NetScaler Zero-Day Being Actively Exploited (Yes, Another One)

A recently patched Citrix NetScaler bug (CVE-2023-4966, CVSS score 9.4) is under active attack, and has been for at least two months.


Making matters worse, attackers have been able to bypass multi-factor authentication requirements by hijacking existing sessions that have already authenticated successfully. This means a patch alone will not be enough to stop an active attacker. All active and persistent sessions will need to be terminated as well.

More difficult still, there are currently no known logs or other artifacts on NetScaler appliances that record evidence of exploitation. Mandiant has released a remediation guide for this vulnerability, including investigative steps, here: https://www.mandiant.com/resources/blog/remediation-netscaler-adc-gateway-cve-2023-4966

If any evidence of potential exploitation is identified, a threat hunt of the internal environment is recommended after the device(s) have been patched and sessions terminated. The threat actors involved are currently unknown, but active exploitation has been taking place across a variety of industries and governments. This news comes after another critical NetScaler zero-day vulnerability (CVE-2023-3519, CVSS score 9.8) was patched in July, having been actively exploited for a month before that.

To see the Citrix bug advisory, please click here: https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967


