www.cisa.gov (2a02:26f0:f500:48d::447a) Public Scan

URL: https://www.cisa.gov/guidance-addressing-citrix-netscaler-adc-and-gateway-vulnerability-cve-2023-4966-citrix-bleed
Submission: On November 08 via api from TR — Scanned from DE


Cybersecurity & Infrastructure Security Agency
America's Cyber Defense Agency
GUIDANCE FOR ADDRESSING CITRIX NETSCALER ADC AND GATEWAY VULNERABILITY
CVE-2023-4966, CITRIX BLEED

Related topics:
Cybersecurity Best Practices


Note: CISA will continue to update this webpage as we have further guidance to
impart.


SUMMARY

CISA and our partners are responding to active, targeted exploitation of a
vulnerability, CVE-2023-4966, affecting Citrix NetScaler ADC and NetScaler
Gateway. The vulnerability is also known as Citrix Bleed. The affected products
contain a buffer overflow vulnerability that allows for sensitive information
disclosure when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN,
RDP Proxy) or AAA virtual server. Customers using Citrix-managed cloud services
or Citrix-managed Adaptive Authentication are not impacted.

Exploitation of this vulnerability could allow for the disclosure of sensitive
information, including session authentication token information that may allow a
threat actor to “hijack” a user’s session [1].


TECHNICAL DETAILS

On Oct. 10, 2023, Citrix released security updates to address CVE-2023-4966 in
NetScaler ADC and NetScaler Gateway.

On Oct. 17, Citrix updated its Alert to include “exploits of CVE-2023-4966 on
unmitigated appliances have been observed.”

On Oct. 18, CISA added an entry for CVE-2023-4966 to its Known Exploited
Vulnerabilities (KEV) catalog, which contains detection and mitigation guidance
for observed exploitations of CVE-2023-4966.

On Oct. 23, Citrix released a blog providing recommended next steps and a link
to Mandiant’s Oct. 17 guidance for remediating and reducing risks related to
CVE-2023-4966: Remediation for Citrix NetScaler ADC and Gateway Vulnerability
(CVE-2023-4966).

CISA urges organizations to update unmitigated appliances to the updated
versions listed below, hunt for any malicious activity, and report any positive
findings to CISA.

 * NetScaler ADC and NetScaler Gateway 14.1-8.50 and later releases
 * NetScaler ADC and NetScaler Gateway 13.1-49.15 and later releases of 13.1
 * NetScaler ADC and NetScaler Gateway 13.0-92.19 and later releases of 13.0
 * NetScaler ADC 13.1-FIPS 13.1-37.164 and later releases of 13.1-FIPS
 * NetScaler ADC 12.1-FIPS 12.1-55.300 and later releases of 12.1-FIPS
 * NetScaler ADC 12.1-NDcPP 12.1-55.300 and later releases of 12.1-NDcPP
 * Note: NetScaler ADC and NetScaler Gateway version 12.1 is now End-of-Life
   (EOL). Customers are advised to upgrade their appliances to one of the
   supported versions that address the vulnerabilities.
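The fixed-build list above is easy to misread by hand (each branch has its own threshold, the FIPS and NDcPP builds are tracked separately, and plain 12.1 has no fixed build at all). The following is an added example, not CISA's or Citrix's code: it encodes the thresholds from this page and classifies reported appliance versions as fixed, vulnerable, EOL or unknown. It assumes versions arrive either in the bulletin style ("13.1-49.15") or in the "show version" banner style ("NetScaler NS13.1: Build 49.15.nc"); the banner format, the hostnames and the inventory are constructed for illustration.

```python
import re

# Fixed builds listed in the CISA guidance, keyed by branch (plus variant for
# FIPS / NDcPP builds). Plain 12.1 is End-of-Life and has no fixed build.
FIXED_BUILDS = {
    "14.1": (8, 50),
    "13.1": (49, 15),
    "13.0": (92, 19),
    "13.1-FIPS": (37, 164),
    "12.1-FIPS": (55, 300),
    "12.1-NDcPP": (55, 300),
}
EOL_BRANCHES = {"12.1"}

# Accepts the bulletin style "13.1-49.15" and the "show version" banner style
# "NetScaler NS13.1: Build 49.15.nc" (the banner format is an assumption).
_VERSION_RE = re.compile(
    r"(?:NetScaler\s+)?(?:NS)?(\d+\.\d+)(?:-|:\s*Build\s+)(\d+)\.(\d+)(?:\.\w+)?\s*$"
)

def parse_version(text):
    """Return (branch, (major, minor)), e.g. ('13.1', (49, 15))."""
    m = _VERSION_RE.search(text.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version: {text!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))

def assess(text, variant=None):
    """Classify one reported build as fixed / vulnerable / eol / unknown."""
    branch, build = parse_version(text)
    key = f"{branch}-{variant}" if variant else branch
    if key in EOL_BRANCHES:
        return "eol"        # no fixed build exists; migrate off the branch
    fixed = FIXED_BUILDS.get(key)
    if fixed is None:
        return "unknown"    # branch not covered here; consult the Citrix bulletin
    return "fixed" if build >= fixed else "vulnerable"  # tuple compare = build order

def triage(inventory):
    """Return hostnames that still need action (vulnerable or EOL)."""
    return [host for host, ver, var in inventory
            if assess(ver, var) in ("vulnerable", "eol")]

# Constructed sample inventory: (hostname, reported version, variant)
SAMPLE_INVENTORY = [
    ("gw-nyc-01", "NetScaler NS13.1: Build 49.15.nc", None),
    ("gw-nyc-02", "13.1-49.13", None),
    ("gw-fips-01", "13.1-37.164", "FIPS"),
    ("gw-legacy-01", "12.1-65.35", None),
]
```

Running `triage(SAMPLE_INVENTORY)` flags gw-nyc-02 (below 13.1-49.15) and gw-legacy-01 (EOL branch); a "fixed" result only means the build threshold is met, it does not replace the hunt for prior session hijacking that the guidance asks for.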


RESOURCES

This information is provided “as-is” for informational purposes only. CISA does
not endorse any company, product, or service referenced below.


MITIGATION GUIDANCE

 * Citrix Blog: CVE-2023-4966: Critical security update now available for
   NetScaler ADC and NetScaler Gateway
 * Citrix Advisory: NetScaler ADC and NetScaler Gateway Security Bulletin for
   CVE-2023-4966
 * Citrix NetScaler secure deployment guide: Best practices for NetScaler MPX,
   VPX, and SDX security


ADDITIONAL RESOURCES

 * CISA: BOD 23-02: Mitigating the Risk from Internet-Exposed Management
   Interfaces
 * Mandiant:
   * Remediation for Citrix NetScaler ADC and Gateway Vulnerability
     (CVE-2023-4966)
   * Investigation of Session Hijacking via Citrix NetScaler ADC and Gateway
     Vulnerability (CVE-2023-4966)
 * Assetnote: Citrix Bleed: Leaking Session Tokens with CVE-2023-4966
 * Palo Alto Networks: Threat Brief: Citrix Bleed CVE-2023-4966

--------------------------------------------------------------------------------

[1] Investigation of Session Hijacking via Citrix NetScaler ADC and Gateway
Vulnerability (CVE-2023-4966) | Mandiant
