CVE-2023-4966 Detection: Critical Citrix NetScaler Vulnerability Actively Exploited In the Wild

Adding to the list of critical Citrix NetScaler zero-days, security researchers warn of a new dangerous vulnerability (CVE-2023-4966) continuously exploited in the wild despite a patch issued in October. Marked as an information-disclosure flaw, CVE-2023-4966 enables threat actors to hijack existing authenticated sessions and potentially result in a multifactor authentication (MFA) bypass. According to security experts, patching might be insufficient to remediate a security gap, while requiring all active session termination following the update installation. The vulnerability obtained the highest severity level and has been added to the KEV Catalog by CISA.

Detect CVE-2023-4966 Exploits

With the ongoing avalanche of attacks weaponizing CVE-2023-4966 and a complex approach required to address the issue, security practitioners need a reliable source of detection content to identify possible intrusions at the earliest stages. SOC Prime Team has developed a dedicated detection rule to identify possible CVE-2023-4966 exploitation attempts: 

Possible Citrix CVE-2023-4966 Exploitation Attempt (via webserver)

The rule is compatible with 13 security analytics solutions and mapped to MITRE ATT&CK framework, addressing Initial Access tactics with the Exploit Public-Facing Application (T1190) as a corresponding technique.

Explore the broader detection stack aimed at emerging CVEs detection by clicking the Explore Detections button. Security professionals can obtain in-depth cyber threat context accompanied by ATT&CK references and CTI links, as well as get actionable metadata tailored to their organization-specific needs for streamlined threat research.

Explore Detections

CVE-2023-4966 Analysis

Researchers recently identified a novel zero-day vulnerability tracked as CVE-2023-4966 and affecting Citrix’s NetScaler ADC and Gateway instances. Citrix has issued a cybersecurity advisory notifying its customers about exploitation attempts of CVE-2023-4966 that could potentially lead to the disclosure of sensitive information. To be weaponized by attackers, the Citrix instances should be set up either as a Gateway with specific functions (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server. CVE-2023-4966 does not impact customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication.

CVE-2023-4966 has reached the critical CVSS score of 9.4 and has been actively exploited in the wild as a zero-day flaw, exposing overwhelming numbers of customers to the growing risks. 

Despite the release of patches for CVE-2023-4966 in the first decade of October, Citrix has added tweaks to the advisory to highlight that there have been observed instances of CVE-2023-4966 exploitation on appliances that were not protected or mitigated. 

Mandiant researchers have observed active exploitations of CVE-2023-4966 targeting professional services, the tech industry, and the public sector. The successful exploitation of the flaw could allow malicious actors to take control of established authenticated sessions, effectively evading multi-factor authentication and other robust authentication policies. Furthermore, researchers revealed the incidents of session hijacking where session data was stolen before applying the patch to be further exploited for offensive purposes.

Considering the available proof of ongoing exploitation attempts, CISA has added CVE-2023-4966 along with another denial of service flaw tracked as CVE-2023-4967 to the Known Exploited Vulnerabilities Catalog.

To mitigate the threat, Citrix recommends updating the potentially affected instances immediately by installing the suggested builds. The users of NetScaler ADC or NetScaler Gateway devices on SDX hardware should upgrade their VPX instances.

With the increasing numbers of zero-days leveraged by adversaries in the in-the-wild attacks, detection content for the proactive vulnerability exploitation use case is one of the top priorities to enhance the organization’s cyber resilience. Boost your detection engineering capabilities with Uncoder AI, the industry-first IDE for active threat-informed defense to create detections faster, avoid common syntax and logiс errors, enrich the code with tailored intelligence, and instantly translate it to 65 language formats.