Citrix Bleed (CVE-2023-4966)
Citrix Bleed lets attackers steal authenticated NetScaler ADC / Gateway sessions over the network — exploited at scale by ransomware operators in late 2023.
Definition
Citrix Bleed (CVE-2023-4966) is a buffer over-read vulnerability in Citrix NetScaler ADC and NetScaler Gateway. An HTTP request to a specific endpoint causes the appliance to return a chunk of process memory containing session tokens. An attacker who collects a valid token replays it against the appliance and inherits an authenticated session — including MFA. The bug was actively exploited by LockBit, Akira, and other ransomware operators in late 2023.
Mitigation
Patch to the fixed NetScaler firmware. After patching, terminate all active sessions on the appliance: a token harvested before the patch remains valid until its session is killed, and from the appliance's session state alone a replayed token is indistinguishable from the legitimate user's.
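The two defender-side consequences of the description above (a leaked token replayed from another client looks like the legitimate session, and every session that predates the patch must be terminated) can be turned into a small log triage script. The following is an added example, not Citrix's tooling or anything from the advisory; the log format it parses is constructed for the example (real NetScaler syslog lines differ and would need their own parser), and the sample records and patch timestamp are made up.

```python
"""Added example: triaging NetScaler session logs after Citrix Bleed.

Illustrative code, not Citrix's own tooling. The log format below is
constructed for this example. The two checks are the standard ones for a
token-theft bug of this class: a session token seen from more than one
client address is a hijack candidate, and any session that existed before
the appliance was patched must be terminated because its token may already
have been read out of process memory.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample records: "<ISO time> session=<id> user=<name> client=<ip>"
SAMPLE_LOG = """\
2023-10-20T08:01:12Z session=a1b2c3 user=alice client=203.0.113.10
2023-10-20T08:03:40Z session=d4e5f6 user=bob client=198.51.100.7
2023-10-20T08:05:02Z session=a1b2c3 user=alice client=203.0.113.10
2023-10-20T09:17:55Z session=a1b2c3 user=alice client=192.0.2.44
2023-10-20T09:20:13Z session=d4e5f6 user=bob client=198.51.100.7
2023-10-20T11:00:00Z session=778899 user=carol client=198.51.100.9
"""


@dataclass(frozen=True)
class Record:
    ts: datetime
    session: str
    user: str
    client: str


def parse_log(text: str) -> list[Record]:
    """Parse the constructed log format into Record objects.

    Malformed lines are skipped rather than raising, so a partial log
    extract still yields results."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            fields = dict(p.split("=", 1) for p in parts[1:])
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
            ts = ts.replace(tzinfo=timezone.utc)
            records.append(Record(ts, fields["session"], fields["user"], fields["client"]))
        except (ValueError, KeyError):
            continue
    return records


def sessions_with_multiple_clients(records: list[Record]) -> dict[str, list[str]]:
    """Return {session_id: sorted client IPs} for every session seen from
    more than one client address. Legitimate users can roam (VPN, mobile),
    so this is a triage signal rather than proof, but a stolen token that is
    replayed from the attacker's host always shows up this way."""
    clients: dict[str, set[str]] = defaultdict(set)
    for r in records:
        clients[r.session].add(r.client)
    return {s: sorted(ips) for s, ips in clients.items() if len(ips) > 1}


def sessions_to_terminate(records: list[Record], patched_at: datetime) -> set[str]:
    """Return the session ids first seen before patched_at.

    Any token issued before the fix may already have been leaked, and the
    appliance cannot tell a replayed token from the original, so every such
    session has to be killed after patching regardless of what the logs show."""
    first_seen: dict[str, datetime] = {}
    for r in records:
        if r.session not in first_seen or r.ts < first_seen[r.session]:
            first_seen[r.session] = r.ts
    return {s for s, ts in first_seen.items() if ts < patched_at}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("sessions seen from more than one client:", sessions_with_multiple_clients(recs))
    patched = datetime(2023, 10, 20, 10, 0, tzinfo=timezone.utc)  # constructed patch time
    print("sessions to terminate after patching:", sorted(sessions_to_terminate(recs, patched)))
```

In the sample data, session a1b2c3 is the replay candidate (one token, two client addresses), while the second check lists every session that existed before the patch window, including bob's, which shows no anomaly at all; that second list is the one that should drive the post-patch session termination, not the first.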