A newly disclosed vulnerability, dubbed CitrixBleed, is being actively exploited in the wild within hours of its public disclosure. The flaw, tracked as CVE-2023-4966, impacts NetScaler ADC and NetScaler Gateway appliances, allowing attackers to remotely extract arbitrary memory content from affected systems.
Security researchers warn the vulnerability carries a high severity rating, with exploitation occurring immediately after proof-of-concept code was made public. The leaked memory is returned in the appliance's HTTP response, enabling adversaries to siphon sensitive data such as session tokens and credentials from memory. Early reports indicate widespread scanning activity across the internet.
Technical analysis reveals the exploit leverages a memory leak in the affected NetScaler appliances. By sending specially crafted HTTP requests, attackers can retrieve portions of the appliance's memory, which may contain authentication tokens or other confidential information. Indicators of compromise include unusual outbound connections from NetScaler devices and anomalous HTTP response sizes.
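One way to hunt for the "anomalous HTTP response sizes" indicator mentioned above is to baseline response sizes per request path and flag outliers. The following is an added example, not code from the article or from Citrix; the log format, paths, addresses and sizes are constructed for illustration and are not real NetScaler data.

```python
import re
import statistics
from collections import defaultdict

# Constructed sample lines in a combined-log shape (hypothetical paths and sizes).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:12:00:01 +0000] "GET /vpn/index.html HTTP/1.1" 200 4120
10.0.0.6 - - [10/Oct/2023:12:00:02 +0000] "GET /vpn/index.html HTTP/1.1" 200 4098
10.0.0.7 - - [10/Oct/2023:12:00:03 +0000] "GET /vpn/index.html HTTP/1.1" 200 4131
10.0.0.8 - - [10/Oct/2023:12:00:04 +0000] "GET /vpn/index.html HTTP/1.1" 200 4105
10.0.0.9 - - [10/Oct/2023:12:00:05 +0000] "GET /vpn/index.html HTTP/1.1" 200 4117
203.0.113.9 - - [10/Oct/2023:12:00:06 +0000] "GET /vpn/index.html HTTP/1.1" 200 69840
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+)$'
)


def parse_log(text):
    """Parse combined-log lines into dicts; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["size"] = int(entry["size"])
            entries.append(entry)
    return entries


def flag_oversized(entries, threshold=6.0, min_samples=5):
    """Return entries whose size exceeds the per-path median by more than
    `threshold` MADs. Median/MAD is used so a few huge responses cannot
    drag the baseline up; paths with fewer than `min_samples` hits are skipped."""
    by_path = defaultdict(list)
    for e in entries:
        by_path[e["path"]].append(e["size"])
    flagged = []
    for e in entries:
        sizes = by_path[e["path"]]
        if len(sizes) < min_samples:
            continue
        med = statistics.median(sizes)
        mad = statistics.median(abs(s - med) for s in sizes) or 1.0  # guard zero MAD
        if (e["size"] - med) / mad > threshold:
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    for hit in flag_oversized(parse_log(SAMPLE_LOG)):
        print(f"{hit['ts']} {hit['ip']} {hit['path']} size={hit['size']}")
```

Only the 69840-byte response to /vpn/index.html is flagged; the five baseline responses stay within a handful of MADs of the median.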
Mitigation is urgent: Citrix has released security updates for affected versions. Administrators are advised to immediately patch all NetScaler ADC and NetScaler Gateway installations to the latest firmware versions. No workarounds have been published, making patching the only reliable defense. Organizations should also rotate any credentials and sessions that may have been exposed during the exploitation window.
Attribution remains unclear, though the rapid adoption of public PoC code suggests opportunistic threat actors rather than a single advanced group. The incident highlights the persistent risk of zero-day-like exploitation cycles, where vulnerabilities are weaponized faster than organizations can respond.