CVE-2023-4966

Published Oct 10, 2023

Last updated 5 months ago

Exploit knownCVSS critical 9.4
CitrixBleed
Server

Overview

Description
Sensitive information disclosure in NetScaler ADC and NetScaler Gateway when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA  virtual server.
Source
secure@citrix.com
NVD status
Analyzed
Products
netscaler_application_delivery_controller, netscaler_gateway

Risk scores

CVSS 3.1

Type
Primary
Base score
7.5
Impact score
3.6
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Severity
HIGH

Known exploits

Data from CISA

Vulnerability name
Citrix NetScaler ADC and NetScaler Gateway Buffer Overflow Vulnerability
Exploit added on
Oct 18, 2023
Exploit action due
Nov 8, 2023
Required action
Apply mitigations and kill all active and persistent sessions per vendor instructions [https://www.netscaler.com/blog/news/cve-2023-4966-critical-security-update-now-available-for-netscaler-adc-and-netscaler-gateway/] OR discontinue use of the product if mitigations are unavailable.

Weaknesses

secure@citrix.com
CWE-119
nvd@nist.gov
NVD-CWE-noinfo

Social media

Hype score
Not currently trending

  1. 🚨 Unmasking the Citrix Bleed: A Deep Dive into the #CVE-2023-4966 Mass Exploitation Campaign https://t.co/fX2by9wZqU Educational Purposes!

    @UndercodeUpdate

    8 Nov 2025

    42 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. CITRIXBLEED CRISIS! The critical NetScaler ADC Buffer Overflow Flaw (CVE-2023-4966) is being ACTIVELY EXPLOITED GLOBALLY right now. This vulnerability allows for unauthorized access and session hijacking. Read the full report on - https://t.co/wEhjBhYNf5 https://t.co/XlgPQ7IAPv

    @cyberbivash

    29 Sept 2025

    3 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. 【メモリ漏洩脆弱性】Citrix NetScalerに新たな重大脆弱性CVE-2025-5777が発見され、既に実環境での悪用が確認されている。この脆弱性は2023年に世界を震撼させたCitrixBleed(CVE-2023-4966)と酷似しており、メモリの不

    @nakajimeeee

    6 Jul 2025

    444 Impressions

    1 Retweet

    5 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  4. #threatreport #LowCompleteness How Much More Must We Bleed? - Citrix NetScaler Memory Disclosure (CitrixBleed 2 CVE-2025-5777) | 04-07-2025 Source: https://t.co/XJKu0ksoJj Key details below ↓ 💀Threats: Citrix_bleed_vuln, 🔓CVEs: CVE-2023-4966 https://t.co/eZ1NKnjqmY

    @rst_cloud

    5 Jul 2025

    167 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5.     🚨 Citrix fixes critical NetScaler bug CVE-2025-5777—patch now. This out-of-bounds read flaw is similar to CitrixBleed (CVE-2023-4966) and may allow attackers to extract session tokens from memory. Affects gateway-configured devices No known explanation yet,

    @modat_magnify

    24 Jun 2025

    191 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. i remember 2023 when i was using the CVE-2023-4966 i logged in this employee's pc and started launching all my tools, and then the employee logged back in while i was getting creds, and he saw all the tools just open. the funny thing is he just closed them and went back to work😂

    @PsExec64

    13 Apr 2025

    3993 Impressions

    1 Retweet

    45 Likes

    5 Bookmarks

    2 Replies

    0 Quotes

  7. 🚨🔍 Top 5 most exploited CVEs of 2023: 1️⃣ CVE-2023-3519 (Citrix NetScaler): Buffer overflow for remote code execution. 2️⃣ CVE-2023-4966 (Citrix NetScaler): Token leakage risk. 3️⃣ CVE-2023-20198 (Cisco IOS XE): Unauthorized admin access.

    @AugustineCyber

    17 Nov 2024

    12 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  8. CISAから2023年に良く悪用された脆弱性のまとめが公開されていましたね。 2023 Top Routinely Exploited Vulnerabilities https://t.co/ulfm6a7TUz ◆CVE-2023-3519:Citrix ◆CVE-2023-4966:Citrix ◆CVE-2023-20198:Cisco ◆CVE-2023-20273:Cisco ◆CVE-2023-27997:Fortinet… https://t.co/5hY9DKZUl3 https://t.co/G9ylY3EdvP

    @taku888infinity

    13 Nov 2024

    1354 Impressions

    1 Retweet

    8 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  9. The released fix CVE-2023-4966 on October 10, 2023, affected NetScaler ADC and NetScaler Gateway. This vulnerability was discovered by our internal team, and at the time of disclosure, we were not aware of any exploits in the wild. Recommended next steps: https://t.co/gq5657p6KE

    @zeller_bach

    27 Oct 2024

    21 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    1 Quote

Configurations

Related CVEs

  1. A vulnerability was detected in xuxueli xxl-job up to 3.3.2. This impacts an unknown function of the file source-code/src/main/java/com/xxl/job/admin/controller/JobInfoController.java. The manipulation results in server-side request forgery. It is possible to launch the attack remotely. The exploit is now public and may be used. The project maintainer closed the issue report with the following statement: "Access token security verification is required." (translated from Chinese)CVE-2026-3733
  2. DAG Author (who already has quite a lot of permissions) could manipulate database of Airflow 2 in the way to execute arbitrary code in the web-server context, which they should normally not be able to do, leading to potentially remote code execution in the context of web-server (server-side) as a result of a user viewing historical task information. The functionality responsible for that (log template history) has been disabled by default in 2.11.1 and users should upgrade to Airflow 3 if they want to continue to use log template history. They can also manually modify historical log file names if they want to see historical logs that were generated before the last log template change.CVE-2024-56373
  3. ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a heap out-of-bounds read vulnerability exists in the `coders/dcm.c` module. When processing DICOM files with a specific configuration, the decoder loop incorrectly reads bytes per iteration. This causes the function to read past the end of the allocated buffer, potentially leading to a Denial of Service (crash) or Information Disclosure (leaking heap memory into the image). Versions 7.1.2-15 and 6.9.13-40 contain a patch.CVE-2026-25982
  4. Dell Repository Manager (DRM), versions prior to 3.4.8, contains an Uncontrolled Search Path Element vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to arbitrary code execution and escalation of privileges.CVE-2026-21420
  5. Flask is a web server gateway interface (WSGI) web application framework. In versions 3.1.2 and below, when the session object is accessed, Flask should set the Vary: Cookie header., resulting in a Use of Cache Containing Sensitive Information vulnerability. The logic instructs caches not to cache the response, as it may contain information specific to a logged in user. This is handled in most cases, but some forms of access such as the Python in operator were overlooked. The severity and risk depend on the application being hosted behind a caching proxy that doesn't ignore responses with cookies, not setting a Cache-Control header to mark pages as private or non-cacheable, and accessing the session in a way that only touches keys without reading values or mutating the session. The issue has been fixed in version 3.1.3.CVE-2026-27205

References

Sources include official advisories and independent security research.