On May 6, 2024, Bishop Fox publicly disclosed a vulnerability along with a proof of concept (PoC) exploit in Citrix NetScaler ADC and Gateway, identified as an unauthenticated out-of-bounds memory read issue in the components used for Authentication, Authorization, and Auditing (AAA). This vulnerability enables attackers to potentially retrieve sensitive data from the memory of the affected appliance including HTTP request bodies, which may contain credentials for accessing Citrix NetScaler ADC and gateway appliances, as well as cookies. A specific Common Vulnerabilities Exposures (CVE) ID for this vulnerability or Common Vulnerability Scoring System (CVSS) score is not available at this time.
Although Arctic Wolf has not observed active exploitation of this vulnerability in the wild, Bishop Fox has stated this vulnerability is nearly identical to Citrix Bleed, a critical vulnerability exploited by multiple ransomware threat actors in late 2023 to target several industries, except it is less likely to return highly sensitive information to an attacker. Arctic Wolf assesses that threat actors are likely to draw their attention to this vulnerability due to the close similarities with Citrix Bleed and its potential impact upon exploitation.
Recommendation
Upgrade To a Fixed Version of Citrix NetScaler ADC and Gateway
Arctic Wolf strongly recommends upgrading to version 13.1-51.15 or later to address this vulnerability.
| Affected Product | Affected Versions | Fixed Version |
| Citrix NetScaler ADC and Gateway | 13.1-50.23 | 13.1-51.15 or later |
Please follow your organization’s patching and testing guidelines to avoid any operational impact.
