Citrix NetScaler flaw subjected to active exploitation

Target Industry

Organisations within the government, professional services, and technology industry sectors.

Overview

Intelligence indicates that a critical vulnerability in Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway, patched by Citrix on 10th October 2023, had been exploited as a zero-day since late August 2023. The vulnerability, tracked as CVE-2023-4966 (CVSSv3.1 score: 9.4) and since widely referred to as "Citrix Bleed", is an out-of-bounds memory read that can be triggered without authentication. Exploitation almost certainly discloses sensitive appliance memory, including valid session tokens, from on-premises appliances configured as a Gateway (VPN virtual server, ICA Proxy, CVPN or RDP Proxy) or as an AAA virtual server.

On 19th October 2023, the Cybersecurity & Infrastructure Security Agency (CISA) added CVE-2023-4966 to its Known Exploited Vulnerabilities Catalog.

Impact

Successful exploitation of CVE-2023-4966 almost certainly allows a threat actor to read valid session tokens from appliance memory and replay them to hijack existing authenticated sessions. Because the hijacked session has already passed logon, the actor bypasses the credential and multi-factor authentication checks the appliance enforces and inherits the access of the legitimate user.

Vulnerability Detection

Detection is primarily by build version: Citrix has released fixed builds, and any appliance running an earlier build of an affected release remains vulnerable to exploitation. Because exploitation leaves a stolen session rather than malware on the appliance, organisations should also hunt for evidence of session misuse, such as an authenticated Gateway or AAA session being used from a source IP address or client other than the one that established it, and for logons from unexpected locations during the period the appliance was exposed while unpatched.

Affected Products

Citrix NetScaler ADC and NetScaler Gateway appliances configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server, on the following releases (fixed builds as published in Citrix advisory CTX579459):

NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50
NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15
NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19
NetScaler ADC 13.1-FIPS before 13.1-37.164
NetScaler ADC 12.1-FIPS before 12.1-55.300
NetScaler ADC 12.1-NDcPP before 12.1-55.300

NetScaler ADC and NetScaler Gateway version 12.1 (non-FIPS) is end of life and has not been patched; customers on that release must upgrade to a supported version. Citrix-managed cloud services are not affected.

Containment, Mitigations & Remediations

It is strongly recommended that users of the affected products apply the fixed builds released by Citrix as soon as possible. Patching alone is not sufficient: session tokens harvested before the upgrade remain valid after it, so once the appliance is upgraded all active and persistent sessions (ICA, RDP, PCoIP and AAA sessions, and load-balancer persistence sessions) must be terminated so that any hijacked session is invalidated. Any appliance that was internet-facing while unpatched should be treated as potentially compromised and reviewed for unexpected configuration changes or accounts, and the management interface should not be reachable from the internet. The Mandiant report listed under Further Information gives the supporting remediation guidance.
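As an added worked example serving both the Vulnerability Detection and the Containment guidance above (this is not tooling from Citrix, Mandiant or this bulletin's author), the following Python parses the first line of NetScaler `show ns version` output, compares the build against the fixed builds published in Citrix advisory CTX579459, and returns the post-patch steps. The fixed-build table and the session-termination commands are taken from Citrix's advisory and remediation guidance; the version lines in `main()` are constructed samples, and the FIPS/NDcPP variant is passed in by the caller because the version line alone does not state it.

```python
"""Build check and post-patch plan for CVE-2023-4966 (Citrix NetScaler ADC / Gateway).

Added example: not Citrix or Mandiant tooling. Fixed builds per CTX579459.
"""
import re
from dataclasses import dataclass

# Minimum fixed build per (release, variant), as published in CTX579459.
FIXED_BUILDS = {
    ("14.1", "standard"): (8, 50),
    ("13.1", "standard"): (49, 15),
    ("13.0", "standard"): (92, 19),
    ("13.1", "fips"): (37, 164),
    ("12.1", "fips"): (55, 300),
    ("12.1", "ndcpp"): (55, 300),
}

# Non-FIPS 12.1 reached end of life and received no fix.
END_OF_LIFE = {("12.1", "standard")}

# Citrix post-patch guidance: upgrading does not invalidate tokens already
# leaked, so every active and persistent session must be terminated.
SESSION_TERMINATION = [
    "kill icaconnection -all",
    "kill rdp connection -all",
    "kill pcoipConnection -all",
    "kill aaa session -all",
    "clear lb persistentSessions",
]

# Matches the version line, e.g. "NetScaler NS13.1: Build 49.13.nc, Date: ..."
_VERSION_RE = re.compile(r"NS(\d+\.\d+):\s*Build\s+(\d+)\.(\d+)")


@dataclass(frozen=True)
class VersionCheck:
    release: str
    build: tuple
    variant: str
    vulnerable: bool
    reason: str


def parse_version(line: str):
    """Return (release, (build_major, build_minor)) from a `show ns version` line."""
    m = _VERSION_RE.search(line)
    if not m:
        raise ValueError(f"unrecognised NetScaler version line: {line!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def check_version(line: str, variant: str = "standard") -> VersionCheck:
    """Decide whether the build predates the fix for CVE-2023-4966."""
    release, build = parse_version(line)
    key = (release, variant)
    if key in END_OF_LIFE:
        return VersionCheck(release, build, variant, True,
                            "end-of-life release with no fix; upgrade required")
    fixed = FIXED_BUILDS.get(key)
    if fixed is None:
        return VersionCheck(release, build, variant, True,
                            "release/variant not in the advisory's fixed-build list; treat as unpatched pending manual check")
    if build < fixed:  # tuple comparison: (49, 13) < (49, 15)
        return VersionCheck(release, build, variant, True,
                            f"build {build[0]}.{build[1]} predates fixed build {fixed[0]}.{fixed[1]}")
    return VersionCheck(release, build, variant, False,
                        f"build {build[0]}.{build[1]} is at or above fixed build {fixed[0]}.{fixed[1]}")


def remediation_steps(check: VersionCheck) -> list:
    """Upgrade if needed; sessions are terminated either way, because a now-fixed
    appliance may have been exploited before the patch was applied."""
    steps = []
    if check.vulnerable:
        steps.append(f"upgrade {check.release} ({check.variant}): {check.reason}")
    steps.extend(SESSION_TERMINATION)
    return steps


def main():
    # Constructed sample version lines, not output from real appliances.
    samples = [
        ("NetScaler NS13.1: Build 49.13.nc, Date: Jul 7 2023, 16:25:48   (64-bit)", "standard"),
        ("NetScaler NS13.1: Build 49.15.nc, Date: Oct 4 2023, 12:00:00   (64-bit)", "standard"),
        ("NetScaler NS13.1: Build 37.159.nc, Date: Aug 1 2023, 09:00:00   (64-bit)", "fips"),
        ("NetScaler NS12.1: Build 65.39.nc, Date: May 1 2023, 09:00:00   (64-bit)", "standard"),
    ]
    for line, variant in samples:
        result = check_version(line, variant)
        print(f"{result.release} build {result.build[0]}.{result.build[1]} [{variant}]: "
              f"{'VULNERABLE' if result.vulnerable else 'fixed'} ({result.reason})")
        for step in remediation_steps(result):
            print("   ", step)


if __name__ == "__main__":
    main()
```

The check keys on build numbers only, so it cannot tell a FIPS train from a standard one; pass the variant explicitly for FIPS or NDcPP appliances. An unknown release is reported as vulnerable on purpose so that a fleet sweep fails closed rather than silently skipping an appliance.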

Indicators of Compromise

No specific Indicators of Compromise (IoCs) are available currently.

Threat Landscape

Citrix occupies a significant share of the virtual application and desktop market, and NetScaler ADC and Gateway appliances sit at the network edge of organisations across the industry sector spectrum. Within this context, it has been assessed that cyber threat actors will almost certainly view organisations that depend on these products as prime targets as they seek to meet their pre-defined objectives.

Intelligence indicates that previously patched vulnerabilities in Citrix products have been subjected to malicious cyber operations, and an unauthenticated flaw in an internet-facing authentication gateway is an especially attractive target. It is therefore of critical importance to follow the recommended remediation and mitigation strategies to reduce the risk of exploitation.

Threat Group

No attribution to specific threat actors or groups has been identified at the time of writing.

Mitre Methodologies

Common Weakness Enumeration (CWE):

CWE-119 – Improper Restriction of Operations within the Bounds of a Memory Buffer

Further Information

Citrix Advisory

Mandiant Report

An Intelligence Terminology Yardstick showing the likelihood of events