Citrix is warning of exploitation of a recently disclosed critical security flaw in NetScaler ADC and Gateway appliances that could result in exposure of sensitive information.
Tracked as CVE-2023-4966 (CVSS score: 9.4), the vulnerability impacts the following supported versions -
- NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50
- NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15
- NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19
- NetScaler ADC and NetScaler Gateway 12.1 (currently end-of-life)
- NetScaler ADC 13.1-FIPS before 13.1-37.164
- NetScaler ADC 12.1-FIPS before 12.1-55.300, and
- NetScaler ADC 12.1-NDcPP before 12.1-55.300
However, for exploitation to occur, it requires the device to be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or authorization and accounting (AAA) virtual server.
While patches for the flaw were released on October 10, 2023, Citrix has now revised the advisory to note that "exploits of CVE-2023-4966 on unmitigated appliances have been observed."
Google-owned Mandiant, in its own alert published Tuesday, said it identified zero-day exploitation of the vulnerability in the wild beginning in late August 2023.
"Successful exploitation could result in the ability to hijack existing authenticated sessions, therefore bypassing multi-factor authentication or other strong authentication requirements," the threat intelligence firm said.
"These sessions may persist after the update to mitigate CVE-2023-4966 has been deployed."
Mandiant also said it detected session hijacking where session data was stolen before the patch deployment, and subsequently used by an unspecified threat actor.
"The authenticated session hijacking could then result in further downstream access based upon the permissions and scope of access that the identity or session was permitted," it further added.
"A threat actor could utilize this method to harvest additional credentials, laterally pivot, and gain access to additional resources within an environment."
The threat actor behind the attacks has not been determined, but the campaign is said to have targeted professional services, technology, and government organizations.
In light of active abuse of the flaw and with Citrix bugs becoming a lightning rod for threat actors, it's imperative that users move quickly to update their instances to the latest version to mitigate potential threats.
"Organizations need to do more than just apply the patch – they should also terminate all active sessions," Mandiant CTO Charles Carmakal said. "Although this is not a remote code execution vulnerability, please prioritize the deployment of this patch given the active exploitation and vulnerability criticality."
