deeper thinking about the fundamentals of security, and providing decision-makers and the community at large with the right information to make the right decisions. We will also feature more technical articles and provide personal/family security advice.
