Citrix has issued a warning to administrators, urging them to secure all NetScaler ADC and NetScaler Gateway appliances without delay because the CVE-2023-4966 vulnerability is being actively exploited.
This critical sensitive-information-disclosure flaw, rated 9.4 out of 10 on the CVSS scale, was patched by Citrix two weeks ago. It is dangerous because it can be exploited remotely by unauthenticated attackers in low-complexity attacks that require no user interaction.
The flaw affects NetScaler appliances configured as a Gateway (that is, with a VPN virtual server, ICA Proxy, CVPN, or RDP Proxy) or as an AAA virtual server.
Although there was no evidence of in-the-wild exploitation when the patch was released, Mandiant has since disclosed that threat actors had been exploiting CVE-2023-4966 as a zero-day since late August 2023, using the leaked data to hijack authenticated sessions and take over accounts.
Because the attacker replays an already-authenticated session rather than logging in, this bypasses multifactor authentication and other strong authentication requirements. Sessions hijacked before the fix was applied remain valid after patching unless they are explicitly terminated, so an attacker holding one can still move laterally within the network or compromise further accounts.
In response, Citrix issued a warning advising customers running affected builds configured as NetScaler Gateways or AAA virtual servers to install the recommended updates immediately, categorizing the vulnerability as critical.
Citrix also noted that it is unable to provide forensic analysis to determine whether a given system has been compromised. In practice this means administrators of exposed appliances must do that assessment themselves, treating any appliance that was exposed while unpatched as potentially compromised and reviewing its active sessions.
Note that NetScaler ADC and NetScaler Gateway appliances that are not configured as a gateway (VPN virtual server, ICA Proxy, CVPN, or RDP Proxy) or as an AAA virtual server, such as those used only for load balancing, are not susceptible to CVE-2023-4966. Citrix has also confirmed that NetScaler Application Delivery Management (ADM) and Citrix SD-WAN are not affected.
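The two practical questions the article raises are whether a given appliance is exposed (an unpatched build in a Gateway or AAA configuration) and what to do about sessions that survive the upgrade. The following triage script is an added example written for this page; it is not code from Citrix or from the article. It assumes the version line format printed by `show ns version` (`NetScaler NS13.1: Build 49.13.nc, ...`), the `add vpn vserver` / `add authentication vserver` lines as they appear in the running configuration, and the first fixed build per branch from Citrix advisory CTX579459. The session-termination commands are those Citrix published in its follow-up guidance after the advisory, not something on this page; the FIPS and NDcPP branches have their own fix builds, so the variant is passed explicitly rather than guessed from the version string. The sample outputs at the bottom are constructed, not captured from a real appliance.

```python
# Added example (not Citrix's or the article's code): CVE-2023-4966 exposure
# triage for NetScaler ADC / Gateway from 'show ns version' and ns.conf text.
import re

# First fixed build per branch, from Citrix advisory CTX579459. Keys are
# (release, variant); a build below the value on the same branch is unpatched.
FIXED_BUILDS = {
    ("14.1", "main"): (8, 50),
    ("13.1", "main"): (49, 15),
    ("13.0", "main"): (92, 19),
    ("13.1", "fips"): (37, 164),
    ("12.1", "fips"): (55, 300),
    ("12.1", "ndcpp"): (55, 300),
}

# NetScaler CLI commands from Citrix's post-advisory guidance: sessions created
# before the upgrade stay valid, so they must be terminated after patching.
POST_PATCH_COMMANDS = [
    "kill icaconnection -all",
    "kill rdp connection -all",
    "kill pcoipConnection -all",
    "kill aaa session -all",
    "clear lb persistentSessions",
]

# Assumed 'show ns version' line shape, e.g. "NetScaler NS13.1: Build 49.13.nc, ...".
VERSION_RE = re.compile(r"NetScaler NS(\d+\.\d+): Build (\d+)\.(\d+)")
# Gateway features (VPN vserver, ICA/RDP proxy, CVPN) hang off 'add vpn vserver';
# AAA is 'add authentication vserver'. A plain 'add lb vserver' is not exposed.
VSERVER_RE = re.compile(r'^add (vpn|authentication) vserver ("[^"]+"|\S+)', re.M)


def parse_version(show_ns_version_output):
    """Return (release, (build_major, build_minor)) from 'show ns version' text."""
    m = VERSION_RE.search(show_ns_version_output)
    if not m:
        raise ValueError("unrecognised 'show ns version' output")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def build_is_patched(release, build, variant="main"):
    """True if the build is at or above the first fixed build for its branch.

    Branches absent from the table (e.g. the end-of-life 12.1 mainline) received
    no fix, so they are conservatively reported as unpatched.
    """
    fixed = FIXED_BUILDS.get((release, variant))
    return fixed is not None and build >= fixed


def exposed_vservers(running_config):
    """(kind, name) for every Gateway (vpn) or AAA (authentication) vserver."""
    return [(kind, name.strip('"')) for kind, name in VSERVER_RE.findall(running_config)]


def triage(show_ns_version_output, running_config, variant="main"):
    """Combine build state and configuration into an exposure verdict plus actions."""
    release, build = parse_version(show_ns_version_output)
    patched = build_is_patched(release, build, variant)
    exposed = exposed_vservers(running_config)
    result = {
        "release": release,
        "build": build,
        "patched": patched,
        "exposed": exposed,
        "vulnerable": bool(exposed) and not patched,
        "actions": [],
    }
    if exposed:
        if not patched:
            result["actions"].append("upgrade to a fixed build immediately")
        # Even on an already-patched box, sessions stolen earlier remain valid.
        result["actions"].extend(POST_PATCH_COMMANDS)
    return result


if __name__ == "__main__":
    # Constructed sample outputs, not captured from a real appliance.
    version_out = "NetScaler NS13.1: Build 49.13.nc, Date: Aug 17 2023, 12:00:00   (64-bit)"
    ns_conf = (
        "add lb vserver web_lb HTTP 203.0.113.12 80\n"
        "add vpn vserver gw_vs SSL 203.0.113.10 443\n"
        "add authentication vserver aaa_vs SSL 203.0.113.11 443\n"
    )
    for key, value in triage(version_out, ns_conf).items():
        print(f"{key}: {value}")
```

Note that an appliance that was patched but previously exposed still gets the full session-termination list: the verdict `vulnerable` only says whether the build is currently exploitable, while the `actions` reflect the article's point that patching alone does not evict an attacker who already holds a session.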