Citrix Netscaler ADC and Netscaler Gateway [CVE-2023-4966] Ingrid Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway have a zero-day, critical information disclosure vulnerability [CVE-2023-4966]. Citrix NetScaler ADC and NetScaler Gateway have a buffer overflow vulnerability that allows for sensitive information disclosure when configured as a gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server. This vulnerability’s notoriety is driven by its high severity in popular network appliances with reports dating back to August of active exploitation that enabled session and account hijacking. What To Do Due to the historical nature of exploitation against NetScaler ADC and NetScaler Gateway appliances, we strongly urge patching CVE-2023-4966 as soon as possible. Users of Citrix-managed cloud services or Citrix-managed Adaptive Authentication do not need to perform any actions according to the Citrix security bulletin, which clarifies that it only applies to customer-managed servers. In the interim, CVE-2023-3519 can be used as a potential proxy for this vulnerability. Resources CISA, “Known Exploited Vulnerabilities Catalog” Cloud Software Group, Inc., “CVE-2023-4966: Critical security update now available for NetScaler ADC and NetScaler Gateway” Cybersecurity Help, “Zero-day Vulnerability Database” NVD, “CVE-2023-4966 Detail” October 26, 2023: Published. Related articles Citrix ShareFile StorageZone Controller [CVE-2023-24489] Mobile Application Analysis Finding Rescan: Asset Not Found and Assumed Remediated What is a Finding Rescan? A Guide to Navigating and Prioritizing Bitsight Risk Categories & Risk Vectors Feedback 0 comments Please sign in to leave a comment.