CVE-2023-4966
CVE-2023-4966 is a critical-severity vulnerability in Citrix Netscaler Application Delivery Controller with a CVSS 3.x base score of 9.4. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2023-10-18). The underlying weakness is classified as CWE-119.
Key facts
- Severity: Critical (CVSS 3.x base score 9.4)
- EPSS exploit prediction: 100% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2023-10-18)
- EU (EUVD) id: EUVD-2023-54802
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2023-10-18)
- Weakness: CWE-119
- Affected product: Citrix Netscaler Application Delivery Controller
- Published:
- Last modified:
Description
Sensitive information disclosure in NetScaler ADC and NetScaler Gateway when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.
CVE-2023-4966: Citrix Bleed — NetScaler ADC / Gateway Sensitive Information Disclosure
AI-generated analysis based on the vulnerability data on this page.
| Field | Value |
|---|---|
| CVE ID | CVE-2023-4966 |
| CVSS v3.1 | 9.4 (Critical) — AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L |
| EPSS | 0.99999 (99.993rd percentile) |
| CISA KEV | Added 2023-10-18 |
| EU Exploited | Confirmed since 2023-10-18 (EUVD-2023-54802) |
| CWE | CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer |
| Published | 2023-10-10 |
| Last Modified | 2026-06-17 |
| Vendor | Citrix (NetScaler) |
| Ransomware Association | Confirmed |
Summary
CVE-2023-4966, widely known as Citrix Bleed, is a critical vulnerability in Citrix NetScaler ADC and NetScaler Gateway products. When configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server, the appliance exposes a buffer over-read condition that allows unauthenticated remote attackers to extract sensitive session tokens and other memory-resident data. The flaw has been actively exploited in the wild since at least October 2023 and is listed on both the CISA Known Exploited Vulnerabilities catalog and the EU Vulnerability Database.
Background
Citrix NetScaler ADC (Application Delivery Controller) and NetScaler Gateway are widely deployed at the edge of enterprise networks to provide remote access, load balancing, and application delivery. In Gateway mode, these appliances terminate VPN sessions, broker ICA/HDX connections, and enforce authentication via AAA virtual servers. Because they sit on the perimeter and handle high-value session credentials, any information-disclosure flaw in their processing path is especially dangerous. CVE-2023-4966 was disclosed by Citrix on 10 October 2023 and was rapidly added to CISA's KEV catalog eight days later after in-the-wild exploitation was confirmed.
Root Cause
The vulnerability is classified under CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer. In this case, a buffer over-read occurs during request processing on the Gateway or AAA virtual server. The underlying code fails to properly bound a memory read operation, allowing an attacker-controlled request to read beyond the allocated buffer into adjacent memory regions. Those adjacent regions can contain valid session tokens, authentication cookies, or other sensitive runtime data. Because the read happens in the context of the appliance's own memory space, no authentication or prior session is required to reach the vulnerable code path.
Impact
The CVSS v3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L yields a base score of 9.4 (Critical) and maps to the following impacts:
- Confidentiality (High) — Attackers can read sensitive information, most critically valid session tokens, enabling session hijacking without credentials.
- Integrity (High) — With stolen session tokens, an attacker can impersonate legitimate users and perform actions within their authenticated sessions.
- Availability (Low) — The vulnerability itself is a read primitive, but downstream exploitation (e.g., mass session invalidation or follow-on attacks) can degrade service availability.
The EPSS score of 0.99999 with a 99.993rd percentile ranking indicates near-certain probability of active exploitation in the wild. CISA KEV confirmation and EU exploitation tracking (EUVD-2023-54802) both corroborate this. Ransomware operators have been observed leveraging this flaw for initial access.
Exploitation Walkthrough
Ethics & Scope Disclaimer — The description below is intentionally generic and framed from a defensive perspective. No weaponized exploit code is provided, and the aim is to help defenders understand the attack surface rather than enable malicious use.
- Reconnaissance — The attacker identifies a publicly reachable NetScaler Gateway or AAA virtual server (common on TCP/443).
- Request Crafting — A malformed HTTP request is sent to the Gateway endpoint. The malformed field triggers the buffer over-read in the request-handling path.
- Memory Leakage — The appliance responds with data that includes memory contents from beyond the intended buffer. In confirmed exploitation, this response has contained valid session cookies or tokens.
- Session Hijacking — The attacker extracts the leaked token and replays it in an authenticated request, effectively assuming the victim's session without ever possessing credentials.
Because the attack complexity is low, no privileges are required, and no user interaction is needed, this vulnerability is trivially exploitable at scale by automated scanners.
Affected and Patched Versions
The following product lines are affected according to CPE data in the NVD record:
- Citrix NetScaler Application Delivery Controller (ADC) — all editions including FIPS and NDCPP variants
- Citrix NetScaler Gateway
Specific version ranges are not present in the source data used for this advisory. Organizations should consult the vendor's official security bulletin (CTX579459) to determine exactly which firmware builds are vulnerable and which builds contain the fix.
Remediation
Primary Mitigation
- Upgrade to a patched firmware version as specified in Citrix support article CTX579459. This is the only complete remediation.
Compensating Controls
- If immediate patching is not possible, disable or restrict access to Gateway and AAA virtual server functionality until the patch can be applied.
- Place the management interface and Gateway virtual IPs behind a restrictive allow-list (WAF or network ACL) to reduce exposure, though this does not eliminate risk entirely.
- Enforce multi-factor authentication (MFA) for all remote-access sessions. While MFA does not prevent token theft, it raises the bar for follow-on lateral movement if a session is hijacked.
- Monitor for and revoke active sessions after patching, because stolen tokens may remain valid until expiration or forced logout.
Detection
- Network Telemetry — Look for anomalous HTTP requests to Gateway endpoints that receive unusually large or malformed responses, or requests that deviate from normal client User-Agent patterns.
- Session Anomaly — Correlate session-origin IP changes (same session cookie, new source IP or geolocation) in authentication logs.
- IPS/WAF Signatures — Ensure that edge intrusion-prevention and web-application-firewall rulesets include detections for known Citrix Bleed scanning and exploitation patterns.
- Hunting — Search appliance logs and any downstream proxy logs for unexpected 200 OK responses to non-standard request payloads on Gateway paths.
Assessment
CVE-2023-4966 is a textbook example of why buffer-management bugs in edge-facing appliances remain so dangerous: a single unauthenticated over-read can collapse the security boundary of an entire remote-access infrastructure. The near-perfect EPSS score, dual KEV/EU-VD confirmations, and confirmed ransomware use all signal that this vulnerability should be treated as an active, high-priority threat rather than a theoretical risk.
Key lessons:
- Edge appliances are high-value targets — A flaw in a VPN gateway compromises every session it protects. Patching cycles for perimeter infrastructure must be aggressive.
- Session-token hygiene matters — Even after patching, stolen tokens can persist. Incident-response playbooks should include mass session revocation and token-rotation steps as standard post-exploitation cleanup.
References
Frequently asked questions
- What is CVE-2023-4966?
- Sensitive information disclosure in NetScaler ADC and NetScaler Gateway when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.
- How severe is CVE-2023-4966?
- CVE-2023-4966 has a CVSS 3.x base score of 9.4, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability low.
- Is CVE-2023-4966 being actively exploited?
- Yes. CVE-2023-4966 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2023-10-18, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2023-4966?
- CVE-2023-4966 primarily affects Citrix Netscaler Application Delivery Controller. In total, 4 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2023-4966?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2023-4966 have an EU (EUVD) identifier?
- Yes. CVE-2023-4966 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2023-54802. It is also flagged as exploited in the EUVD (since 2023-10-18).
- When was CVE-2023-4966 published?
- CVE-2023-4966 was published on 2023-10-10 and last updated on 2026-06-17.
References
- http://packetstormsecurity.com/files/175323/Citrix-Bleed-Session-Token-Leakage-Proof-Of-Concept.html
- https://support.citrix.com/article/CTX579459
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-4966
Affected products (4)
- cpe:2.3:a:citrix:netscaler_application_delivery_controller:*:*:*:*:fips:*:*:*
- cpe:2.3:a:citrix:netscaler_application_delivery_controller:*:*:*:*:ndcpp:*:*:*
- cpe:2.3:a:citrix:netscaler_application_delivery_controller:*:*:*:*:-:*:*:*
- cpe:2.3:a:citrix:netscaler_gateway:*:*:*:*:*:*:*:*
More vulnerabilities in Citrix Netscaler Application Delivery Controller
- CVE-2014-2882 — Critical (CVSS 10.0): Unspecified vulnerability in the management GUI in Citrix NetScaler Application Delivery Controller (ADC) and NetScaler…
- CVE-2014-2881 — Critical (CVSS 10.0): Unspecified vulnerability in the Diffie-Hellman key agreement implementation in the management GUI Java applet in…
- CVE-2026-8655 — Critical (CVSS 9.8): Multiple Memory overflow vulnerabilities in NetScaler ADC and NetScaler Gateway leading to unpredictable or erroneous…
- CVE-2026-8452 — Critical (CVSS 9.8): Memory overflow vulnerability NetScaler ADC and NetScaler Gateway leading to unpredictable or erroneous behavior and…
- CVE-2026-3055 — Critical (CVSS 9.8): Insufficient input validation in NetScaler ADC and NetScaler Gateway when configured as a SAML IDP leading…
- CVE-2025-7776 — Critical (CVSS 9.8): Memory overflow vulnerability leading to unpredictable or erroneous behavior and Denial of Service in NetScaler ADC…
All CVEs affecting Citrix Netscaler Application Delivery Controller →
Other CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) vulnerabilities
- CVE-2026-2778 — Critical (CVSS 10.0): Sandbox escape due to incorrect boundary conditions in the DOM: Core & HTML component. This vulnerability was fixed in…
- CVE-2026-2776 — Critical (CVSS 10.0): Sandbox escape due to incorrect boundary conditions in the Telemetry component in External Software. This vulnerability…
- CVE-2025-1866 — Critical (CVSS 10.0): Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in warmcat libwebsockets allows…
- CVE-2022-27625 — Critical (CVSS 10.0): A vulnerability regarding improper restriction of operations within the bounds of a memory buffer is found in the…
- CVE-2022-27624 — Critical (CVSS 10.0): A vulnerability regarding improper restriction of operations within the bounds of a memory buffer is found in the…
- CVE-2020-11896 — Critical (CVSS 10.0): The Treck TCP/IP stack before 6.0.1.66 allows Remote Code Execution, related to IPv4 tunneling.