CVE-2023-4966
Published: 2023-10-10
CVE-2023-4966: Sensitive information disclosure in NetScaler ADC and NetScaler Gateway when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA…
Priority: P1 · 90 · high · CVSS 3.1: 7.5
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
Tags: KEV · ITW · EXPLOIT · Ransomware · Initial access
CISA Known Exploited Vulnerability, due 2023-11-08
Exploited in the wild
EPSS: 100.00% (100.0th percentile)
Sensitive information disclosure in NetScaler ADC and NetScaler Gateway when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.
Affected
22 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| citrix | citrix_adc | — | — |
| citrix | citrix_gateway | — | — |
| citrix | netscaler_adc | — | — |
| citrix | netscaler_adc | >= 12.1-FIPS < 55.300 | 55.300 |
| citrix | netscaler_adc | >= 12.1-NDcPP < 55.300 | 55.300 |
| citrix | netscaler_adc | >= 13.0 < 92.19 | 92.19 |
| citrix | netscaler_adc | >= 13.1 < 49.15 | 49.15 |
| citrix | netscaler_adc | >= 13.1-FIPS < 37.164 | 37.164 |
| citrix | netscaler_adc | >= 14.1 < 8.50 | 8.50 |
| citrix | netscaler_application_delivery_controller | >= 12.1 < 12.1-55.300 | 12.1-55.300 |
| citrix | netscaler_application_delivery_controller | >= 13.0 < 13.0-92.19 | 13.0-92.19 |
| citrix | netscaler_application_delivery_controller | >= 13.1 < 13.1-37.164 | 13.1-37.164 |
| citrix | netscaler_application_delivery_controller | >= 13.1 < 13.1-49.15 | 13.1-49.15 |
| citrix | netscaler_application_delivery_controller | >= 14.1 < 14.1-8.50 | 14.1-8.50 |
| citrix | netscaler_gateway | — | — |
| citrix | netscaler_gateway | >= 13.0 < 92.19 | 92.19 |
| citrix | netscaler_gateway | >= 13.0 < 13.0-92.19 | 13.0-92.19 |
| citrix | netscaler_gateway | >= 13.1 < 49.15 | 49.15 |
| citrix | netscaler_gateway | >= 13.1 < 13.1-49.15 | 13.1-49.15 |
| citrix | netscaler_gateway | >= 14.1 < 8.50 | 8.50 |
| citrix | netscaler_gateway | >= 14.1 < 14.1-8.50 | 14.1-8.50 |
| citrix | xenserver | — | — |
Detection & IOCs (extracted from sources)
- Session tokens stolen pre-patch remain valid post-patch; organizations must invalidate all active and persistent sessions on NetScaler ADC/Gateway after patching to prevent continued unauthorized access.
- Storm-0501 threat actor exploited CVE-2023-4966 for initial access; post-exploitation activity includes use of Cobalt Strike beacons with license_id '666', Impacket SecretsDump, and Rclone renamed to svhost.exe or scvhost.exe for data exfiltration.
- CVE-2023-4966 is only exploitable on NetScaler ADC/Gateway devices configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server — scope detection and hunting to these configurations.
- Mass automated exploitation of CVE-2023-4966 was observed at scale; approximately 20,000 Citrix devices had session tokens stolen via automated scanning — correlate NetScaler access logs for anomalous unauthenticated HTTP requests that precede authenticated sessions.
- CVE-2023-4966 only affects customer-managed NetScaler ADC and Gateway appliances; Citrix-managed cloud services are NOT affected.
- Exploitation requires the appliance to be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server; devices not in these configurations are not vulnerable.
CVSS provenance
- nvd (v3.1): 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- vulncheck: 9.4 CRITICAL
- cisa: 7.5 HIGH
GHSA
GHSA-2g42-2pwg-93cj: Sensitive information disclosure in NetScaler ADC and NetScaler Gateway when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy)
ghsa_unreviewed·2023-10-10
CVE-2023-4966 CWE-119 GHSA-2g42-2pwg-93cj: Sensitive information disclosure in NetScaler ADC and NetScaler Gateway when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy)
Sensitive information disclosure in NetScaler ADC and NetScaler Gateway when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.
VulnCheck
Citrix NetScaler ADC and NetScaler Gateway Buffer Overflow Vulnerability
vulncheck·2023·CVSS 9.4
CVE-2023-4966 [CRITICAL] CWE-119 Citrix NetScaler ADC and NetScaler Gateway Buffer Overflow Vulnerability
Citrix NetScaler ADC and NetScaler Gateway Buffer Overflow Vulnerability
Citrix NetScaler ADC and NetScaler Gateway contain a buffer overflow vulnerability that allows for sensitive information disclosure when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.
Affected: Citrix NetScaler ADC and NetScaler Gateway
Required Action: Apply mitigations and kill all active and persistent sessions per vendor instructions [https://www.netscaler.com/blog/news/cve-2023-4966-critical-security-update-now-available-for-netscaler-adc-and-netscaler-gateway/] OR discontinue use of the product if mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-
CISA
Citrix NetScaler ADC and NetScaler Gateway Buffer Overflow Vulnerability
cisa·2023-10-18·CVSS 7.5
CVE-2023-4966 [HIGH] CWE-119 Citrix NetScaler ADC and NetScaler Gateway Buffer Overflow Vulnerability
Vulnerability: Citrix NetScaler ADC and NetScaler Gateway Buffer Overflow Vulnerability
Affected: Citrix NetScaler ADC and NetScaler Gateway
Citrix NetScaler ADC and NetScaler Gateway contain a buffer overflow vulnerability that allows for sensitive information disclosure when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.
Required Action: Apply mitigations and kill all active and persistent sessions per vendor instructions [https://www.netscaler.com/blog/news/cve-2023-4966-critical-security-update-now-available-for-netscaler-adc-and-netscaler-gateway/] OR discontinue use of the product if mitigations are unavailable.
Notes: https://www.netscaler.com/blog/news/cve-2023-4966-critical-security-update-now-available-for-netscaler-adc-and-nets
Citrix
NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2023-4966 and CVE-2023-4967
vendor_citrix·2023-10-17·CVSS 7.5
CVE-2023-4966 [HIGH] CWE-119 NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2023-4966 and CVE-2023-4967
NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2023-4966 and CVE-2023-4967
Pre-requisites:

| CVE | Description | Pre-requisites | CWE |
|---|---|---|---|
| CVE-2023-4966 | Sensitive information disclosure | Application must be configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server | CWE-119 |
| CVE-2023-4967 | Denial of service | Appliance must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server | CWE-119 |
CVE References: CVE-2023-4966, CVE-2023-4967
Affected Products: Citrix ADC, Citrix Gateway, NetScaler ADC, NetScaler Gateway, XenServer
Severity: Critical
Suricata
ET EXPLOIT Citrix ADC and NetScaler Gateway Information Disclosure Attempt (CVE-2023-4966)
suricata·2023-10-29·CVSS 9.4
CVE-2023-4966 [CRITICAL] ET EXPLOIT Citrix ADC and NetScaler Gateway Information Disclosure Attempt (CVE-2023-4966)
ET EXPLOIT Citrix ADC and NetScaler Gateway Information Disclosure Attempt (CVE-2023-4966)
Rule: alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Citrix ADC and NetScaler Gateway Information Disclosure Attempt (CVE-2023-4966)"; flow:established,to_server; flowbits:set,ET.CVE-2023-4966.LeakAttempt; http.uri; content:"/oauth/rp/.well-known/openid-configuration"; fast_pattern; http.host; bsize:>2000; reference:url,www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966; reference:cve,2023-4966; classtype:attempted-admin; sid:2048931; rev:2; metadata:affected_product Citrix, attack_target Web_Server, created_at 2023_10_29, cve CVE_2023_4966, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence High, si
Suricata
ET EXPLOIT Citrix ADC and NetScaler Gateway Information Disclosure Attempt (CVE-2023-4966)
suricata·2023-10-29·CVSS 9.4
CVE-2023-4966 [CRITICAL] ET EXPLOIT Citrix ADC and NetScaler Gateway Information Disclosure Attempt (CVE-2023-4966)
ET EXPLOIT Citrix ADC and NetScaler Gateway Information Disclosure Attempt (CVE-2023-4966)
Rule: alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Citrix ADC and NetScaler Gateway Information Disclosure Attempt (CVE-2023-4966)"; flow:established,to_server; flowbits:set,ET.CVE-2023-4966.LeakAttempt; http.uri; content:"/oauth/idp/.well-known/openid-configuration"; fast_pattern; http.host; bsize:>20000; reference:url,www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966; reference:cve,2023-4966; classtype:attempted-admin; sid:2048930; rev:1; metadata:attack_target Web_Server, created_at 2023_10_29, cve CVE_2023_4966, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major,
Suricata
ET EXPLOIT Citrix ADC and NetScaler Gateway Information Disclosure - Successful Response (CVE-2023-4966)
suricata·2023-10-29·CVSS 9.4
CVE-2023-4966 [CRITICAL] ET EXPLOIT Citrix ADC and NetScaler Gateway Information Disclosure - Successful Response (CVE-2023-4966)
ET EXPLOIT Citrix ADC and NetScaler Gateway Information Disclosure - Successful Response (CVE-2023-4966)
Rule: alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Citrix ADC and NetScaler Gateway Information Disclosure - Successful Response (CVE-2023-4966)"; flow:established,to_client; flowbits:isset,ET.CVE-2023-4966.LeakAttempt; http.stat_code; content:"200"; http.content_type; content:"application/json"; startswith; http.response_body; content:"|7b 22|issuer|22 3a 20 22|http"; startswith; fast_pattern; content:!"|22 2c 20 22|authorization_endpoint"; within:20000; reference:url,www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966; reference:cve,2023-4966; classtype:successful-admin; sid:2048932; rev:1; metadata:attack_target Web_Server, cr
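The three Emerging Threats signatures above, together with the access-log correlation advice from the Detection & IOCs list, re-implemented as an added Python example (this is not Emerging Threats, Citrix or this page's own code). The URI paths, the Host-header size thresholds, the `{"issuer": "http` prefix and the 20000-byte window are taken from the quoted rules; the `HttpExchange` record, the per-source approximation of the flowbit chaining and the sample traffic are constructed.

```python
"""
CVE-2023-4966 detection logic re-implemented from the three ET EXPLOIT Suricata
signatures (sids 2048930, 2048931, 2048932) plus the hunting advice to correlate
unauthenticated leak attempts with later authenticated sessions from the same source.
Added example; the HttpExchange record and the sample traffic below are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Request-side triggers: openid-configuration path -> (Host header size threshold, sid).
LEAK_ATTEMPT_RULES = {
    "/oauth/idp/.well-known/openid-configuration": (20000, 2048930),
    "/oauth/rp/.well-known/openid-configuration": (2000, 2048931),
}
# Response-side trigger (sid 2048932): body starts with |7b 22|issuer|22 3a 20 22|http
# and |22 2c 20 22|authorization_endpoint does not follow within 20000 bytes.
RESPONSE_PREFIX = b'{"issuer": "http'
EXPECTED_NEXT_KEY = b'", "authorization_endpoint'
RESPONSE_WINDOW = 20000
SUCCESS_SID = 2048932


@dataclass
class HttpExchange:
    """One request/response pair as a decrypting sensor or access log sees it (constructed)."""
    ts: int                         # seconds, used for ordering
    src: str                        # client address
    uri: str
    host: str                       # raw Host header value
    status: int = 0
    content_type: str = ""
    body: bytes = b""
    session_cookie: bool = False    # request presented a NetScaler session cookie


def leak_attempt_sid(ex: HttpExchange) -> Optional[int]:
    """sids 2048930/2048931: discovery URI requested with an oversized Host header."""
    path = ex.uri.split("?", 1)[0]
    rule = LEAK_ATTEMPT_RULES.get(path)
    if rule is None:
        return None
    threshold, sid = rule
    # bsize works on the raw buffer, so compare byte length rather than character count.
    return sid if len(ex.host.encode("utf-8", "surrogateescape")) > threshold else None


def is_leak_response(ex: HttpExchange) -> bool:
    """sid 2048932: a 200 JSON body that opens like the discovery document but never
    reaches the 'authorization_endpoint' key inside the 20000-byte window."""
    if ex.status != 200 or not ex.content_type.startswith("application/json"):
        return False
    if not ex.body.startswith(RESPONSE_PREFIX):
        return False
    window = ex.body[len(RESPONSE_PREFIX):len(RESPONSE_PREFIX) + RESPONSE_WINDOW]
    return EXPECTED_NEXT_KEY not in window


def scan(exchanges: list) -> list:
    """Emit (sid, src, ts) alerts. The flowbit chaining is approximated per source address
    because access logs carry no flow id: the successful-response alert only fires for a
    source that already produced a leak attempt."""
    alerts = []
    attempted = set()
    for ex in sorted(exchanges, key=lambda e: e.ts):
        sid = leak_attempt_sid(ex)
        if sid is not None:
            attempted.add(ex.src)
            alerts.append((sid, ex.src, ex.ts))
        if ex.src in attempted and is_leak_response(ex):
            alerts.append((SUCCESS_SID, ex.src, ex.ts))
    return alerts


def suspicious_sources(exchanges: list) -> set:
    """Hunting correlation from the IOC list: sources whose leak attempt is later
    followed by a request that presents a session cookie."""
    first_attempt = {}
    hits = set()
    for ex in sorted(exchanges, key=lambda e: e.ts):
        if leak_attempt_sid(ex) is not None:
            first_attempt.setdefault(ex.src, ex.ts)
        elif ex.session_cookie and ex.src in first_attempt and ex.ts > first_attempt[ex.src]:
            hits.add(ex.src)
    return hits


# Constructed sample traffic (RFC 5737 addresses, example hostname, no real payloads).
NORMAL_DOC = (b'{"issuer": "https://gw.example.test", '
              b'"authorization_endpoint": "https://gw.example.test/oauth/idp/authorize"}')
LEAKED_DOC = b'{"issuer": "https://gw.example.test' + b"\x00" * 40 + b"<constructed leaked bytes>"

SAMPLE = [
    # Ordinary OIDC discovery: normal Host header, complete document -> nothing fires.
    HttpExchange(1, "198.51.100.7", "/oauth/idp/.well-known/openid-configuration",
                 "gw.example.test", 200, "application/json", NORMAL_DOC),
    # Oversized Host header and a body that runs into leaked memory: attempt + success.
    HttpExchange(2, "203.0.113.9", "/oauth/idp/.well-known/openid-configuration",
                 "a" * 24576, 200, "application/json", LEAKED_DOC),
    # The same source then shows up presenting a session cookie.
    HttpExchange(3, "203.0.113.9", "/vpn/index.html", "gw.example.test", 200,
                 "text/html", b"<html>", session_cookie=True),
    # Attempt against the rp endpoint that received a normal document: attempt only.
    HttpExchange(4, "203.0.113.50", "/oauth/rp/.well-known/openid-configuration",
                 "a" * 2100, 200, "application/json", NORMAL_DOC),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print("alert sid=%d src=%s ts=%d" % alert)
    print("sources to investigate:", sorted(suspicious_sources(SAMPLE)))
```

Real sensors should keep the flowbit per flow as the rules do; the per-source fallback here is only what an access log without flow ids allows.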
Metasploit
Citrix ADC (NetScaler) Bleed Scanner
metasploit
Citrix ADC (NetScaler) Bleed Scanner
Citrix ADC (NetScaler) Bleed Scanner
This module scans for a vulnerability that allows a remote, unauthenticated attacker to leak memory for a target Citrix ADC server. The leaked memory is then scanned for session cookies which can be hijacked if found.
Nuclei
Citrix Bleed - Leaking Session Tokens
nuclei·CVSS 7.5
CVE-2023-4966 [HIGH] Citrix Bleed - Leaking Session Tokens
Citrix Bleed - Leaking Session Tokens
Sensitive information disclosure in NetScaler ADC and NetScaler Gateway when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.
Template:

```yaml
id: CVE-2023-4966
info:
  name: Citrix Bleed - Leaking Session Tokens
  author: DhiyaneshDK
  severity: high
  description: |
    Sensitive information disclosure in NetScaler ADC and NetScaler Gateway when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.
  impact: |
    Unauthenticated attackers can leak session tokens from memory, potentially hijacking authenticated sessions and accessing sensitive Gateway resources.
  remediation: |
    Apply Citrix security updates immediately. Affected versions include NetScaler ADC and Gateway 14.1 before
```
Nuclei
Citrix Netscaler ADC & Gateway - Out-Of-Bounds Memory Read
nuclei·CVSS 7.5
CVE-2023-6549 [HIGH] Citrix Netscaler ADC & Gateway - Out-Of-Bounds Memory Read
Citrix Netscaler ADC & Gateway - Out-Of-Bounds Memory Read
The vulnerability would enable an attacker to remotely obtain sensitive information from a NetScaler appliance configured as a Gateway or AAA virtual server via a very commonly connected Web interface, and without requiring authentication. This bug is nearly identical to the Citrix Bleed vulnerability (CVE-2023-4966), except it is less likely to return highly sensitive information to an attacker.
Template:

```yaml
id: CVE-2023-6549
info:
  name: Citrix Netscaler ADC & Gateway - Out-Of-Bounds Memory Read
  author: ice3man
  severity: critical
  description: |
    The vulnerability would enable an attacker to remotely obtain sensitive information from a NetScaler appliance configured as a Gateway or AAA virtual server via a very commonly connected W
```
Tenable
Inside the customer environment: Where threat actors, vulnerabilities, and exposed assets intersect
blogs_tenable·2026-05-27
CVE-2023-4966 Inside the customer environment: Where threat actors, vulnerabilities, and exposed assets intersect
## Inside the customer environment: Where threat actors, vulnerabilities, and exposed assets intersect
Tenable Research has developed a graph-based model linking 600+ threat groups to real-world customer exposures. It reveals which vulnerabilities sit at the intersection of severity, active exploit
Hackernews
Citrix NetScaler Under Active Recon for CVE-2026-3055 (CVSS 9.3) Memory Overread Bug
blogs_hackernews·2026-03-28·CVSS 9.4
CVE-2026-3055 [CRITICAL] Citrix NetScaler Under Active Recon for CVE-2026-3055 (CVSS 9.3) Memory Overread Bug
## Citrix NetScaler Under Active Recon for CVE-2026-3055 (CVSS 9.3) Memory Overread Bug
A recently disclosed critical security flaw impacting Citrix NetScaler ADC and NetScaler Gateway is witnessing active reconnaissance activity, according to Defused Cyber and watchTowr .
The vulnerability, CVE-2026-3055 (CVSS score: 9.3), refers to a case of insufficient input validation leading to memory overread, which an attacker could exploit to leak potentially sensitive information.
Per Citrix, successful exploitation of the flaw hinges on the appliance being configured as a SAML Identity Provider (SAML IDP).
"We are now observing aut
Bleepingcomputer
Citrix urges admins to patch NetScaler flaws as soon as possible
blogs_bleepingcomputer·2026-03-25·CVSS 9.3
CVE-2026-3055 [CRITICAL] Citrix urges admins to patch NetScaler flaws as soon as possible
## Citrix urges admins to patch NetScaler flaws as soon as possible
## Sergiu Gatlan
Citrix has patched two vulnerabilities affecting NetScaler ADC networking appliances and NetScaler Gateway secure remote access solutions, one of which is very similar to the CitrixBleed and CitrixBleed2 flaws exploited in zero-day attacks in recent years.
The critical security bug (tracked as CVE-2026-3055 ) stems from insufficient input validation, which can lead to a memory overread on Citrix ADC or Citrix Gateway appliances configured as a SAML identity provider (IDP), potentially enabling remote attackers without privileges to steal sensitive information such as session tokens.
"Cloud Software Group strongly urges affected customers of NetScaler ADC and NetScaler Gateway to install the relevant up
Hackernews
Citrix Urges Patching Critical NetScaler Flaw Allowing Unauthenticated Data Leaks
blogs_hackernews·2026-03-24·CVSS 9.3
[CRITICAL] Citrix Urges Patching Critical NetScaler Flaw Allowing Unauthenticated Data Leaks
## Citrix Urges Patching Critical NetScaler Flaw Allowing Unauthenticated Data Leaks
Citrix has released security updates to address two vulnerabilities in NetScaler ADC and NetScaler Gateway, including a critical flaw that could be exploited to leak sensitive data from the application.
The vulnerabilities are listed below -
CVE-2026-3055 (CVSS score: 9.3) - Insufficient input validation leading to memory overread
CVE-2026-4368 (CVSS score: 7.7) - Race condition leading to user session mixup
Cybersecurity company Rapid7 said that CVE-2026-3055 refers to an out-of-bounds read that could be exploited by unauthenticated remote
Rapid7
CVE-2026-3055: Citrix NetScaler ADC and NetScaler Gateway Out-of-Bounds Read
blogs_rapid7·2026-03-23·CVSS 9.4
CVE-2026-3055 [CRITICAL] CVE-2026-3055: Citrix NetScaler ADC and NetScaler Gateway Out-of-Bounds Read
## Overview
On March 23, 2026, Citrix published a security advisory for a critical vulnerability affecting their NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) products. This vulnerability, CVE-2026-3055 , which is classified as an out-of-bounds read and holds a CVSS score of 9.3 , allows unauthenticated remote attackers to leak potentially sensitive information from the appliance's memory.
The Citrix advisory states that systems configured as a SAML Identity Provider (SAML IDP) are vulnerable , whereas default configurations are unaffected. This SAML IDP configuration is likely a very common configuration for organizations utilizing single sign-on. Per the advisory , organizations can determine if they have an appliance configured as a SAML IDP Profi
Hackernews
ThreatsDay Bulletin: FortiGate RaaS, Citrix Exploits, MCP Abuse, LiveChat Phish & More
blogs_hackernews·2026-03-19·CVSS 9.8
[CRITICAL] ThreatsDay Bulletin: FortiGate RaaS, Citrix Exploits, MCP Abuse, LiveChat Phish & More
## ThreatsDay Bulletin: FortiGate RaaS, Citrix Exploits, MCP Abuse, LiveChat Phish & More
ThreatsDay Bulletin is back on The Hacker News, and this week feels off in a familiar way. Nothing loud, nothing breaking everything at once. Just a lot of small things that shouldn’t work anymore but still do.
Some of it looks simple, almost sloppy, until you see how well it lands. Other bits feel a little too practical, like they’re already closer to real-world use than anyone wants to admit. And the background noise is getting louder again, the kind people usually ignore.
A few stories are clever in a bad way. Others are just frustrati
Mandiant
Ransomware Under Pressure: Tactics, Techniques, and Procedures in a Shifting Threat Landscape
blogs_mandiant·2026-03-16
Ransomware Under Pressure: Tactics, Techniques, and Procedures in a Shifting Threat Landscape
## Ransomware Under Pressure: Tactics, Techniques, and Procedures in a Shifting Threat Landscape
## Google Threat Intelligence Group
## Google Threat Intelligence
Visibility and context on the threats that matter most.
Written by: Bavi Sadayappan, Zach Riddle, Ioana Teaca, Kimberly Goody, Genevieve Stark
## Introduction
Since 2018, when many financially motivated threat actors began shifting their monetization strategy to post-compromise ransomware deployments, ransomware has become one of the most pervasive threats to organizations across almost every industry vertical and region. In recent years ransomware operations have evolved, creating a robust ecosystem that has lowered the barrier to entry via the commoditization and specialization of the supporting underground communities, w
Tenable
CVE-2025-7775 Citrix RCE Zero-day
blogs_tenable·2025-08-26·CVSS 9.2
[CRITICAL] CVE-2025-7775 Citrix RCE Zero-day
Bleepingcomputer
CISA tags Citrix Bleed 2 as exploited, gives agencies a day to patch
blogs_bleepingcomputer·2025-07-11·CVSS 9.4
CVE-2025-5777 [CRITICAL] CISA tags Citrix Bleed 2 as exploited, gives agencies a day to patch
## CISA tags Citrix Bleed 2 as exploited, gives agencies a day to patch
## Bill Toulas
The U.S. Cybersecurity & Infrastructure Security Agency has confirmed active exploitation of the CitrixBleed 2 vulnerability (CVE-2025-5777) in Citrix NetScaler ADC and Gateway and is giving federal agencies one day to apply fixes.
Such a short deadline for installing the patches is unprecedented since CISA released the Known Exploited Vulnerabilities (KEV) catalog, showing the severity of the attacks exploiting the security issue.
The agency added the flaw to its Known Exploited Vulnerabilities (KEV) catalog yesterday, ordering federal agencies to implement mitigations by the end of today, June 11.
CVE-2025-5777 is a critical memory safety vulnerability (out-of-bounds memory read) that gives an una
Bleepingcomputer
Public exploits released for Citrix Bleed 2 NetScaler flaw, patch now
blogs_bleepingcomputer·2025-07-07·CVSS 9.4
CVE-2025-5777 [CRITICAL] Public exploits released for Citrix Bleed 2 NetScaler flaw, patch now
## Public exploits released for Citrix Bleed 2 NetScaler flaw, patch now
## Lawrence Abrams
Researchers have released proof-of-concept (PoC) exploits for a critical Citrix NetScaler vulnerability, tracked as CVE-2025-5777 and dubbed CitrixBleed2, warning that the flaw is easily exploitable and can successfully steal user session tokens.
The CitrixBleed 2 vulnerability, which affects Citrix NetScaler ADC and Gateway devices, allows attackers to retrieve memory contents simply by sending malformed POST requests during login attempts.
This critical flaw is named CitrixBleed2 as it closely resembles the original CitrixBleed (CVE-2023-4966) bug from 2023, which was exploited by ransomware gangs and in attacks on governments to hijack user sessions and breach networks.
In technical analyses
Wiz
Critical vulnerabilities in NetScaler ADC exploited in-the-wild: everything you need to know | Wiz Blog
blogs_wiz·2025-07-06·CVSS 9.4
CVE-2025-5777 [CRITICAL] Critical vulnerabilities in NetScaler ADC exploited in-the-wild: everything you need to know | Wiz Blog
On June 17th, 2025, two critical vulnerabilities - CVE-2025-5349 and CVE-2025-5777 - were disclosed in Citrix Netscaler ADC and Netscaler Gateway, enabling unauthorized access to sensitive resources and memory overreads in specific configurations. Due to certain similarities between CVE-2025-5777 and CVE-2023-4966 (AKA “CitrixBleed”), in some publications this vulnerability has been nicknamed “CitrixBleed 2”.
On June 25, 2025, a third critical RCE vulnerability - CVE-2025-6543 - was also disclosed. This flaw affects the same products as above, with the vendor noting that it has been exploited in the wild as a 0-day. Customers are strongly advised to update to the latest fixed versions to mitigate these risks.
# What are the vulnerabilities?
### CVE-2025-5777: Memory Overread via Crafted
Wiz
Critical vulnerabilities in NetScaler ADC exploited in-the-wild: everything you need to know | Wiz Blog
blogs_wiz·2025-07-06·CVSS 9.4
CVE-2025-5349 [CRITICAL] Critical vulnerabilities in NetScaler ADC exploited in-the-wild: everything you need to know | Wiz Blog
On June 17th, 2025, two critical vulnerabilities - CVE-2025-5349 and CVE-2025-5777 - were disclosed in Citrix Netscaler ADC and Netscaler Gateway, enabling unauthorized access to sensitive resources and memory overreads in specific configurations. Due to certain similarities between CVE-2025-5777 and CVE-2023-4966 (AKA “CitrixBleed”), in some publications this vulnerability has been nicknamed “CitrixBleed 2”.
On June 25, 2025, a third critical RCE vulnerability - CVE-2025-6543 - was also disclosed. This flaw affects the same products as above, with the vendor noting that it has been exploited in the wild as a 0-day. Customers are strongly advised to update to the latest fixed versions to mitigate these risks.
## What are the vulnerabilities?
## CVE-2025-5349: Improper Access Control on
Tenable
CVE-2025-5777, CVE-2025-6543: Frequently Asked Questions About CitrixBleed 2 and Citrix NetScaler Exploitation
blogs_tenable·2025-06-27·CVSS 9.3
[CRITICAL] CVE-2025-5777, CVE-2025-6543: Frequently Asked Questions About CitrixBleed 2 and Citrix NetScaler Exploitation
Bleepingcomputer
New 'CitrixBleed 2' NetScaler flaw let hackers hijack sessions
blogs_bleepingcomputer·2025-06-25·CVSS 9.4
CVE-2025-5777 [CRITICAL] New 'CitrixBleed 2' NetScaler flaw let hackers hijack sessions
## New 'CitrixBleed 2' NetScaler flaw let hackers hijack sessions
## Bill Toulas
A recent vulnerability in Citrix NetScaler ADC and Gateway is dubbed "CitrixBleed 2," after its similarity to an older exploited flaw that allowed unauthenticated attackers to hijack authentication session cookies from vulnerable devices.
Last week, Citrix published a security bulletin warning about flaws tracked as CVE-2025-5777 and CVE-2025-5349 that impact NetScaler ADC and Gateway versions before 14.1-43.56, releases before 13.1-58.32, and also 13.1-37.235-FIPS/NDcPP and 2.1-55.328-FIPS.
The CVE-2025-5777 is a critical flaw that is caused by out-of-bounds memory read, allowing unauthenticated attacks to access portions of memory that they should not have access to.
This flaw impacts NetScaler devices
Qualys
Inside LockBit: Defense Lessons from the Leaked LockBit Negotiations
blogs_qualys·2025-05-08
Inside LockBit: Defense Lessons from the Leaked LockBit Negotiations
## Table of Contents
Who is LockBit? How it Evolved and Operates
Monero: The Coin of the Realm
Patch or Mitigate Now: Critical CVEs Exploited by LockBit
Beyond Traditional Endpoints: Other Compromised Systems
Initial Access and Deployment
Conclusion
The LockBit ransomware gang recently suffered a significant data breach. Their dark web affiliate panels were defaced with the message “Don’t do crime CRIME IS BAD xoxo from Prague,” linking to a MySQL database dump. This archive contains a SQL file from LockBit’s affiliate panel database that includes twenty tables, notably including a ‘btc_addresses’ table with 59,975 unique bitcoin addresses and a ‘chats’ table containing over 4,400 victim negotiation messages from December 2024 to the end of April 2025.
This blog post will leverage
Tenable
Reducing Remediation Time Remains a Challenge: How Tenable Vulnerability Watch Can Help
blogs_tenable·2025-04-25
Reducing Remediation Time Remains a Challenge: How Tenable Vulnerability Watch Can Help
Tenable
Verizon 2025 DBIR: Tenable Research Collaboration Shines a Spotlight on CVE Remediation Trends
blogs_tenable·2025-04-23
Verizon 2025 DBIR: Tenable Research Collaboration Shines a Spotlight on CVE Remediation Trends
Greynoiseio
GreyNoise Detects Active Exploitation of CVEs Mentioned in Black Basta’s Leaked Chat Logs
blogs_greynoiseio·2025-02-26·CVSS 9.8
[CRITICAL] GreyNoise Detects Active Exploitation of CVEs Mentioned in Black Basta’s Leaked Chat Logs
Qualys
Defense Lessons From the Black Basta Ransomware Playbook
blogs_qualys·2025-02-25
Defense Lessons From the Black Basta Ransomware Playbook
## Table of Contents
Know Your Enemy's Playbook
Attackers Move Fast
How Qualys Can Help
The cybersecurity world was rocked last week by a massive leak of Black Basta’s internal communications that emerged from the group’s chat logs. Triggered by internal conflicts and a retaliatory data dump following attacks on Russian banks, the exposed records offer a rare glimpse into Black Basta’s tactics, operations, and leadership.
We’ve analyzed these newly unveiled tactics, and in this blog, we equip security teams with clear, actionable insights. We aim to highlight the key lessons learned—like immediate patching, tighter access controls, and rapid incident response—and provide an urgent call to action. This practical guide aims to help organizations strengthen their defenses against evolving
Qualys
Qualys Achieves 100% Detection in 2024 MITRE ATT&CK Evaluation | Qualys
blogs_qualys·2024-12-11
Qualys Achieves 100% Detection in 2024 MITRE ATT&CK Evaluation | Qualys
#### Table of Contents
- From Risk Leader to EDR Powerhouse: How Qualys Evolved
- Qualys Performance: Leading the Industry
- Low False Positives: Essential for Effective EDR
- Why MITRE ATT&CK Evaluation Matters
- Qualys Endpoint Detection & Response: A Top Solution
- More Than Detection: A Comprehensive Risk Management Approach
- Advanced Ransomware Mitigation: Protecting Against Worst-Case Scenarios
- Conclusion
## From Risk Leader to EDR Powerhouse: How Qualys Evolved
In today’s rapidly evolving threat landscape, ransomware continues to dominate as one of the most significant cybersecurity challenges. To help organizations evaluate their defenses against these sophisticated threats, the MITRE ATT&CK Evaluations provide a transparent, real-world assessment of security solutions.
The
Tenable
Cybersecurity Snapshot: Five Eyes Rank 2023’s Most Frequently Exploited CVEs, While CSA Publishes Framework for AI System Audits
blogs_tenable·2024-11-15
Cybersecurity Snapshot: Five Eyes Rank 2023’s Most Frequently Exploited CVEs, While CSA Publishes Framework for AI System Audits
Bleepingcomputer
FBI, CISA, and NSA reveal most exploited vulnerabilities of 2023
blogs_bleepingcomputer·2024-11-12·CVSS 10.0
[CRITICAL] FBI, CISA, and NSA reveal most exploited vulnerabilities of 2023
## FBI, CISA, and NSA reveal most exploited vulnerabilities of 2023
## Sergiu Gatlan
The FBI, the NSA, and Five Eyes cybersecurity authorities have released a list of the top 15 routinely exploited vulnerabilities throughout last year, most of them first abused as zero-days.
A joint advisory published on Tuesday calls for organizations worldwide to immediately patch these security flaws and deploy patch management systems to minimize their networks' exposure to potential attacks.
"In 2023, malicious cyber actors exploited more zero-day vulnerabilities to compromise enterprise networks compared to 2022, allowing them to conduct cyber operations against higher-priority targets," the cybersecurity agencies warned.
"In 2023, the majority of the most frequently exploited vulnerabilities
Tenable
From Bugs to Breaches: 25 Significant CVEs As MITRE CVE Turns 25
blogs_tenable·2024-10-22
From Bugs to Breaches: 25 Significant CVEs As MITRE CVE Turns 25
Greynoiseio
U.S. and UK Warn of Russian Cyber Threats: 9 of 12 GreyNoise-Tracked Vulnerabilities in the Advisory Are Being Probed Right Now
blogs_greynoiseio·2024-10-17
U.S. and UK Warn of Russian Cyber Threats: 9 of 12 GreyNoise-Tracked Vulnerabilities in the Advisory Are Being Probed Right Now
Bleepingcomputer
Embargo ransomware escalates attacks to cloud environments
blogs_bleepingcomputer·2024-09-27·CVSS 9.8
[CRITICAL] Embargo ransomware escalates attacks to cloud environments
## Embargo ransomware escalates attacks to cloud environments
## Bill Toulas
## Storm-0501 attack flow
The attacker gains access to cloud environments by exploiting weak credentials and taking advantage of privileged accounts, with the goal of stealing data and executing a ransomware payload.
Microsoft explains that Storm-0501 obtains initial access to the network with stolen or purchased credentials, or by exploiting known vulnerabilities.
Some of the flaws used in recent attacks are CVE-2022-47966 (Zoho ManageEngine), CVE-2023-4966 (Citrix NetScaler), and possibly CVE-2023-29300 or CVE-2023-38203 (ColdFusion 2016).
The adversary moves laterally using frameworks like Impacket and Cobalt Strike, steals data through a custom Rclone binary renamed to mimic a Windows tool, and disab
Microsoft
Storm-0501: Ransomware attacks expanding to hybrid cloud environments
blogs_microsoft·2024-09-26·CVSS 9.8
CVE-2022-47966 [CRITICAL] Storm-0501: Ransomware attacks expanding to hybrid cloud environments
Research
September 26, 2024
Storm-0501 previously achieved initial access through intrusions facilitated by access brokers like Storm-0249 and Storm-0900, leveraging possibly stolen compromised credentials to sign in to the target system, or exploiting various known remote code execution vulnerabilities in unpatched public-facing servers. In a recent campaign, Storm-0501 exploited known vulnerabilities in Zoho ManageEngine (CVE-2022-47966), Citrix NetScaler (CVE-2023-4966), and ColdFusion 2016 application (possibly CVE-2023-29300 or CVE-2023-38203). In cases observed by Microsoft, these initial access techniques, combined with insufficient operational security practices by the targets, provided the threat actor with administrative privileges on the target device.
After gaining initial a
Bleepingcomputer
Citrix warns admins to manually mitigate PuTTY SSH client bug
blogs_bleepingcomputer·2024-05-09·CVSS 5.9
CVE-2024-31497 [MEDIUM] Citrix warns admins to manually mitigate PuTTY SSH client bug
## Citrix warns admins to manually mitigate PuTTY SSH client bug
## Sergiu Gatlan
Citrix notified customers this week to manually mitigate a PuTTY SSH client vulnerability that could allow attackers to steal a XenCenter admin's private SSH key.
XenCenter helps manage Citrix Hypervisor environments from a Windows desktop, including deploying and monitoring virtual machines.
The security flaw (tracked as CVE-2024-31497) impacts multiple versions of XenCenter for Citrix Hypervisor 8.2 CU1 LTSR, which bundle and use PuTTY to make SSH connections from XenCenter to guest VMs when clicking the "Open SSH Console" button.
Citrix says that the PuTTY third-party component has been removed starting with XenCenter 8.2.6, and any versions after 8.2.7 will no longer include it.
"An issue has been
Bleepingcomputer
Ransomware payments drop to record low of 28% in Q1 2024
blogs_bleepingcomputer·2024-04-21·CVSS 5.0
[MEDIUM] Ransomware payments drop to record low of 28% in Q1 2024
## Ransomware payments drop to record low of 28% in Q1 2024
## Bill Toulas
Ransomware actors have had a rough start this year, as stats from cybersecurity firm Coveware show companies are increasingly refusing to pay extortion demands, leading to a record low of 28% of companies paying ransom in the first quarter of 2024.
This figure was 29% in Q4 2023, and Coveware's stats show that diminishing payments have remained steady since early 2019.
This decrease is due to organizations implementing more advanced protective measures, mounting legal pressure not to meet the crooks' financial demands, and cybercriminals repeatedly breaching promises not to publish or resell stolen data if a ransom is paid.
However, it is essential to note that despite the drop in the payment rate, the amount
Unit42
Ransomware Retrospective 2024: Unit 42 Leak Site Analysis
blogs_unit42·2024-02-05
Ransomware Retrospective 2024: Unit 42 Leak Site Analysis
## Executive Summary
The ransomware landscape experienced significant transformations and challenges in 2023. The year saw a 49% increase in victims reported by ransomware leak sites, with a total of 3,998 posts from various ransomware groups.
What drove this surge of activity? 2023 saw high-profile vulnerabilities like SQL injection for MOVEit and GoAnywhere MFT services. Zero-day exploits for these vulnerabilities drove spikes in ransomware infections by groups like CL0P, LockBit and ALPHV (BlackCat) before defenders could update the vulnerable software.
Leak site data reveals at least 25 new ransomware groups emerged in 2023, indicating the continued attraction of ransomware as a profitable criminal activity. Despite the appearance of new groups such as Darkrace, CryptNet and U-Bomb,
Talos
IR Q4 2023 trends: Significant increase in ransomware activity found in engagements, while education remains one of the most-targeted sectors
blogs_talos·2024-01-24
IR Q4 2023 trends: Significant increase in ransomware activity found in engagements, while education remains one of the most-targeted sectors
## IR Q4 2023 trends: Significant increase in ransomware activity found in engagements, while education remains one of the most-targeted sectors
## First time ransomware was the top threat in 2023, according to Q4 2023 Talos Incident Response report
Ransomware, including pre-ransomware activity, was the top observed threat in the fourth quarter of 2023, accounting for 28 percent of engagements, according to Cisco Talos Incident Response (Talos IR), notably a 17 percent increase from the previous quarter.
Talos IR observed operations involving Play, Cactus, BlackSuit and NoEscape ransomware for the first time this quarter.
As reflected in Talos IR’s quarterly report for the third quarter of 2024, the team responded to many incidents with miscellaneous post-compromise activity, though t
Bleepingcomputer
Citrix warns of new Netscaler zero-days exploited in attacks
blogs_bleepingcomputer·2024-01-16·CVSS 5.5
CVE-2023-6548 [MEDIUM] Citrix warns of new Netscaler zero-days exploited in attacks
## Citrix warns of new Netscaler zero-days exploited in attacks
## Sergiu Gatlan
Citrix urged customers on Tuesday to immediately patch Netscaler ADC and Gateway appliances exposed online against two actively exploited zero-day vulnerabilities.
The two zero-days (tracked as CVE-2023-6548 and CVE-2023-6549) impact the Netscaler management interface and expose unpatched Netscaler instances to remote code execution and denial-of-service attacks, respectively.
However, to gain code execution, attackers must be logged in to low-privilege accounts on the targeted instance and need access to NSIP, CLIP, or SNIP with management interface access.
Also, the appliances must be configured as a gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or an AAA virtual server to be vulnerable to Do
Tenable
CVE-2023-6548, CVE-2023-6549: Zero-Day Vulnerabilities Exploited in Citrix NetScaler ADC and NetScaler Gateway
blogs_tenable·2024-01-16·CVSS 5.5
[MEDIUM] CVE-2023-6548, CVE-2023-6549: Zero-Day Vulnerabilities Exploited in Citrix NetScaler ADC and NetScaler Gateway
Checkpoint
25th December – Threat Intelligence Report
blogs_checkpoint·2023-12-25·CVSS 7.5
CVE-2023-4966 [HIGH] 25th December – Threat Intelligence Report
## 25th December – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 25th December, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Australia’s largest non-profit healthcare provider, St. Vincent’s Health Australia, experienced a cyberattack resulting in data theft from its networks. Vincent’s operates public and private hospitals, as well as elderly care facilities across New South Wales, Victoria, and Queensland, employing over 20,000 staff.
Xfin
Bleepingcomputer
Xfinity discloses data breach affecting over 35 million people
blogs_bleepingcomputer·2023-12-18·CVSS 9.4
CVE-2023-4966 [CRITICAL] Xfinity discloses data breach affecting over 35 million people
## Xfinity discloses data breach affecting over 35 million people
## Sergiu Gatlan
Comcast Cable Communications, doing business as Xfinity, disclosed on Monday that attackers who breached one of its Citrix servers in October also stole customer-sensitive information from its systems.
On October 25, roughly two weeks after Citrix released security updates to address a critical vulnerability now known as Citrix Bleed and tracked as CVE-2023-4966, the telecommunications company found evidence of malicious activity on its network between October 16 and October 19.
Cybersecurity company Mandiant says the Citrix flaw had been actively exploited as a zero-day since at least late August 2023.
Following an investigation into the impact of the incident, Xfinity discovered on November 16 that th
Tenable
CVE-2023-4966 (CitrixBleed): Invalidate Active or Persistent Sessions To Prevent Further Compromise
blogs_tenable·2023-12-06·CVSS 9.4
[CRITICAL] CVE-2023-4966 (CitrixBleed): Invalidate Active or Persistent Sessions To Prevent Further Compromise
Checkpoint
4th December – Threat Intelligence Report
blogs_checkpoint·2023-12-04·CVSS 7.5
CVE-2023-4966 [HIGH] 4th December – Threat Intelligence Report
## 4th December – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 4th December, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Check Point Research provides highlights about Cyber Av3ngers group activity; the group has taken responsibility for defacing workstations at Pennsylvania's Aliquippa municipal water authority. Following the attack, CISA has published an advisory about this hacktivist group, which is affiliated with the Iranian Revolutionary Guard C
Bleepingcomputer
US Health Dept urges hospitals to patch critical Citrix Bleed bug
blogs_bleepingcomputer·2023-12-02·CVSS 9.4
[CRITICAL] US Health Dept urges hospitals to patch critical Citrix Bleed bug
## US Health Dept urges hospitals to patch critical Citrix Bleed bug
## Sergiu Gatlan
"The Citrix Bleed vulnerability is being actively exploited, and HC3 strongly urges organizations to upgrade to prevent further damage against the Healthcare and Public Health (HPH) sector. This alert contains information on attack detection and mitigation of the vulnerability," HC3 warned.
"HC3 strongly encourages users and administrators to review these recommended actions and upgrade their devices to prevent serious damage to the HPH sector."
Before this, Citrix issued two warnings asking admins to immediately patch their appliances. It also reminded admins to kill all active and persistent sessions to prevent attackers from stealing authentication tokens even after installing the security updates
Bleepingcomputer
Citrix warns admins to kill NetScaler user sessions to block hackers
blogs_bleepingcomputer·2023-11-21·CVSS 9.4
CVE-2023-4966 [CRITICAL] Citrix warns admins to kill NetScaler user sessions to block hackers
## Citrix warns admins to kill NetScaler user sessions to block hackers
## Sergiu Gatlan
Citrix reminded admins today that they must take additional measures after patching their NetScaler appliances against the CVE-2023-4966 'Citrix Bleed' vulnerability to secure vulnerable devices against attacks.
Besides applying the necessary security updates, they're also advised to wipe all previous user sessions and terminate all active ones.
This is a crucial step, seeing that attackers behind ongoing Citrix Bleed exploitation have been stealing authentication tokens, allowing them to access compromised devices even after they have been patched.
Citrix patched the flaw in early October, but Mandiant revealed that it has been under active exploitation as a zero-day since at least late August 20
Tenable
Frequently Asked Questions for CitrixBleed (CVE-2023-4966)
blogs_tenable·2023-11-20·CVSS 9.4
[CRITICAL] Frequently Asked Questions for CitrixBleed (CVE-2023-4966)
Bleepingcomputer
The Week in Ransomware - November 17th 2023 - Citrix in the Crosshairs
blogs_bleepingcomputer·2023-11-17·CVSS 9.4
CVE-2023-4966 [CRITICAL] The Week in Ransomware - November 17th 2023 - Citrix in the Crosshairs
## The Week in Ransomware - November 17th 2023 - Citrix in the Crosshairs
## Lawrence Abrams
Ransomware gangs target exposed Citrix Netscaler devices using a publicly available exploit to breach large organizations, steal data, and encrypt files.
The threat actors exploit the Citrix Bleed vulnerability (CVE-2023-4966), which was disclosed last month and continues to be abused in attacks.
Security researcher Kevin Beaumont, who has been tracking the attacks, has found that many recent victims also utilized vulnerable Citrix Netscaler devices at the time of the attack, allowing initial access to the corporate network.
Some companies that recently suffered a cyberattack and utilized vulnerable Citrix Netscaler devices include Toyota Financial Services , Industrial and Commercial Bank of
Bleepingcomputer
Toyota confirms breach after Medusa ransomware threatens to leak data
blogs_bleepingcomputer·2023-11-16
Toyota confirms breach after Medusa ransomware threatens to leak data
## Toyota confirms breach after Medusa ransomware threatens to leak data
## Bill Toulas
Toyota Financial Services (TFS) has confirmed that it detected unauthorized access on some of its systems in Europe and Africa after Medusa ransomware claimed an attack on the company.
Toyota Financial Services, a subsidiary of Toyota Motor Corporation, is a global entity with a presence in 90% of the markets where Toyota sells its cars, providing auto financing to its customers.
Earlier today, the Medusa ransomware gang listed TFS to its data leak site on the dark web, demanding a payment of $8,000,000 to delete data allegedly stolen from the Japanese company.
The threat actors gave Toyota 10 days to respond, with the option to extend the deadline for $10,000 per day.
While Toyota Finance did not
Bleepingcomputer
LockBit ransomware exploits Citrix Bleed in attacks, 10K servers exposed
blogs_bleepingcomputer·2023-11-14·CVSS 9.4
CVE-2023-4966 [CRITICAL] LockBit ransomware exploits Citrix Bleed in attacks, 10K servers exposed
## LockBit ransomware exploits Citrix Bleed in attacks, 10K servers exposed
## Bill Toulas
The Lockbit ransomware attacks use publicly available exploits for the Citrix Bleed vulnerability (CVE-2023-4966) to breach the systems of large organizations, steal data, and encrypt files.
Although Citrix made fixes available for CVE-2023-4966 more than a month ago, thousands of internet-exposed endpoints are still running vulnerable appliances, many in the U.S.
## High-profile Lockbit attacks
Threat researcher Kevin Beaumont has been tracking attacks against various companies, including the Industrial and Commercial Bank of China (ICBC), DP World, Allen & Overy, and Boeing, and found they had something in common.
These are exposed Citrix servers [1, 2] vulnerable to the Citrix Bleed f
Bleepingcomputer
LockBit ransomware leaks gigabytes of Boeing data
blogs_bleepingcomputer·2023-11-12·CVSS 9.4
[CRITICAL] LockBit ransomware leaks gigabytes of Boeing data
## LockBit ransomware leaks gigabytes of Boeing data
## Ionut Ilascu
The LockBit ransomware gang published data stolen from Boeing, one of the largest aerospace companies that services commercial airplanes and defense systems.
Before the leak, LockBit hackers said that Boeing ignored warnings that data would become publicly available and threatened to publish a sample of about 4GB of the most recent files.
## Backup data published
LockBit ransomware has leaked more than 43GB of files from Boeing after the company refused to pay a ransom.
Most of the data listed on the hacker group’s leak site are backups for various systems, the most recent of them with an October 22 timestamp.
The ransomware actor posted Boeing on their site on October 27 and gave the company a November 2nd deadlin
Talos
You’d be surprised to know what devices are still using Windows CE
blogs_talos·2023-11-02
You’d be surprised to know what devices are still using Windows CE
## You’d be surprised to know what devices are still using Windows CE
Windows CE — an operating system that, despite being out for 27 years, never had an official explanation for why it was called “CE” — finally reached its official end-of-life period this week.
This was Microsoft’s first operating system for embedded and pocket devices, making an appearance on personal pocket assistants, some of the first BlackBerry-likes, laptops and more during its lifetime.
In 2020, Microsoft announced a clear migration path for devices using Windows CE and warned of its impending end-of-life (meaning there'd be no more support, security patches, etc.) by telling users to run a container on top of Windows 10 IoT.
However, Microsoft says it will continue license sales for Windows Embedded Compact 2
Wiz
Crying Out Cloud - November Newsletter | Wiz
blogs_wiz·2023-11-01·CVSS 9.8
CVE-2023-42115 [CRITICAL] Crying Out Cloud - November Newsletter | Wiz
The past month has brought a series of vulnerabilities and security incidents that have left users affected. Amidst the noise, we've taken it upon ourselves to curate the most significant developments for you.
Here are our top picks of cloud security highlights!
## 🐞 High Profile Vulnerabilities
## Critical and high severity 0day vulnerabilities in Exim
Multiple vulnerabilities were disclosed in Exim Mail Transfer Agent (MTA), including CVE-2023-42115, which is a critical vulnerability enabling unauthenticated attackers to remotely execute code on publicly exposed Exim servers with a specific non-default configuration. This issue results from improper input validation that leads to writing arbitrary code past the end of the buffer.
According to Wiz data, although Exim is very prevalen
Bleepingcomputer
Hackers use Citrix Bleed flaw in attacks on govt networks worldwide
blogs_bleepingcomputer·2023-11-01·CVSS 7.5
CVE-2023-4966 [HIGH] Hackers use Citrix Bleed flaw in attacks on govt networks worldwide
## Hackers use Citrix Bleed flaw in attacks on govt networks worldwide
## Bill Toulas
Threat actors are leveraging the 'Citrix Bleed' vulnerability, tracked as CVE-2023-4966, to target government, technical, and legal organizations in the Americas, Europe, Africa, and the Asia-Pacific region.
Researchers from Mandiant report that four ongoing campaigns target vulnerable Citrix NetScaler ADC and Gateway appliances, with attacks underway since late August 2023.
The security company has seen post-exploitation activity related to credential theft and lateral movement, warning that exploitation leaves behind limited forensic evidence, making these attacks particularly stealthy.
## Citrix Bleed
The Citrix Bleed CVE-2023-4966 vulnerability was disclosed on October 10 as a critical severity
Unit42
Threat Brief: Citrix Bleed CVE-2023-4966
blogs_unit42·2023-11-01·CVSS 9.4
CVE-2023-4966 [CRITICAL] Threat Brief: Citrix Bleed CVE-2023-4966
## Executive Summary
Unit 42 stopped monitoring this threat and updating the brief on Aug. 14, 2025. Please refer to the Citrix website for the latest information.
On Oct. 10, 2023, Citrix published a patch for their Netscaler ADC and Netscaler Gateway products. One particular vulnerability that this patch is meant to mitigate has come to be known as Citrix Bleed (CVE-2023-4966).
This nickname was given because the vulnerability can leak sensitive information from the device’s memory, which can include session tokens. Attackers can then use these credentials to gain a foothold into systems via session hijacking. At the time of the patch, Citrix was unaware of ongoing attacks using this vulnerability but has since stated that they have observed threat actors using it.
The Unit 42 Incide
Bleepingcomputer
Citrix Bleed exploit lets hackers hijack NetScaler accounts
blogs_bleepingcomputer·2023-10-25·CVSS 9.4
CVE-2023-4966 [CRITICAL] Citrix Bleed exploit lets hackers hijack NetScaler accounts
## Citrix Bleed exploit lets hackers hijack NetScaler accounts
## Bill Toulas
A proof-of-concept (PoC) exploit is released for the 'Citrix Bleed' vulnerability, tracked as CVE-2023-4966, that allows attackers to retrieve authentication session cookies from vulnerable Citrix NetScaler ADC and NetScaler Gateway appliances.
CVE-2023-4966 is a critical-severity remotely exploitable information disclosure flaw Citrix fixed on October 10 without providing many details.
On October 17, Mandiant revealed that the flaw was abused as a zero-day in limited attacks since late August 2023.
This Monday, Citrix issued a subsequent warning to administrators of NetScaler ADC and Gateway appliances, urging them to patch the flaw immediately, as the rate of exploitation has started to pick up.
Today, re
Checkpoint
23rd October – Threat Intelligence Report
blogs_checkpoint·2023-10-23
CVE-2023-22515 23rd October – Threat Intelligence Report
## 23rd October – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 23rd October, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Attackers have gained access to parts of the network of the cloud identity authentication giant Okta. The hackers managed to gain access to the firm’s support unit for at least two weeks and have attempted to use tokens copied from support tickets to access the firm’s customers’ networks. Reportedly, the firm only became
Bleepingcomputer
Citrix warns admins to patch NetScaler CVE-2023-4966 bug immediately
blogs_bleepingcomputer·2023-10-23·CVSS 9.4
CVE-2023-4966 [CRITICAL] Citrix warns admins to patch NetScaler CVE-2023-4966 bug immediately
## Citrix warns admins to patch NetScaler CVE-2023-4966 bug immediately
## Sergiu Gatlan
Citrix warned admins today to secure all NetScaler ADC and Gateway appliances immediately against ongoing attacks exploiting the CVE-2023-4966 vulnerability.
The company patched this critical sensitive information disclosure flaw (tracked as CVE-2023-4966) two weeks ago, assigning it a 9.4/10 severity rating as it's remotely exploitable by unauthenticated attackers in low-complexity attacks that don't require user interaction.
NetScaler appliances must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or an AAA virtual server to be vulnerable to attacks.
While the company had no evidence the vulnerability was being exploited in the wild when the fix was released, ongoing
Tenable
CVE-2023-4966: Citrix NetScaler ADC and NetScaler Gateway Information Disclosure Exploited in the Wild
blogs_tenable·2023-10-18·CVSS 9.4
[CRITICAL] CVE-2023-4966: Citrix NetScaler ADC and NetScaler Gateway Information Disclosure Exploited in the Wild
Bleepingcomputer
Recently patched Citrix NetScaler bug exploited as zero-day since August
blogs_bleepingcomputer·2023-10-18·CVSS 9.4
CVE-2023-4966 [CRITICAL] Recently patched Citrix NetScaler bug exploited as zero-day since August
## Recently patched Citrix NetScaler bug exploited as zero-day since August
## Bill Toulas
A critical vulnerability tracked as CVE-2023-4966 in Citrix NetScaler ADC/Gateway devices has been actively exploited as a zero-day since late August, security researchers announced.
The security issue is an information disclosure and received a fix last week. It allows attackers to access secrets in appliances configured as gateways or authentication, authorization, and accounting (AAA) virtual servers.
In a security bulletin on October 10 with few technical details, Citrix strongly urged customers to install the available update without delay.
A report from Mandiant disclosed that it found signs of CVE-2023-4966 being exploited in the wild since August for stealing authentication sessions and
Bleepingcomputer
New critical Citrix NetScaler flaw exposes 'sensitive' data
blogs_bleepingcomputer·2023-10-10·CVSS 9.4
CVE-2023-4966 [CRITICAL] New critical Citrix NetScaler flaw exposes 'sensitive' data
## New critical Citrix NetScaler flaw exposes 'sensitive' data
## Bill Toulas
Citrix NetScaler ADC and NetScaler Gateway are impacted by a critical severity flaw that allows the disclosure of sensitive information from vulnerable appliances.
The flaw is tracked as CVE-2023-4966 and has received a CVSS rating of 9.4, being remotely exploitable without requiring high privileges, user interaction, or high complexity.
However, there's the prerequisite of the appliance to be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or an AAA virtual server for it to be vulnerable to attacks.
While the flaw's exploitation can lead to "sensitive information disclosure," the vendor has not provided any details about what information is exposed.
A second vulnerability disclosed
Sentinelone
Black Basta
blogs_sentinelone·2022-11-30
Black Basta
Recorded Future
Smarter Cybersecurity with IPv6: How Drip Architecture Defeats Spray-and-Pray Attacks
blogs_recorded_future
Smarter Cybersecurity with IPv6: How Drip Architecture Defeats Spray-and-Pray Attacks
# IPv6 Drip Drowns Spray-and-Pray
## AI Hackathons and the Future of Security Architecture
Last week, a few Futurists met up to work out the practical realities of AI-enabled Red Teaming (among other topics). In addition to two days of phenomenal vibe coding in Cursor, the final presentations were light on hyperbole and heavy on capabilities and remarkable outcomes, created in a day or less. Two years ago, when LLMs made their mainstream debut, I was dubious, but the hackathon confirmed recent observations (last three months) that AI is accelerating security workflows (like everything else) at warp speed. Change, soon driven primarily through various agentic flavors, is happening at a pace that is difficult to comprehend.
The flight home was spent considering how to get ahead of the adv
Greynoiseio
NoiseLetter March 2026
blogs_greynoiseio
NoiseLetter March 2026
Events, events… and yes, even more events. 🌍 GreyNoise has been on the move. March kept us busy with stops at eCrimes in London and SecIT in Hanover—but we’re just getting started. Over the next few months, we’ll be hitting the road for CrowdStrike CrowdTours across eight cities, heading to Glasgow to speak and sponsor CyberUK, and making our way to Tampa for H-ISAC. If you’ll be at any of these (or nearby), we’d love to connect.
And while we’ve been racking up miles, we haven’t slowed down on the research front. We’ve just released some exciting new findings—with even more coming in the next few weeks—so keep an eye out.
Thanks, as always, for being part of the GreyNoise community.
Featured
About this new report
Every enterprise firewall processes traffic from residential IP space. T
Greynoiseio
Battling Ransomware One Tag At A Time
blogs_greynoiseio
Battling Ransomware One Tag At A Time
Greynoiseio
CVE-2023-4966 Helps Usher In A Baker’s Dozen Of Citrix Tags To Further Help Organizations Mitigate Harm
blogs_greynoiseio·CVSS 9.4
[CRITICAL] CVE-2023-4966 Helps Usher In A Baker’s Dozen Of Citrix Tags To Further Help Organizations Mitigate Harm
Threat Intel
Storm-0501 (Storm-0501)
threat_intel·CVSS 9.8
[CRITICAL] Storm-0501 (Storm-0501)
# Threat Actor Profile: Storm-0501
ATT&CK ID: G1053
Also known as: Storm-0501
## Overview
Storm-0501 is a financially motivated cyber criminal group that uses commodity and open-source tools to conduct ransomware operations. Storm-0501 has been active since 2021 and has previously been affiliated with Sabbath Ransomware and other Ransomware-as-a-Service (RaaS) variants such as Hive, BlackCat, Hunters International, LockBit 3.0, and Embargo ransomware.(Citation: Avertium Storm-0501 Sabbath Ransomware Arcane January 2022)(Citation: Microsoft Storm-501 Sabbath Ransomware Embargo September 2024)(Citation: Microsoft Storm-0501 Embargo Ransomware August 2025)(Citation: Google Mandiant Storm-0501 Sabbath Ransomware November 2021)
## Techniques (TTPs)
### Resource Development
- T1587.003 Digita
Greynoiseio
NoiseLetter
blogs_greynoiseio·CVSS 10.0
[CRITICAL] NoiseLetter
Huntress
CVE-2023-4966 Vulnerability: Analysis, Impact, Mitigation | Huntress
blogs_huntress·CVSS 7.5
CVE-2023-4966 [HIGH] CVE-2023-4966 Vulnerability: Analysis, Impact, Mitigation | Huntress
## CVE-2023-4966 Vulnerability
Published: 11/21/2025
Written by: Lizzie Danielson
## What is CVE-2023-4966 vulnerability?
The CVE-2023-4966 vulnerability, commonly referred to as “Citrix Bleed,” is an information disclosure vulnerability found in Citrix Netscaler ADC and Gateway (CVE-2023-4966). It allows unauthenticated attackers to leak sensitive memory contents. Classified as medium to high risk depending on implementation, it has severe implications, particularly in systems exposing Citrix appliances directly to the internet.
## When was it discovered?
CVE-2023-4966 was disclosed publicly in October 2023 by Citrix as part of a regular advisory cycle. Rapid7 published details on the exploit shortly after, highlighting its exploitation potential. Initial discovery credits go to ind
Greynoiseio
Decoding Mass Exploitation in 2023: A GreyNoise Perspective| GreyNoise Blog
blogs_greynoiseio
Decoding Mass Exploitation in 2023: A GreyNoise Perspective| GreyNoise Blog
Greynoiseio
GreyNoise Intelligence Publishes Second Annual Retrospective to Help International Cybersecurity Community Defend Against Internet Exploitation
blogs_greynoiseio
GreyNoise Intelligence Publishes Second Annual Retrospective to Help International Cybersecurity Community Defend Against Internet Exploitation
Sentinelone
Black Basta
blogs_sentinelone
Black Basta
# Black Basta Ransomware: In-Depth Analysis, Detection, and Mitigation
## Summary of Black Basta Ransomware
Black Basta first emerged in early 2022. The ransomware family is an evolution of the Hermes/Ryuk/Conti families. Black Basta was heavily advertised in underground cybercrime markets. Black Basta practices double extortion – demanding payment for a decryptor, as well as for the non-release of stolen data. There are Windows and Linux variants of Black Basta ransomware. The group is responsible for hundreds of attacks against global targets of varying sectors.
February 2025 Update: Nearly a year’s worth of Black Basta chat logs have been released on Telegram, providing detailed insight into the group's operational workflow, reconnaissance activities, and specific userID and details o
HackerOne
Out-Of-Bounds Memory Read on ███
hackerone·2024-06-18
Out-Of-Bounds Memory Read on ███
Out-Of-Bounds Memory Read on ███
Vulnerability Identifier: OOB Memory Read (CVE-ID Pending)
Affected System: Netscaler ADC and Gateway deployed at https://███████/nf/auth/doAuthentication.do
Overview:
An out-of-bounds (OOB) memory read vulnerability has been identified in Netscaler ADC (Application Delivery Controller) and Gateway, which are network appliances used for load balancing, security, and traffic management. This vulnerability affects the instance deployed at https://███/nf/auth/doAuthentication.do. Exploitation of this vulnerability could potentially lead to unauthorized access to sensitive information, service disruption, or further exploitation of the affected system.
Vulnerability Details:
The OOB memory read vulnerability arises due to improper input validation or bounda
arXiv
Efficacy of EPSS in High Severity CVEs found in KEV
arxiv_fulltext·2024-11-04
Efficacy of EPSS in High Severity CVEs found in KEV
## Abstract
The Exploit Prediction Scoring System (EPSS) is designed to assess the probability of a vulnerability being exploited in the next 30 days relative to other vulnerabilities. The latest version, based on a research paper published in arXiv , assists defenders in deciding which vulnerabilities to prioritize for remediation. This study evaluates EPSS's ability to predict exploitation before vulnerabilities are actively compromised, focusing on high severity CVEs that are known to have been exploited and included in the CISA KEV catalog. By analyzing EPSS score history, the availability and simplicity of exploits, the system's purpose, its value as a target for Threat Actors (TAs), this paper examines EPSS's potential and identifies ar
http://packetstormsecurity.com/files/175323/Citrix-Bleed-Session-Token-Leakage-Proof-Of-Concept.html
https://support.citrix.com/article/CTX579459
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-4966
2023-10-10
Published
2023-10-18
Added to CISA KEV
Exploited in the wild