CVE-2023-4966
published 2023-10-10

CVE-2023-4966: Sensitive information disclosure in NetScaler ADC and NetScaler Gateway when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA…

Priority: P190 (high)
CVSS 3.1: 7.5 (AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N)
Tags: KEV, ITW, exploit, ransomware, initial access
CISA Known Exploited Vulnerability (due 2023-11-08)
Exploited in the wild
EPSS: 100.00% (100.0th percentile)
Sensitive information disclosure in NetScaler ADC and NetScaler Gateway when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.

Affected

22 ranges

Vendor   Product                                      Version range              Fixed in
citrix   citrix_adc
citrix   citrix_gateway
citrix   netscaler_adc
citrix   netscaler_adc                                >= 12.1-FIPS < 55.300      55.300
citrix   netscaler_adc                                >= 12.1-NDcPP < 55.300     55.300
citrix   netscaler_adc                                >= 13.0 < 92.19            92.19
citrix   netscaler_adc                                >= 13.1 < 49.15            49.15
citrix   netscaler_adc                                >= 13.1-FIPS < 37.164      37.164
citrix   netscaler_adc                                >= 14.1 < 8.50             8.50
citrix   netscaler_application_delivery_controller    >= 12.1 < 12.1-55.300      12.1-55.300
citrix   netscaler_application_delivery_controller    >= 13.0 < 13.0-92.19       13.0-92.19
citrix   netscaler_application_delivery_controller    >= 13.1 < 13.1-37.164      13.1-37.164
citrix   netscaler_application_delivery_controller    >= 13.1 < 13.1-49.15       13.1-49.15
citrix   netscaler_application_delivery_controller    >= 14.1 < 14.1-8.50        14.1-8.50
citrix   netscaler_gateway
citrix   netscaler_gateway                            >= 13.0 < 92.19            92.19
citrix   netscaler_gateway                            >= 13.0 < 13.0-92.19       13.0-92.19
citrix   netscaler_gateway                            >= 13.1 < 49.15            49.15
citrix   netscaler_gateway                            >= 13.1 < 13.1-49.15       13.1-49.15
citrix   netscaler_gateway                            >= 14.1 < 8.50             8.50
citrix   netscaler_gateway                            >= 14.1 < 14.1-8.50        14.1-8.50
citrix   xenserver

Detection & IOCs (extracted from sources)

Session-invalidation commands (NetScaler CLI):
  • kill aaa session -all
  • kill icaconnection -all
  • kill rdp connection -all
  • kill pcoipConnection -all
  • clear lb persistentSessions
  • Session tokens stolen pre-patch remain valid post-patch; organizations must invalidate all active and persistent sessions on NetScaler ADC/Gateway after patching to prevent continued unauthorized access.
  • Storm-0501 threat actor exploited CVE-2023-4966 for initial access; post-exploitation activity includes use of Cobalt Strike beacons with license_id '666', Impacket SecretsDump, and Rclone renamed to svhost.exe or scvhost.exe for data exfiltration.
  • CVE-2023-4966 is only exploitable on NetScaler ADC/Gateway devices configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server — scope detection and hunting to these configurations.
  • Mass automated exploitation of CVE-2023-4966 was observed at scale; approximately 20,000 Citrix devices had session tokens stolen via automated scanning — correlate NetScaler access logs for anomalous unauthenticated HTTP requests that precede authenticated sessions.
  • CVE-2023-4966 only affects customer-managed NetScaler ADC and Gateway appliances; Citrix-managed cloud services are NOT affected.
  • Exploitation requires the appliance to be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server; devices not in these configurations are not vulnerable.

CVSS provenance

NVD (CVSS v3.1): 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
VulnCheck: 9.4 CRITICAL
CISA: 7.5 HIGH