Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway have a zero-day, critical information disclosure vulnerability [CVE-2023-4966]. Citrix NetScaler ADC and NetScaler Gateway have a buffer overflow vulnerability that allows for sensitive information disclosure when configured as a gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.
This vulnerability’s notoriety is driven by its high severity in popular network appliances with reports dating back to August of active exploitation that enabled session and account hijacking.
What To Do
Due to the historical nature of exploitation against NetScaler ADC and NetScaler Gateway appliances, we strongly urge patching CVE-2023-4966 as soon as possible.
Users of Citrix-managed cloud services or Citrix-managed Adaptive Authentication do not need to perform any actions according to the Citrix security bulletin, which clarifies that it only applies to customer-managed servers.
In the interim, CVE-2023-3519 can be used as a potential proxy for this vulnerability.