Citrix NetScaler Zero-Day Exploited to Compromise Government Organizations

Two critical security vulnerabilities, namely CVE-2023-4966 and CVE-2023-4967, have been discovered in NetScaler ADC and NetScaler Gateway.

These vulnerabilities impact several versions of the products, and users are strongly advised to take swift action to secure their systems.

The following supported versions of NetScaler ADC and NetScaler Gateway are known to be vulnerable to these issues:

  • NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50
  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19
  • NetScaler ADC 13.1-FIPS before 13.1-37.164
  • NetScaler ADC 12.1-FIPS before 12.1-55.300
  • NetScaler ADC 12.1-NDcPP before 12.1-55.300

Please note that NetScaler ADC and NetScaler Gateway version 12.1 have reached their End-of-Life (EOL) status, making them particularly vulnerable.


Deploy Advanced AI-Powered Email Security Solution

Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware

Recent Attack Exploiting Zero-Day

Citrix announced this issue in a security bulletin on October 10, 2023. However, Mandiant discovered that some threat actors had already exploited this vulnerability in the wild since late August 2023.

This vulnerability allows threat actors to hijack authenticated sessions and bypass security measures like multifactor authentication. The hijacked sessions may remain active even after applying the patch for CVE-2023-4966. 

Moreover, some threat actors have stolen session data before patching and used it later for malicious purposes. The consequences of authenticated session hijacking are serious. 

A threat actor with unauthorized access can use it to steal more credentials, move across a network, and access more resources within the targeted environment.

Mandiant has reported these disturbing developments, observing exploitation in professional services, technology, and government organizations. 

Mandiant has also provided additional guidance for mitigating and reducing the risks associated with CVE-2023-4966, recommending that affected parties refer to their CVE-2023-4966 guidance document.

Citrix has stated that customers using Citrix-managed cloud services or Adaptive Authentication are unaffected by CVE-2023-4966, giving some relief to a subset of their user base.

The Impact

CVE-2023-4966 is a sensitive information disclosure vulnerability with a high CVSS score of 9.4. 

This vulnerability affects appliances configured as a Gateway, VPN virtual server, ICA Proxy, CVPN, RDP Proxy, or AAA virtual servers.

CVE-2023-4967 is a denial of service vulnerability with a CVSS score of 8.2. 

It also affects appliances configured as a Gateway, VPN virtual server, ICA Proxy, CVPN, RDP Proxy, or AAA virtual servers.

Mitigating Factors

There are no known mitigating factors, and immediate action is required.

Exploits of CVE-2023-4966 on unmitigated appliances have already been observed. 

Therefore, Cloud Software Group urges all NetScaler ADC and NetScaler Gateway customers to install the updated versions immediately. 

The recommended versions are:

  • NetScaler ADC and NetScaler Gateway 14.1-8.50 and later releases
  • NetScaler ADC and NetScaler Gateway 13.1-49.15 and later releases of 13.1
  • NetScaler ADC and NetScaler Gateway 13.0-92.19 and later releases of 13.0
  • NetScaler ADC 13.1-FIPS 13.1-37.164 and later releases of 13.1-FIPS
  • NetScaler ADC 12.1-FIPS 12.1-55.300 and later releases of 12.1-FIPS
  • NetScaler ADC 12.1-NDcPP 12.1-55.300 and later releases of 12.1-NDcPP

Citrix’s Response

Citrix is actively notifying its customers and partners about this security issue by publishing a security bulletin. 

For technical assistance, Citrix users can contact Citrix Technical Support.

Staying Informed

To stay informed about security updates, Citrix strongly recommends that customers subscribe to receive alerts whenever a Citrix security bulletin is created or modified.

Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Take advantage of the free trial to ensure 100% security.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.