Cloud giant Citrix has confirmed earlier reports of a critical vulnerability in some of its products being abused in the wild.
It released a patch for the flaw and urged users to apply it immediately and make sure they’re safe from hackers.
The vulnerability in question is tracked as CVE-2023-4966. It carries a severity score of 9.4 and affects NetScaler ADC and NetScaler Gateway.
Evidence of abuse
Prior to Citrix’s reaction, both Mandiant and CISA warned about the flaw. Mandiant said hackers were probably using it to hijack authentication sessions and steal corporate data since August. CISA, on the other hand, wasn’t that specific, saying the vulnerability was “unknown” but “used in ransomware campaigns”.
In the meantime, someone posted a proof-of-concept for the flaw, nicknamed Citrix Bleed, on GitHub, The Register reports. “So if you are using an affected build, at this point assume you’ve been compromised, apply the update, and then kill all active sessions per Citrix’s advice from Monday,” the publication wrote.
Together with the patch, Citrix sounded a rather ominous alarm of real-life abuse: “We now have reports of incidents consistent with session hijacking, and have received credible reports of targeted attacks exploiting this vulnerability.”
The company refrained from sharing other information, such as who is attacking whom, what they’re after, whether they’re deploying any malware, or even how many victims there are. “The security bulletin and blog are the extent of our external statements at this time,” a Citrix spokesperson told The Register, suggesting that sharing more information could lead other hackers to discover and abuse the flaw themselves. A bit too late for that, given that Citrix Bleed is already published.
Mandiant claims the victims are mostly tech firms, government organizations, and professional services companies. The company’s CTO, Charles Carmakal, said that while current exploits revolve around stealing data, it’s just a matter of time before they start revolving around money.