
CVE-2023-3519 & CVE-2023-4966: Critical Citrix NetScaler Exploitation — Detection and Remediation

Security Arsenal Team
April 5, 2026
11 min read

Introduction

Defenders are currently facing a critical window of exposure. Recent intelligence from cybersecurity researchers confirms that CVE-2023-3519 (a critical unauthenticated Remote Code Execution vulnerability) and CVE-2023-4966 (a sensitive information disclosure flaw known as "Citrix Bleed") are being actively exploited in the wild.

For organizations—especially those in the healthcare sector managing sensitive ePHI—this is not a theoretical risk. We are observing mass scanning and exploitation attempts targeting Citrix NetScaler ADC and Gateway appliances. Successful exploitation allows threat actors to gain initial access to the internal network, hijack active user sessions bypassing MFA, and deploy ransomware payloads (specifically LockBit 3.0 and other variants). Immediate action is required to assess compromise and patch these systems.

Technical Analysis

The current threat landscape focuses on two distinct but related vulnerabilities affecting Citrix NetScaler ADC and NetScaler Gateway (formerly known as Citrix ADC and Citrix Gateway).

Affected Products and Versions

  • Products: NetScaler ADC and NetScaler Gateway (physical, virtual, and multi-tenant SDX/CPX instances).
  • Affected Builds:
    • NetScaler ADC and NetScaler Gateway 14.1 before 8.50
    • NetScaler ADC and NetScaler Gateway 13.1 before 49.15
    • NetScaler ADC and NetScaler Gateway 13.0 before 91.13
    • NetScaler ADC and NetScaler Gateway 12.1 before 66.16
    • NetScaler ADC 12.1-FIPS before 66.16
    • NetScaler ADC 12.1-NDcPP before 66.16
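As an added example (not part of the original advisory), the following Python function turns the affected-builds list above into a machine check: it parses a `show version`-style banner and compares the running build against the fixed build for its release. It assumes the banner carries the release and build as `NS<release>: Build <build>` (for example `NS13.1: Build 49.15.nc`); because the banner alone does not identify a FIPS or NDcPP appliance, the caller passes that variant in (an assumption of this example, not something the page states). Builds are compared as integer pairs so that 49.9 correctly sorts before 49.15.

```python
import re

# Fixed builds per release, taken from the "Affected Builds" list above:
# any build older than the listed one is affected by both CVEs.
FIXED_BUILDS = {
    "14.1": (8, 50),
    "13.1": (49, 15),
    "13.0": (91, 13),
    "12.1": (66, 16),
    "12.1-FIPS": (66, 16),
    "12.1-NDcPP": (66, 16),
}

# Release and build in a `show version`-style banner such as
# "NetScaler NS13.1: Build 49.15.nc, Date: ..." (banner layout assumed for this example).
_VERSION_RE = re.compile(r"NS(?P<release>\d+\.\d+): Build (?P<build>\d+\.\d+)")


def parse_version(banner, variant=None):
    """Return (release, (build_main, build_sub)) from a version banner.

    variant is "FIPS" or "NDcPP" when the appliance is one of those editions
    (assumed to be known by the caller; the banner does not say).
    """
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognised version banner: {banner!r}")
    release = m.group("release")
    if variant:
        release = f"{release}-{variant}"
    main, sub = (int(part) for part in m.group("build").split("."))
    return release, (main, sub)


def is_vulnerable(banner, variant=None):
    """True if the build predates the fixed build for its release.

    Returns None when the release is not in the table, so that an unknown
    release is never silently reported as patched.
    """
    release, build = parse_version(banner, variant)
    fixed = FIXED_BUILDS.get(release)
    if fixed is None:
        return None
    # Tuple comparison keeps numeric ordering: (49, 9) < (49, 15),
    # whereas a string compare would rank "49.9" above "49.15".
    return build < fixed


if __name__ == "__main__":
    for line in ("NetScaler NS13.1: Build 49.13.nc", "NetScaler NS13.1: Build 49.15.nc"):
        print(line, "->", "VULNERABLE" if is_vulnerable(line) else "patched")
```

Run it against the banner copied from the appliance; a `None` result means the release is outside the table and must be checked against the vendor bulletin by hand.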

Vulnerability Mechanics

  1. CVE-2023-3519 (CVSS 9.8 - CRITICAL): This is an unauthenticated Remote Code Execution (RCE) vulnerability residing in the NetScaler AAA (Authentication, Authorization, and Accounting) module. Attackers can send a specially crafted HTTP request to the appliance to execute arbitrary code without requiring valid credentials. This provides a direct foothold into the network perimeter.

  2. CVE-2023-4966 (CVSS 8.2 - HIGH): Dubbed "Citrix Bleed," this vulnerability allows attackers to leak sensitive information from the device's memory. Specifically, attackers can retrieve active session tokens, allowing them to bypass authentication (including MFA) and impersonate valid users.

Exploitation Status

  • In-the-Wild: Confirmed. CISA has added these vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog.
  • TTPs: Threat actors are exploiting CVE-2023-3519 to drop webshells (often Perl or Bash scripts) on the appliance, establishing persistence. CVE-2023-4966 is being used to harvest session IDs for lateral movement into internal applications like VDI, EMR, and email systems.

Detection & Response

Sigma Rules

YAML
---
id: c1b2c3d4-e5f6-4a5b-8c9d-0e1f2a3b4c5d
title: Potential Citrix NetScaler RCE via Shell Spawn
status: experimental
description: Detects potential exploitation of CVE-2023-3519 on Citrix NetScaler ADC and Gateway appliances. The vulnerability allows unauthenticated remote code execution. This rule identifies the parent web server process spawning a shell or interpreter, a common TTP for this vulnerability.
references:
    - https://support.citrix.com/article/CTX579475
    - https://nvd.nist.gov/vuln/detail/CVE-2023-3519
author: Security Arsenal
date: 2026/04/06
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        ParentImage|endswith:
            - '/nshttpd'
            - '/nsdhcpd'
        Image|endswith:
            - '/sh'
            - '/bash'
            - '/dash'
            - '/perl'
            - '/python'
            - '/nc'
            - '/telnet'
    condition: selection
falsepositives:
    - Legitimate administrative troubleshooting (rare)
level: critical
tags:
    - attack.initial_access
    - attack.execution
    - cve.2023.3519
---
id: d2e3f4a5-b6c7-4d5e-9f0a-1b2c3d4e5f6a
title: Citrix Bleed Memory Leak via Large HTTP Response
status: experimental
description: Detects potential exploitation of CVE-2023-4966 ("Citrix Bleed") on Citrix NetScaler ADC and Gateway. This vulnerability allows sensitive information disclosure (session tokens) via a buffer overflow/leak. This rule identifies unusually large HTTP responses from the management interface, indicative of memory content leakage.
references:
    - https://support.citrix.com/article/CTX581492
    - https://nvd.nist.gov/vuln/detail/CVE-2023-4966
author: Security Arsenal
date: 2026/04/06
logsource:
    category: webserver
detection:
    selection:
        cs-method|startswith: 'GET'
        sc-status: 200
        sc-bytes|gt: 1000000 # Numeric 'gt' modifier (Sigma spec v2); threshold set to 1MB as normal web GUI responses are typically much smaller (KBs)
    filter_legitimate_download:
        c-uri|contains: '/downloads/'
    condition: selection and not filter_legitimate_download
falsepositives:
    - Legitimate large file downloads from the Gateway portal (if applicable)
level: high
tags:
    - attack.initial_access
    - attack.credential_access
    - cve.2023.4966

KQL — Microsoft Sentinel / Defender

KQL — Microsoft Sentinel / Defender
// Hunt for exploitation of CVE-2023-3519 (RCE) and CVE-2023-4966 (Citrix Bleed) on Citrix NetScaler ADC/Gateway
// Detects active scanning, attempts to trigger the memory leak (Bleed), NITRO API abuse (RCE), and webshell upload indicators
// Assumes the appliance's HTTP events arrive as CEF in CommonSecurityLog: the User-Agent lands in
// RequestClientApplication and the HTTP status/reason text in Reason (standard CEF-to-CommonSecurityLog mapping)
CommonSecurityLog
| where TimeGenerated > ago(7d)
| where DeviceVendor =~ "Citrix"
| where DeviceProduct has_any ("NetScaler", "ADC", "Gateway")
| where DeviceEventClassID =~ "HTTP"
| where RequestURL has_any (
    "/oauth/idp/.well-known/openid-configuration", // Specific path triggering CVE-2023-4966 (Citrix Bleed)
    "/nitro/v1/config/",                           // NITRO API targeted in CVE-2023-3519 RCE exploits
    "/vpns/portal/scripts/",                       // Common directory for webshell drops
    "/vpns/cfg/smb.conf"                           // Reconnaissance activity
    )
    or RequestURL matches regex @"\.(jsp|php|pl|py|sh|cgi)$" // Suspicious file extensions indicative of webshells
// Exclude standard static asset requests to reduce false positives
// (endswith rather than has: `has ".js"` would match any URL containing the term "js", e.g. a /js/ directory)
| where not (RequestURL endswith ".js" or RequestURL endswith ".css" or RequestURL endswith ".gif" or RequestURL endswith ".ico")
| summarize
    RequestCount = count(),
    StartTime = min(TimeGenerated),
    EndTime = max(TimeGenerated),
    UniqueURLs = dcount(RequestURL),
    SampleURLs = make_set(RequestURL, 20),
    SampleUserAgents = make_set(RequestClientApplication, 10),
    ResponseCodes = make_set(Reason, 10)
    by SourceIP, DestinationIP, DestinationPort
| where RequestCount > 3 // Threshold to identify scanning behavior vs one-off failures
| order by RequestCount desc

Velociraptor VQL

VQL — Velociraptor
name: Hunt.Citrix.Netscaler.CVE20233519.Exploitation
description: |
  This artifact hunts for indicators of compromise associated with the active exploitation
  of CVE-2023-3519 (RCE) and CVE-2023-4966 (Citrix Bleed) on Citrix NetScaler ADC/Gateway.
  It scans for webshells dropped in known directories, suspicious process execution (Perl/Python)
  typical of post-exploitation, and unauthorized outbound network connections.

sources:
  - name: FileSystem/Webshells
    description: |
      Hunt for suspicious file artifacts in known vulnerable paths.
      Threat actors often drop .php, .pl, or .sh webshells in /netscaler/ns_gui, /var/vpn, or /var/tmp.
      We look for small script files that were created or modified in the last 30 days,
      or that carry an execute bit.
    query: |
      SELECT OSPath, Size, Mode.String AS Mode, Mtime, Atime
      FROM glob(globs=[
          "/netscaler/ns_gui/**/*.php",
          "/netscaler/ns_gui/**/*.pl",
          "/netscaler/ns_gui/**/*.sh",
          "/var/vpn/**/*.php",
          "/var/vpn/**/*.pl",
          "/var/netscaler/logon/**/*.php",
          "/var/tmp/**/*.pl",
          "/var/tmp/**/*.sh",
          "/var/netscaler/logon/index.html"
      ])
      WHERE Size < 50000
        AND (Mtime > timestamp(epoch=now() - 30 * 86400)
             OR Mode.String =~ "x")

  - name: Processes/SuspiciousExecution
    description: |
      Hunt for suspicious processes.
      Exploitation of CVE-2023-3519 often results in spawning Perl or Python shells
      or the 'sh' process running as the 'nobody' or 'nsroot' user unexpectedly.
      Interpreters running as neither root nor nsroot are flagged, as is any
      process whose command line references httpd.
    query: |
      SELECT Pid, Ppid, Name, Username, Exe, CommandLine, CreateTime
      FROM pslist()
      WHERE (Name IN ("perl", "python", "python3", "sh", "bash")
             AND NOT (Username IN ("root", "nsroot")))
         OR CommandLine =~ "httpd"

  - name: Network/C2Connections
    description: |
      Hunt for network indicators of Command and Control (C2).
      Identifies established outbound connections initiated by the appliance to external IPs.
      Filters for connections from suspicious shells (perl/sh) or non-standard ports.
      VQL has no JOIN, so each established connection is enriched with its owning
      process through foreach and pslist(pid=...).
    query: |
      SELECT * FROM foreach(
        row={
          SELECT Pid, FamilyString AS Family, TypeString AS Type, Status,
                 Raddr.IP AS RemoteAddr, Raddr.Port AS RemotePort
          FROM netstat()
          WHERE Status = "ESTABLISHED"
        },
        query={
          SELECT Pid, Name, Username, CommandLine,
                 Family, Type, Status, RemoteAddr, RemotePort
          FROM pslist(pid=Pid)
          WHERE Name =~ "perl" OR Name =~ "python" OR Name =~ "^(ba|da)?sh$"
             OR (Type = "TCP" AND NOT (RemotePort IN (80, 443, 22, 53, 123, 161, 67, 68)))
        })

Remediation Script

Bash / Shell
#!/bin/bash
# Title: CVE-2023-3519 & CVE-2023-4966 Citrix NetScaler Audit & Hardening Script
# Description: Checks NetScaler ADC/Gateway build version for vulnerabilities and hunts for IOCs.
# Note: This script is intended to be run on the NetScaler shell (switch to shell via 'shell' command in CLI).
# Requires: Root/Read-only access to system files and logs.

echo "[*] Starting Audit for CVE-2023-3519 & CVE-2023-4966..."

# 1. VERSION CHECK
# Identify if the current build is vulnerable based on Citrix advisories.

# Vulnerable Build Thresholds (Patch levels per Citrix Advisory)
#   Citrix ADC / NetScaler Gateway 14.1 < Build 8.50   (from the "Affected Builds" list above)
#   Citrix ADC / NetScaler Gateway 13.1 < Build 49.15
#   Citrix ADC / NetScaler Gateway 13.0 < Build 91.21
#   Citrix ADC / NetScaler Gateway 12.1 < Build 66.18
#   Citrix ADC 12.1-FIPS                  < Build 66.18

VULNERABLE=false

# Compare the running build against the fixed build for the detected release.
# A build is "main.sub" (e.g. 49.15); both halves are compared as integers so that
# 49.9 is correctly treated as older than 49.15.
check_vulnerable() {
    local ver=$1 build_main=$2 build_sub=$3
    local fixed_main fixed_sub
    case $ver in
        "14.1") fixed_main=8;  fixed_sub=50 ;;
        "13.1") fixed_main=49; fixed_sub=15 ;;
        "13.0") fixed_main=91; fixed_sub=21 ;;
        "12.1") fixed_main=66; fixed_sub=18 ;;
        *)
            echo "    [?] Release $ver is not in the threshold table; verify it against the advisory manually."
            return
            ;;
    esac
    if [ "$build_main" -lt "$fixed_main" ]; then
        VULNERABLE=true
    elif [ "$build_main" -eq "$fixed_main" ] && [ "$build_sub" -lt "$fixed_sub" ]; then
        VULNERABLE=true
    fi
}

echo "[+] Checking NetScaler Version..."
VERSION_INFO=$(nsconmsg -K /var/nslog/kernel.debug -d stats 2>/dev/null | grep "Sys" | grep "Software version")
# Pull the release (e.g. 13.1) and the build (e.g. 49.15) out of the version line.
# The release is the "major.minor" number that precedes "Build"; the build follows it.
CURRENT_VERSION=$(echo "$VERSION_INFO" | sed -nE 's/.*[^0-9.]([0-9]+\.[0-9]+)[^0-9]*Build .*/\1/p')
CURRENT_BUILD=$(echo "$VERSION_INFO" | sed -nE 's/.*Build ([0-9]+\.[0-9]+).*/\1/p')

if [ -z "$CURRENT_VERSION" ] || [ -z "$CURRENT_BUILD" ]; then
    echo "    [!] Could not parse the version string; run 'show version' from the CLI and compare manually."
else
    echo "    Detected: Version $CURRENT_VERSION Build $CURRENT_BUILD"
    # Split the build into its main and sub components (e.g. 49.15 -> 49 and 15)
    IFS='.' read -r BUILD_MAIN BUILD_SUB <<< "$CURRENT_BUILD"
    check_vulnerable "$CURRENT_VERSION" "$BUILD_MAIN" "${BUILD_SUB:-0}"
    if [ "$VULNERABLE" = true ]; then
        echo "    [!] ALERT: System is running a vulnerable build for CVE-2023-3519 / CVE-2023-4966."
        echo "    [!] ACTION REQUIRED: Patch immediately to the latest recommended build."
    else
        echo "    [OK] Version appears patched based on build number (Verify latest patch notes)."
    fi
fi

# 2. CVE-2023-3519 IOC HUNT (RCE / Webshell)
# Hunt for suspicious files created in directories often used by exploit chains.
echo "[+] Hunting for RCE/Compromise Indicators (CVE-2023-3519)..."

# Check /var/vpn/ for recently modified suspicious scripts
if [ -d "/var/vpn" ]; then
    echo "    Scanning /var/vpn for suspicious scripts (.pl, .sh, .py)..."
    find /var/vpn -type f \( -name "*.pl" -o -name "*.sh" -o -name "*.py" \) -mtime -30 2>/dev/null |
    while read -r file; do
        echo "    [!] SUSPICIOUS FILE FOUND: $file"
    done
fi

# Check /netscaler/ns_gui/vpn/ for webshells
if [ -d "/netscaler/ns_gui/vpn" ]; then
    echo "    Scanning /netscaler/ns_gui/vpn for unusual file modifications..."
    # Look for php or pl files where they shouldn't be, or recently touched files
    find /netscaler/ns_gui/vpn -type f -mtime -30 2>/dev/null |
    while read -r file; do
        echo "    [!] RECENTLY MODIFIED FILE: $file"
    done
fi

# Check for persistent cron jobs (Exploit often drops a crontab for root)
if [ -f "/var/spool/cron/crontabs/root" ]; then
    echo "    Checking root crontab for persistence..."
    # Look for wget/curl/perl execution patterns often used in these exploits
    if grep -qE "(wget|curl|perl|python)" /var/spool/cron/crontabs/root; then
        echo "    [!] ALERT: Suspicious commands found in root crontab!"
        cat /var/spool/cron/crontabs/root
    else
        echo "    [OK] No obvious persistence mechanisms in root crontab."
    fi
fi

# 3. CVE-2023-4966 LOG HUNT (Citrix Bleed)
# Look for exploitation attempts in HTTP access logs.
echo "[+] Hunting for Citrix Bleed Exploitation Indicators (CVE-2023-4966)..."

# Common log location on NetScaler
# If rotated, check the .gz or .old files usually in /var/log/
LOG_FILE="/var/log/httpaccess.log"
OIDC_ENDPOINT="/oauth/idp/.well-known/openid-configuration"

if [ -f "$LOG_FILE" ]; then
    echo "    Analyzing $LOG_FILE for sensitive session disclosure patterns..."

    # Pattern 1: Specific endpoint targeted by the exploit
    # Threat actors request /oauth/idp/.well-known/openid-configuration
    ENDPOINT_HITS=$(grep -c -F "$OIDC_ENDPOINT" "$LOG_FILE" 2>/dev/null)
    if [ "${ENDPOINT_HITS:-0}" -gt 0 ]; then
        echo "    [!] Found $ENDPOINT_HITS requests to the OIDC endpoint."
        echo "    Extracting User-Agents and IPs associated with these requests..."
        # In the combined log format the User-Agent is the 6th double-quoted field and $1 starts with the client IP
        grep -F "$OIDC_ENDPOINT" "$LOG_FILE" | awk -F'"' '{print $6, $1}' | tail -n 20
    else
        echo "    [OK] No hits on the OIDC endpoint found in current log."
    fi

    # Pattern 2: Abnormal Accept-Encoding headers (The vulnerability triggers on specific headers)
    # While the specific high-byte header is binary, the request often results in a 400 or specific malformed HTTP logs
    # We look for a high volume of requests to this endpoint resulting in 400/500 errors.
    echo "    Checking for 400/500 errors on OIDC endpoint..."
    IOC_TMP=$(mktemp /tmp/citrix_bleed_ioc.XXXXXX)
    # Match the status code that follows the request line, e.g. ... HTTP/1.1" 400 ...
    grep -F "$OIDC_ENDPOINT" "$LOG_FILE" | grep -E 'HTTP/[0-9.]+" (400|499|500)' > "$IOC_TMP"
    if [ -s "$IOC_TMP" ]; then
        echo "    [!] Potential exploit attempts detected (Errors on OIDC endpoint):"
        cat "$IOC_TMP"
    else
        echo "    [OK] No error-based exploitation patterns found."
    fi
    rm -f "$IOC_TMP"
else
    echo "    [!] Log file $LOG_FILE not found. Cannot perform log hunt."
fi

# 4. HARDENING RECOMMENDATION
# Ensure 'nslog' mode is secure
echo "[+] Checking basic hardening..."
if [ -f "/nsconfig/ns.conf" ]; then
    if grep -q "set ns param -nsloglevel ERROR" /nsconfig/ns.conf; then
        echo "    [OK] NS Log level appears restricted."
    else
        echo "    [INFO] Consider setting nsloglevel to ERROR or EMERGENCY to reduce verbosity if not needed for debugging."
    fi
fi

echo "[*] Audit Complete."
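The three Citrix Bleed heuristics used on this page (the OIDC-endpoint request count and error-status check from section 3 of the audit script, the per-source scanning threshold from the KQL hunt, and the oversized-response selection with its `/downloads/` filter from the second Sigma rule) can be run offline over an exported `httpaccess.log`. The following Python is an added example, not code from the original advisory: it assumes the log uses the Apache combined log format, and the sample lines embedded in it are constructed (one noisy scanner, one ordinary portal user, one malformed line that the parser must skip).

```python
import re
from collections import defaultdict

# Endpoint and thresholds drawn from the Sigma rule, KQL hunt and audit script on this page.
OIDC_ENDPOINT = "/oauth/idp/.well-known/openid-configuration"
SCAN_THRESHOLD = 3                # KQL: more than 3 hits from one source is scanning, not a one-off
LARGE_RESPONSE_BYTES = 1_000_000  # Sigma: responses over 1 MB are abnormal for the web GUI
ERROR_STATUSES = {400, 499, 500}  # audit script: error codes it greps for on the OIDC endpoint

# Combined log format (layout assumed for this example):
# client - user [timestamp] "METHOD /uri HTTP/x.y" status bytes "referer" "user-agent"
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "[^"]*" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Parse one access-log line into a dict; return None for lines that do not fit the format."""
    m = _LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def hunt(lines):
    """Apply the heuristics per source IP and return only the sources that trip a threshold."""
    blank = lambda: {"oidc_hits": 0, "oidc_errors": 0, "large_responses": 0, "user_agents": set()}
    per_ip = defaultdict(blank)
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue  # unparseable line: skip rather than abort the whole hunt
        stats = per_ip[rec["ip"]]
        if rec["uri"].startswith(OIDC_ENDPOINT):
            stats["oidc_hits"] += 1
            stats["user_agents"].add(rec["ua"])
            if rec["status"] in ERROR_STATUSES:
                stats["oidc_errors"] += 1
        # Large successful GET outside the download area: the Sigma rule's selection minus its filter
        if (rec["method"] == "GET" and rec["status"] == 200
                and rec["bytes"] > LARGE_RESPONSE_BYTES and "/downloads/" not in rec["uri"]):
            stats["large_responses"] += 1

    findings = {}
    for ip, s in per_ip.items():
        reasons = []
        if s["oidc_hits"] > SCAN_THRESHOLD:
            reasons.append("repeated OIDC endpoint requests")
        if s["oidc_errors"] > 0:
            reasons.append("errors on OIDC endpoint")
        if s["large_responses"] > 0:
            reasons.append("oversized response")
        if reasons:
            findings[ip] = {
                "reasons": reasons,
                "user_agents": sorted(s["user_agents"]),
                "oidc_hits": s["oidc_hits"],
                "oidc_errors": s["oidc_errors"],
                "large_responses": s["large_responses"],
            }
    return findings


# Constructed sample lines (not real traffic) in the assumed combined log format.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Apr/2026:10:00:01 +0000] "GET /oauth/idp/.well-known/openid-configuration HTTP/1.1" 200 24576 "-" "python-requests/2.31.0"
203.0.113.10 - - [05/Apr/2026:10:00:02 +0000] "GET /oauth/idp/.well-known/openid-configuration HTTP/1.1" 200 24576 "-" "python-requests/2.31.0"
203.0.113.10 - - [05/Apr/2026:10:00:03 +0000] "GET /oauth/idp/.well-known/openid-configuration HTTP/1.1" 400 0 "-" "python-requests/2.31.0"
203.0.113.10 - - [05/Apr/2026:10:00:04 +0000] "GET /oauth/idp/.well-known/openid-configuration HTTP/1.1" 200 24576 "-" "python-requests/2.31.0"
198.51.100.7 - - [05/Apr/2026:10:05:00 +0000] "GET /vpn/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Apr/2026:10:05:01 +0000] "GET /downloads/plugin.exe HTTP/1.1" 200 31457280 "-" "Mozilla/5.0"
this line is not in the expected format
""".splitlines()

if __name__ == "__main__":
    for ip, f in hunt(SAMPLE_LOG).items():
        print(f"{ip}: {', '.join(f['reasons'])} (oidc_hits={f['oidc_hits']}, errors={f['oidc_errors']})")
```

Feed it the rotated `.old`/`.gz` files as well as the live log, since the window of interest often predates the current file; the thresholds are module-level constants so they can be tuned to a portal that legitimately serves large downloads.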

Remediation

Immediate Action Items

  1. Apply Patches Immediately: Upgrade to the latest build listed in the "Affected Products" section above. Rebooting the appliance is required for the patch to take effect.
  2. Kill Active Sessions: After patching, terminate all active VPN and AAA sessions to invalidate any potentially stolen session tokens (CVE-2023-4966).
  3. Credential Rotation: Assume that credentials (especially service accounts used behind the appliance) may have been compromised. Rotate all privileged credentials.

Network Compensating Controls

If patching is not immediately possible, implement the following mitigations:

  • Block Management Interfaces: Ensure the NSIP (NetScaler IP) and SNIP (Subnet IP) management interfaces are not accessible from the internet. Block inbound traffic to TCP ports 80, 443, 8080, and 6711 (if used for management) from untrusted networks.
  • Segregate Gateway Traffic: If the VPN is essential, enforce strict network segmentation behind the appliance to limit blast radius if the appliance is compromised.

Forensic Investigation

If you suspect exploitation based on the hunting guidance above:

  1. Preserve the volatile memory (RAM dump) of the appliance.
  2. Image the hard drive for offline webshell analysis.
  3. Review the /var/log/ and /var/tmp/ directories for artifacts left by attackers.

Official Vendor Advisory: Citrix Security Bulletin CTX579458
