
CVE-2023-4966

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · Ransomware-linked

Published: 10 October 2023
Modified: 24 October 2025
KEV Added: 18 October 2023
CVSS Score (v3.1): 9.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L)
EPSS Score: 1.0000 (100.0th percentile)
Risk Priority: 100 (floored blend · peak EPSS)

Summary

CVE-2023-4966 is a critical-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Citrix NetScaler Application Delivery Controller. Its CVSS base score is 9.4 (Critical).

Operationally, it ranks in the top 0.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AU-13 (Monitoring for Information Disclosure).

Deeper analysis

CVE-2023-4966 is a sensitive information disclosure vulnerability affecting Citrix NetScaler ADC and NetScaler Gateway appliances when configured as a Gateway (including VPN virtual server, ICA Proxy, CVPN, or RDP Proxy) or as an AAA virtual server. The flaw, tracked under CWE-119, carries a CVSS 3.1 score of 9.4 and permits exposure of sensitive session data without requiring authentication or user interaction.

Unauthenticated remote attackers can exploit the issue over the network to leak session tokens and other sensitive information, enabling session hijacking and subsequent unauthorized access with impacts to confidentiality, integrity, and availability. Public proof-of-concept code has been released that demonstrates token leakage against vulnerable instances.

Citrix advisory CTX579459 details the affected versions and provides remediation guidance, while CISA has added the CVE to its Known Exploited Vulnerabilities catalog, confirming in-the-wild exploitation. The associated EPSS score has reached a peak of 0.9717 with a current value of 0.9435, indicating sustained and substantial exploitation interest following disclosure.

Vulnerability details

Sensitive information disclosure in NetScaler ADC and NetScaler Gateway when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.

CWE(s): CWE-119

Related Threats

Threat-Actor Attribution (AI)

Cl0p (aka Clop)
Cl0p ransomware exploited Citrix Bleed (CVE-2023-4966) in a 2023 mass campaign, per Mandiant, Unit 42, and CISA reporting.

CVEs Like This One

CVE-2025-7775 · same product: Citrix NetScaler Application Delivery Controller · both on KEV
CVE-2025-7776 · same product: Citrix NetScaler Application Delivery Controller
CVE-2026-3055 · same product: Citrix NetScaler Application Delivery Controller · both on KEV
CVE-2024-3400 · same product class: VPN / SSL gateway · both on KEV
CVE-2025-0111 · same product class: VPN / SSL gateway · both on KEV
CVE-2025-59718 · same product class: VPN / SSL gateway · both on KEV
CVE-2026-24858 · same product class: VPN / SSL gateway · both on KEV
CVE-2026-0257 · same product class: VPN / SSL gateway · both on KEV
CVE-2025-0282 · same product class: VPN / SSL gateway · both on KEV
CVE-2025-0108 · same product class: VPN / SSL gateway · both on KEV

Affected Assets

Citrix NetScaler Application Delivery Controller: 12.1 — 12.1-55.300 · 13.0 — 13.0-92.19
Citrix NetScaler Gateway: 13.0 — 13.0-92.19 · 13.1 — 13.1-49.15 · 14.1 — 14.1-8.50

Mitigating Controls (NIST 800-53 r5) (AI)

prevent: Enforces access control policies on the NetScaler Gateway/AAA virtual servers to block unauthenticated retrieval of sensitive session tokens.

prevent: Applies boundary protection mechanisms that restrict external network access to the vulnerable VPN/AAA interfaces and limit exposure of the information disclosure flaw.

detect: Directly monitors for unauthorized information disclosure attempts against the NetScaler services, enabling detection of session-token leakage.