Citrix and Mandiant Warn of Active Exploitation of CVE-2023-4966

CVE-2023-4966 Exploits

Citrix is warning that a recently disclosed critical vulnerability in NetScaler ADC and NetScaler Gateway appliances is being exploited and can lead to the disclosure of sensitive information. The flaw, tracked as CVE-2023-4966 with a CVSS score of 9.4, was identified and patched in October.

Successful exploitation requires the appliance to be configured either as a gateway (VPN virtual server, ICA proxy, CVPN, RDP proxy) or as an Authorization and Accounting (AAA) virtual server.

Although patches for the vulnerability were released on October 10th, Citrix has since revised its advisory, noting that CVE-2023-4966 is being exploited against unpatched appliances.

Mandiant, for its part, found that the flaw had been exploited as a zero-day since late August. According to the company's researchers, successful exploitation lets an attacker hijack existing authenticated sessions, bypassing multi-factor authentication (MFA) and other strong authentication requirements. Notably, hijacked sessions may remain valid even after the patch is applied.

Hijacking an authenticated session can then grant further access, depending on the permissions of the compromised account, allowing attackers to harvest additional credentials, move laterally, and reach other resources within the environment.

Mandiant also reported observing session hijacking in which session data was stolen before the patch was installed and later used by an unidentified adversary. The threat actor behind the attacks has not been attributed, but the campaign reportedly targeted professional services, technology, and government organizations.

Given the widespread exploitation of the vulnerability, users should update their instances to the latest version without delay. Mandiant researchers advise organizations not merely to apply the patches but also to terminate all active sessions, since sessions established while the appliance was vulnerable are not invalidated by the update itself. The researchers also stressed the importance of prioritizing this patch appropriately, given the active exploitation and the severity of the flaw.
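The point that patching does not, by itself, end a session-hijacking incident is easy to lose. The following added example (illustrative code written for this page, not Citrix or Mandiant code, and not NetScaler CLI) models a generic server-side session table: the `SessionStore` class, the tokens and the timestamps are all constructed. It shows that a token copied during the exposure window still authenticates after the patch, and that terminating every session issued before the remediation cutoff is what actually closes that door.

```python
"""Why 'patch only' leaves hijacked sessions alive, and what 'terminate all sessions' fixes.

Hypothetical session store for illustration; it is not a NetScaler component.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, Optional

UTC = timezone.utc


@dataclass
class Session:
    token: str
    user: str
    issued_at: datetime
    revoked: bool = False


@dataclass
class SessionStore:
    """Minimal server-side session table (constructed model)."""
    sessions: Dict[str, Session] = field(default_factory=dict)
    # Any token issued before this instant is refused, even if the record
    # was somehow not individually revoked.
    not_valid_before: Optional[datetime] = None

    def issue(self, token: str, user: str, issued_at: datetime) -> Session:
        s = Session(token, user, issued_at)
        self.sessions[token] = s
        return s

    def is_valid(self, token: str) -> bool:
        """Validation as the server sees it: no MFA is re-checked here, because
        a valid session token is precisely what MFA already produced."""
        s = self.sessions.get(token)
        if s is None or s.revoked:
            return False
        if self.not_valid_before is not None and s.issued_at < self.not_valid_before:
            return False
        return True

    def terminate_sessions_issued_before(self, cutoff: datetime) -> int:
        """Revoke every session issued before `cutoff` and refuse any such
        token presented later. Returns the number of sessions terminated."""
        count = 0
        for s in self.sessions.values():
            if s.issued_at < cutoff and not s.revoked:
                s.revoked = True
                count += 1
        self.not_valid_before = cutoff
        return count


def patch_only_vs_patch_and_terminate() -> dict:
    """Walk both remediation paths over constructed sample sessions."""
    store = SessionStore()
    # Patch day per the article; the time of day is constructed.
    patch_time = datetime(2023, 10, 10, 12, 0, tzinfo=UTC)

    # Constructed sessions: two established while the appliance was exposed,
    # one established after the patch.
    store.issue("tok-A", "alice", datetime(2023, 9, 15, tzinfo=UTC))
    store.issue("tok-B", "bob", datetime(2023, 10, 9, tzinfo=UTC))
    store.issue("tok-C", "carol", datetime(2023, 10, 11, tzinfo=UTC))

    # Path 1: patch applied, nothing else. A token captured before the patch
    # still authenticates; the vulnerable code is gone but the session is not.
    after_patch_only = {t: store.is_valid(t) for t in store.sessions}

    # Path 2: patch applied and every session from the exposure window terminated.
    terminated = store.terminate_sessions_issued_before(patch_time)
    after_terminate = {t: store.is_valid(t) for t in store.sessions}

    return {
        "patch_only": after_patch_only,
        "terminated": terminated,
        "patch_and_terminate": after_terminate,
    }


if __name__ == "__main__":
    for name, value in patch_only_vs_patch_and_terminate().items():
        print(f"{name}: {value}")
```

The `not_valid_before` watermark matters for the incident-response case described above: it rejects a pre-patch token even when the individual record was never seen or was already purged, so a replay of stolen session data is refused rather than silently accepted.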