Citrix Bleed — NetScaler ADC and Gateway Sensitive Information Disclosure
A buffer-overflow vulnerability in Citrix NetScaler ADC and NetScaler Gateway allows attackers to harvest valid session tokens from device memory, hijacking authenticated sessions and bypassing MFA entirely. Widely known as "Citrix Bleed."
- Vendor: Citrix
- Product: NetScaler ADC and NetScaler Gateway
- CVSS: 9.4
- Status: KEV
- Published
CVE-2023-4966, dubbed “Citrix Bleed” by researchers, is a sensitive-information-disclosure vulnerability in Citrix NetScaler ADC and NetScaler Gateway appliances configured as a gateway (VPN, ICA proxy, CVPN, RDP proxy) or AAA virtual server. A buffer-overflow condition lets a remote, unauthenticated attacker retrieve session tokens directly from device memory.
Because the leaked tokens belong to already-authenticated sessions, attackers who capture them can hijack a legitimate user’s session without ever needing a password or a second factor — completely bypassing MFA. The flaw was added to CISA’s KEV catalog in November 2023 after ransomware affiliates, including LockBit-linked actors, were observed exploiting it against large enterprises and at least one major financial-sector organization.
Why it mattered
Citrix Bleed proved that even a fully MFA-protected environment can be compromised as long as a stolen session token remains valid. Citrix therefore urged admins not just to patch but to kill all active ICA and PCoIP sessions after patching, since session tokens captured before the fix remained valid and usable until those sessions were terminated.
Full technical detail and patched build numbers are in Citrix’s own security bulletin and the NVD entry above.
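Two things follow for defenders from the session-token nature of this bug: a token read from memory looks like a legitimate session, so the observable sign of a hijack is the same session token being used from a client IP other than the one that authenticated it; and any session established before the patch must be terminated, which is why Citrix's bulletin pairs the fix with `kill icaconnection -all`, `kill rdp connection -all`, `kill pcoipConnection -all`, `kill aaa session -all` and `clear lb persistentSessions`. The script below is an added example, not code from the advisory or from Citrix: it runs both checks over a constructed, simplified log format (the field names, session identifiers and the `PATCHED_AT` timestamp are assumptions for illustration, not NetScaler's real `ns.log` syntax).

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log lines in an illustrative key=value format.
# Session identifiers are placeholders, not real NetScaler token values.
SAMPLE_LOG = """\
2023-10-26T08:01:12Z session=SESS-A user=alice client_ip=203.0.113.10 event=LOGIN
2023-10-26T08:05:40Z session=SESS-A user=alice client_ip=203.0.113.10 event=REQUEST
2023-10-26T08:07:03Z session=SESS-A user=alice client_ip=198.51.100.77 event=REQUEST
2023-10-26T09:30:00Z session=SESS-B user=bob   client_ip=203.0.113.22 event=LOGIN
2023-10-26T09:31:15Z session=SESS-B user=bob   client_ip=203.0.113.22 event=REQUEST
2023-10-26T07:45:00Z session=SESS-C user=carol client_ip=203.0.113.30 event=LOGIN
"""

# Assumed time at which the appliance was patched (constructed for the example).
PATCHED_AT = datetime(2023, 10, 26, 9, 0, tzinfo=timezone.utc)

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+session=(?P<session>\S+)\s+user=(?P<user>\S+)\s+"
    r"client_ip=(?P<ip>\S+)\s+event=(?P<event>\S+)$"
)


def parse_log(text):
    """Parse the constructed log lines into dicts, oldest event first.
    Lines that do not match the expected format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        # 'Z' suffix is not accepted by fromisoformat on older Pythons; normalise it.
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        records.append(rec)
    return sorted(records, key=lambda r: r["ts"])


def find_hijack_candidates(records):
    """Return {session: (user, login_ip, [other_ips])} for every session whose
    token was used from a client IP other than the one that authenticated it."""
    login_ip = {}
    user_of = {}
    seen_ips = defaultdict(set)
    for r in records:
        if r["event"] == "LOGIN":
            login_ip.setdefault(r["session"], r["ip"])  # first LOGIN wins
            user_of[r["session"]] = r["user"]
        seen_ips[r["session"]].add(r["ip"])
    flagged = {}
    for sess, ip in login_ip.items():
        others = sorted(seen_ips[sess] - {ip})
        if others:
            flagged[sess] = (user_of[sess], ip, others)
    return flagged


def sessions_to_terminate(records, patch_time):
    """Sessions that authenticated before the patch: their tokens may have been
    read from memory while the appliance was vulnerable and stay valid until killed."""
    return sorted({r["session"] for r in records
                   if r["event"] == "LOGIN" and r["ts"] < patch_time})


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for sess, (user, ip, others) in find_hijack_candidates(recs).items():
        print(f"{sess} ({user}): authenticated from {ip}, later used from {', '.join(others)}")
    print("pre-patch sessions to terminate:", sessions_to_terminate(recs, PATCHED_AT))
```

On the sample data the script flags SESS-A, whose token is used from a second address minutes after alice's login, and lists SESS-A and SESS-C as sessions that predate the patch and must be killed even though the appliance is now fixed. SESS-B was established after the patch and shows a single client IP, so it is left alone. A real deployment would feed the same two checks from the appliance's own session and access logs rather than this constructed format.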
