Executive Summary
A new critical vulnerability, widely referred to as CitrixBleed-ing Again, has been identified in Citrix NetScaler ADC and NetScaler Gateway appliances. This flaw, tracked as CVE-2023-4966, enables remote, unauthenticated attackers to extract sensitive memory contents, including session tokens and credentials, from affected devices. The vulnerability is being actively exploited in the wild, with public proof-of-concept code and detection scripts accelerating the risk of mass exploitation. The flaw is rooted in improper memory handling during the parsing of authentication requests, particularly when the appliance is configured as a SAML Identity Provider (IdP) or as a Gateway. Organizations using vulnerable versions of NetScaler ADC or Gateway are at immediate risk of compromise and must take urgent action to patch, monitor, and mitigate exposure.
Threat Actor Profile
Current intelligence indicates that exploitation of CVE-2023-4966 is opportunistic and widespread, with no single advanced persistent threat (APT) group attributed as the primary actor. The public availability of exploit code has enabled a broad spectrum of threat actors, ranging from financially motivated cybercriminals to potential state-sponsored groups, to leverage this vulnerability. The attack surface is global, given the extensive deployment of Citrix NetScaler appliances across critical sectors such as government, finance, healthcare, and enterprise IT. The rapid weaponization of this vulnerability demonstrates the agility of threat actors in adopting newly disclosed exploits, especially those that enable credential theft and lateral movement.
Technical Analysis of Malware/TTPs
The CitrixBleed-ing Again vulnerability is a pre-authentication memory disclosure bug. It arises from insufficient input validation in the custom XML attribute parser used by NetScaler for SAML requests and improper bounds checking in session management routines. Attackers exploit the flaw by sending specially crafted SAML AuthnRequests or authentication requests to the /saml/login endpoint or other authentication interfaces. These requests contain malformed or unquoted attribute values, often terminated by newlines, which cause the parser to read beyond the intended memory buffer.
The overread memory is then returned to the attacker, typically embedded in the NSC_TASS cookie or similar session artifacts in the HTTP response. The leaked data may include session tokens, credentials, pointers, and other sensitive memory contents. Attackers can automate this process, repeatedly sending crafted requests to incrementally leak memory and reconstruct valid session tokens or credentials for subsequent unauthorized access.
Proof-of-concept scripts, such as those published by WatchTowr Labs and available on GitHub, demonstrate the ease with which attackers can exploit this flaw. The exploitation process is highly reliable and does not require authentication, making it a potent tool for initial access and privilege escalation.
Exploitation in the Wild
Active exploitation of CVE-2023-4966 has been confirmed by multiple security research organizations, including WatchTowr Labs, SecurityWeek, and CISA. Exploitation attempts were observed within hours of public disclosure, with attackers leveraging public PoC code to target exposed NetScaler appliances. The vulnerability is being used to extract session tokens and credentials, which are then employed to hijack authenticated sessions and gain unauthorized access to sensitive resources.
Organizations have reported abnormal authentication events, session hijacking, and the presence of unexpected or binary data in session cookies. In some cases, exploitation attempts have resulted in the crash or restart of the nsppe process on affected appliances, causing denial-of-service conditions. The widespread availability of detection and exploitation scripts has led to a surge in scanning and exploitation activity, increasing the urgency for immediate remediation.
Victimology and Targeting
The attack surface for CitrixBleed-ing Again is extensive, given the global deployment of Citrix NetScaler ADC and Gateway appliances. Victims span multiple sectors, including government agencies, financial institutions, healthcare providers, and large enterprises. The vulnerability is particularly impactful for organizations that rely on NetScaler for remote access, VPN, or SAML-based authentication, as these configurations are directly targeted by the exploit.
No specific geographic targeting has been observed; rather, attackers are scanning the internet for vulnerable appliances and indiscriminately exploiting those that are exposed. The lack of authentication required for exploitation means that any internet-facing, unpatched NetScaler appliance is at risk, regardless of organizational size or sector.
Mitigation and Countermeasures
Immediate action is required to mitigate the risk posed by CVE-2023-4966. Organizations must upgrade to the latest fixed versions of NetScaler ADC and Gateway as specified in the official Citrix Security Bulletin CTX579459. After patching, all active and persistent sessions should be terminated to prevent session hijacking using previously leaked tokens.
Continuous monitoring for indicators of compromise is essential. Security teams should review logs for unusual authentication requests, malformed SAML AuthnRequests, and anomalies in session management. The presence of unexpected or binary data in the NSC_TASS cookie or similar session artifacts should be treated as a potential sign of exploitation.
Where possible, restrict access to authentication endpoints, such as /saml/login, to trusted networks or sources. Implement network segmentation to reduce the attack surface and limit lateral movement in the event of compromise. Organizations should also consider deploying web application firewalls (WAFs) with updated signatures to detect and block exploit attempts.
References
- Citrix Security Bulletin CTX579459
- WatchTowr Labs: CitrixBleed To Infinity And Beyond (CVE-2026-8451)
- DarkReading: CitrixBleed-ing Again? NetScaler Vulnerability Under Attack
- CISA KEV Catalog Entry for CVE-2023-4966
- NVD CVE-2023-4966
- Packet Storm Security PoC
- Detection Script (GitHub)
About Rescana
Rescana is a leader in third-party risk management (TPRM) and cyber risk intelligence. Our platform empowers organizations to continuously monitor, assess, and mitigate cyber risks across their digital supply chain and critical infrastructure. By leveraging advanced analytics and real-time threat intelligence, Rescana enables proactive defense against emerging vulnerabilities and evolving threat landscapes. For more information or to discuss how our solutions can enhance your organization’s cyber resilience, we are happy to answer questions at info@rescana.com.



