2 min

The CVE-2023-4966 vulnerability for Citrix NetScaler ADC and NetScaler Gateway is currently being massively exploited. Meanwhile, this cyber threat is known as “Citrix Bleed”. The exploits are taking place despite there being a patch released for it, several security specialists conclude.

In an Oct. 30 survey, ShadowServer identified just over 5,000 unpatched Citrix NetScaler ADC and Gateway servers accessible via the public Internet. Other researchers speak of as many as 20,000 unpatched servers.

GreyNoise researchers have identified about 64 individual IP addresses that attempted to further exploit the Citrix vulnerability at the time of writing.

Among the hackers trying to attack still-unpatched Citrix servers are at least two ransomware gangs, indicates security specialist Kevin Beaumont. One of these gangs distributes a Python script that attackers can use to automate an attack on Citrix servers.

Mandiant also notes exploits

Mandiant specialists also once again warn that the Citrix vulnerability is being actively exploited. The security specialist is reportedly currently tracking about four uncategorized hacker gangs abusing the exploit for many business sectors, including the legal, tech and government sectors. Affected regions include the Americas, Europe, the Middle East, Africa and Asia-Pacific. These hacker gangs deploy the tools csvde.exe, certutil.exe, local.exe and nbtscan.exe to carry out their attacks on affected Citrix servers.

Patch is available

Citrix recently released a patch for CVE-2023-4966 and advised customers to install it as soon as possible. The virtualization and cloud specialist has not yet responded to the security specialists’ recent findings.

Also read: Patches for Citrix NetScaler are insufficient, more action needed