Skip to main content
close search
site logo

Citrix Netscaler patch for critical CVE bypassed by malicious hackers

Citrix issued the patch on Oct. 10 for critical vulnerabilities in Netscaler ADC and Netscaler Gateway, but Mandiant is urging users to terminate all sessions.

Published Oct. 18, 2023 Updated Oct. 19, 2023
David Jones's headshot
Reporter
Exterior of Citrix office complex.
A sign is posted on the exterior of a Citrix office complex on January 31, 2022 in Santa Clara, California. Justin Sullivan/Getty Images via Getty Images

Researchers from Mandiant issued an urgent warning Tuesday that the patch for a critical vulnerability in Citrix Netscaler failed to prevent certain attacks and malicious actors are continuing to exploit the flaw. 

Citrix issued a patch on Oct. 10 to address the vulnerability, listed as CVE-2023-4966, in Netscaler ADC and Netscaler Gateway, which was under active exploitation since at least August.

"When the vulnerability was made public with a patch Oct. 10, there was no indication from our customers or industry partners that an exploit existed in the wild. The vulnerability was identified internally," Citrix officials said via email.

Mandiant, however, found that organizations that have patched their systems after the release of the security update were still being hacked. Mandiant CTO Charles Carmakal is now urging organizations to terminate all active sessions. 

“These authenticated sessions will persist after the update to mitigate CVE-2023-4966 has been deployed,” Carmakal said on LinkedIn. “Therefore even after the patch is applied, a threat actor could use stolen session data to authenticate to resources until the sessions are terminated.”

Carmakal told Cybersecurity Dive that Mandiant believes the patch otherwise works, except it requires the “additional step of terminating sessions needs to be performed out of caution in case a threat actor previously exploited the vulnerability and obtained session information from the device."

Mandiant officials said successful exploitation of the vulnerability can allow hackers to hijack existing authenticated sessions and bypass multifactor authentication. Mandiant observed cases where session data was stolen prior patch deployment and later used by hackers

Already, exploitation has taken place at professional services and technology firms as well as government agencies, the firm said. 

Mandiant does not know who the threat actor is, but said the hackers are focused on cyber espionage and they expect hackers with financial motivations to eventually get in on the action. 

When asked for comment, officials at the Cybersecurity and Infrastructure Security Agency referred back to the Mandiant guidance. 

Editor's note: This article has been updated to include a statement from Citrix and further detail when the patch works. 

 

Editors' picks

Company Announcements

View all | Post a press release
CUSO Financial Services, LP Data Breach Investigation
From Migliaccio & Rathod LLP
October 31, 2024
TrustNet Named 2024’s Best Compliance Advisory and Audit Firm at CDM’s Annual Top InfoSec Inno…
From TrustNet
November 06, 2024
Traceable Releases 2025 State of API Security Report: API Breaches Persist as Fraud, Bot Attac…
From Traceable AI
October 30, 2024
Mystic Valley Elder Services Data Breach Investigation
From Migliaccio & Rathod LLP
October 31, 2024
Editors' picks
Latest in Vulnerability
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell