This week, a critical zero-day vulnerability (CVE-2023-4966) found in Citrix NetScaler is being exploited by attackers. The vulnerability has a CVSS score of 9.4 and was patched last week but has existed since August 2023. However, the researchers from Mandiant have said that the patch does not completely remediate the bug.
CVE-2023-4966 allows attackers to take over authenticated sessions and potentially evade multifactor authentication (MFA), resulting in complete control over NetScaler environments, responsible for managing application delivery in businesses. These sessions can still exist even after applying the fix for CVE-2023-4966. Also, Mandiant has seen instances where session information was taken before the patch was applied and then exploited by an attacker.
Currently, exploitation has been observed within the technology, professional services, and government sectors. Citrix stated in their advisory that customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication remain unaffected by CVE-2023-4966. The following versions of NetScaler ADC and Gateway appliances are impacted:
As a result of the initial patch being ineffective, Mandiant has provided steps for mitigating and reducing risks related to CVE-2023-4966. You can read their mitigation steps in their “Citrix NetScaler ADC/Gateway: CVE-2023-4966” document.
Per Citrix, Cloud Software Group strongly urges customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions of NetScaler ADC and NetScaler Gateway as soon as possible:
INDICATORS OF COMPROMISE (IoCs)
At this time, there are no known IoCs associated with CVE-2023-4966. Avertium remains vigilant in locating IoCs for our customers. Should any be located, Avertium will disclose them as soon as possible. For more information on how Avertium can help protect your organization, please reach out to your Avertium Service Delivery Manager or Account Executive.