
Companies Prompt Users of NetScaler ADC and Gateway Products to Apply Essential Updates

Warnings issued over potential session hijacking and focused assaults on a significant system weakness.

Critical Update Alert: Citrix advises immediate patching for NetScaler ADC and Gateway users


Critical NetScaler Vulnerability Persists Despite Patch, Demands Urgent Action

A critical vulnerability affecting NetScaler ADC and NetScaler Gateway systems, identified as CVE-2023-4966, remains a significant threat despite a patch released by Citrix on October 10. This vulnerability has been added to the Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild.

The vulnerability, known as CitrixBleed 2 or CVE-2025-5777, arises from uninitialized variables that leak memory contents during authentication requests. The leaked data can include session tokens, which enables session hijacking.

To mitigate the risks, it's crucial for organizations to take immediate action. First and foremost, upgrade to the latest fixed versions of NetScaler ADC and Gateway firmware. Earlier versions, particularly 12.1 and 13.0 (now End Of Life), are still vulnerable and actively targeted. After upgrading, forcibly terminate all active sessions, including ICA, PCoIP, RDP, AAA, and load balancing persistent sessions, so that any session established before patching, and possibly already hijacked, is invalidated.

Regularly scanning your network for vulnerable NetScaler versions using asset discovery queries is also recommended to identify and prioritize patching of affected instances.
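As an added example (not from the article or from Citrix), the version triage the article recommends: parse `show ns version` banners gathered from an inventory, flag the End Of Life branches the article names, and compare the rest against a fixed-build table whose numbers are placeholders to be replaced with the builds in the Citrix bulletin. Hostnames and banners are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Release branches the article names as End Of Life: every build on them is
# treated as vulnerable, because no fix will ship for them.
EOL_BRANCHES = {"12.1", "13.0"}

# Minimum fixed build per supported branch as (build, point). PLACEHOLDER
# numbers chosen for this example; take the real ones from the Citrix bulletin.
FIXED_BUILD: Dict[str, Tuple[int, int]] = {"13.1": (49, 15), "14.1": (8, 50)}

# Banner format printed by the NetScaler CLI command 'show ns version'.
VERSION_RE = re.compile(r"NS(?P<branch>\d+\.\d+):\s*Build\s+(?P<build>\d+)\.(?P<point>\d+)")

def parse_version(banner: str) -> Optional[Tuple[str, int, int]]:
    """Return (branch, build, point) from a 'show ns version' banner, or None."""
    m = VERSION_RE.search(banner)
    return (m["branch"], int(m["build"]), int(m["point"])) if m else None

def assess(banner: str, fixed: Dict[str, Tuple[int, int]] = FIXED_BUILD) -> str:
    """Classify a banner as 'patched', 'vulnerable', 'eol' or 'unknown'."""
    parsed = parse_version(banner)
    if parsed is None:
        return "unknown"  # never assume safe: an odd banner needs a human look
    branch, build, point = parsed
    if branch in EOL_BRANCHES:
        return "eol"  # vulnerable and still targeted; only a branch upgrade helps
    if branch not in fixed:
        return "unknown"
    return "patched" if (build, point) >= fixed[branch] else "vulnerable"

def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hosts by status so upgrades, and the session kills that follow, can be prioritised."""
    groups: Dict[str, List[str]] = {"eol": [], "vulnerable": [], "unknown": [], "patched": []}
    for host, banner in inventory.items():
        groups[assess(banner)].append(host)
    return groups

# Constructed sample inventory: hostnames and banners invented for this example.
SAMPLE_INVENTORY = {
    "gw-old.example.internal": "NetScaler NS13.0: Build 91.13.nc, Date: ...",
    "gw-main.example.internal": "NetScaler NS13.1: Build 48.47.nc, Date: ...",
    "gw-dr.example.internal": "NetScaler NS13.1: Build 49.15.nc, Date: ...",
    "gw-odd.example.internal": "connection refused",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:10s} {', '.join(hosts) or '-'}")
```

Hosts in the `eol` and `vulnerable` groups are the ones to upgrade first, and each of them still needs its active sessions terminated after the upgrade.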

Despite official statements minimizing active exploitation, multiple security researchers confirm active attacks in the wild with publicly available proof-of-concept exploits. Mandiant has reported cases where the patch for CVE-2023-4966 can be bypassed in situations where there was previous exploitation.

Citrix urged customers to upgrade to the latest versions of NetScaler ADC and NetScaler Gateway on Monday. However, it's important to note that authenticated sessions could still persist after the patch is applied, according to Mandiant. This suggests that the vulnerability may not have been fully addressed.

The vulnerability is most critical when NetScaler ADC is configured as a gateway or as an AAA virtual server. Managed cloud and Adaptive Authentication customers do not need to take additional action, according to Citrix.

Organizations should take extra precautions beyond patching to secure their NetScaler ADC and NetScaler Gateway systems, given the persistent threat of attacks. The urgency was due to incidents resembling session hijacking and reports of targeted attacks against this critical vulnerability.

At the time of the announcement, Citrix was not aware of any exploits of this vulnerability. However, the possibility of patch bypasses or incomplete remediations underscores the importance of these combined steps—upgrading firmware, killing persistent sessions, and continuous asset discovery—as the best current practice to defend against session hijacking and CVE-2023-4966 in NetScaler environments.

  1. Despite the patch for the NetScaler vulnerability (CVE-2023-4966), its persistent nature demands immediate cybersecurity measures, such as upgrading to the latest firmware, terminating all active sessions, and regularly scanning the network for vulnerable NetScaler versions.
  2. The ongoing threat of attacks against the NetScaler vulnerability (CVE-2023-4966) underscores the need for organizations to go beyond patching, employing additional cybersecurity measures and technology, such as forcibly terminating active sessions, conducting continuous asset discovery, and strengthening authentication processes.
