Thousands of Servers Exposed By Citrix Bleed Vulnerability


ACA Aponix


Cyber Alert

  • Cybersecurity

Citrix Bleed (CVE-2023-4966) is a critical vulnerability affecting Citrix NetScaler ADC and NetScaler Gateway appliances. It is now being targeted by the Russian ransomware gang, LockBit, who have orchestrated cyberattacks on Boeing and the Industrial and Commercial Bank of China (ICBC). The vulnerability allows attackers to extract sensitive information, such as session cookies, usernames, and passwords.

Shortly after the disclosure in October 2023, it was discovered that the Citrix Bleed vulnerability was being actively exploited by attackers, and Citrix released security updates to address the issue. However, more than 10,000 Citrix servers remain unpatched and at risk of being breached.


Cybersecurity company ReliaQuest has uncovered evidence that multiple hacker groups, including LockBit ransomware, are actively exploiting the Citrix Bleed vulnerability. At least four threat groups are taking advantage of this flaw, with one of these groups automating the attack process, making it simpler and more efficient for them to target vulnerable systems.

The LockBit ransomware gang acknowledged that the ICBC paid a ransom, but refrained from disclosing the amount. Rapid7’s head of vulnerability research believes that Citrix Bleed will be “one of the top, routinely exploited vulnerabilities in 2023”.

Our recommendation

If your firm uses Citrix NetScaler ADC or NetScaler Gateway appliances, we suggest you do the following to protect your firm from this vulnerability:

  1. Ensure that your NetScaler ADC and Gateway appliances are running the latest firmware versions. These updates include patches that mitigate the vulnerability.
  2. After upgrading, connect to the NetScaler appliance using the Command Line Interface (CLI) and terminate all active and persistent sessions, because compromised sessions can persist even after the patch is applied.
  3. It is advisable to rotate the credentials for identities that accessed resources via the vulnerable servers and instances.
  4. Check frequently for updates from Citrix and other security organizations on this vulnerability and on other mitigation and prevention strategies.
  5. Develop a patch management plan to ensure that your devices are always patched with the latest security updates and regularly conduct patching drills for a secure infrastructure.
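
Step 2 as an added example (not part of the original alert and not Citrix tooling): a shell wrapper that sends the session-termination commands from Citrix's CVE-2023-4966 guidance to each upgraded appliance over SSH. It assumes that SSH to the management address lands in the NetScaler CLI and that the account (`nsroot` by default) may run `kill` and `clear` commands; the function names, `NS_USER` and `DRY_RUN` variables are this example's own.

```sh
#!/bin/sh
# Added example: post-upgrade session flush for NetScaler ADC / Gateway.
# Assumption: "ssh user@appliance '<command>'" executes <command> in the
# NetScaler CLI. Run only after the fixed firmware is installed.

# Session-termination commands from Citrix's CVE-2023-4966 guidance.
flush_commands() {
  cat <<'EOF'
kill icaconnection -all
kill rdp connection -all
kill pcoipConnection -all
kill aaa session -all
clear lb persistentSessions
EOF
}

# Send every command to one appliance. DRY_RUN defaults to 1 (print only),
# because a real run disconnects every user; set DRY_RUN=0 to execute.
# Returns non-zero if any command fails, so a partial flush is noticed.
flush_appliance() {
  fa_host="$1"; fa_user="${NS_USER:-nsroot}"; fa_rc=0
  while IFS= read -r fa_cmd; do
    if [ "${DRY_RUN:-1}" = "1" ]; then
      printf '[dry-run] %s@%s: %s\n' "$fa_user" "$fa_host" "$fa_cmd"
    # -n keeps ssh from consuming the rest of the command list on stdin.
    elif ! ssh -n -o BatchMode=yes "$fa_user@$fa_host" "$fa_cmd"; then
      printf 'FAILED on %s: %s\n' "$fa_host" "$fa_cmd" >&2
      fa_rc=1
    fi
  done <<EOF
$(flush_commands)
EOF
  return "$fa_rc"
}

# Flush each appliance given as an argument; returns the number of
# appliances on which at least one command failed.
flush_all() {
  failed=0
  for host in "$@"; do
    flush_appliance "$host" || failed=$((failed + 1))
  done
  return "$failed"
}

# Example: DRY_RUN=0 sh flush.sh adc1.example.internal adc2.example.internal
if [ "$#" -gt 0 ]; then flush_all "$@"; fi
```

A non-zero exit status means at least one appliance still holds sessions that were not cleared and should be revisited before credentials are rotated in step 3.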

How we help

Our cybersecurity and risk services can help organizations strengthen their line of defense against phishing attacks and other destructive cybercrime tactics. 

Our solutions include:

  • Aponix Protect™ to help build a comprehensive cybersecurity and technology risk management program tailored to your business needs.
  • Business impact analysis and business continuity plans complete with robust policies, plans, and procedures to better protect your company from data breaches and efficiently recover from a cyber incident or significant business disruption.
  • Risk assessments to identify and remediate gaps in your firm’s current cybersecurity and regulatory state, as well as figure out how your firm stands up against existing frameworks (SOC, PCI, NIST). 
  • Staff training and threat monitoring to educate your team on industry best practices, cyber trends, and emerging threats. 
  • Vulnerability and penetration testing to reduce the risk of financial, operational, and reputational losses that can result from a breach. 

For questions about this alert, or to find out more about our services, please reach out to your ACA consultant or contact us.