
Urgent Update: Citrix Recommends Patching for NetScaler ADC and Gateway Users

Warnings issued about session hijacking and targeted attacks against a critical vulnerability.

"Citrix advises users of NetScaler ADC and Gateway products to apply patches immediately"

In a recent development, cybersecurity firm Mandiant has warned that authenticated sessions can persist after the patch is applied for a critical vulnerability in Citrix NetScaler ADC and NetScaler Gateway. This vulnerability, identified as CVE-2023-4966, poses a significant risk of data disclosure.

Citrix has urged customers to upgrade to the latest versions of NetScaler ADC and NetScaler Gateway to address this vulnerability, as well as related issues like CVE-2025-5777 (CitrixBleed 2) and CVE-2025-6543. The urgency for prompt patching is underscored by reports of targeted attacks against the critical vulnerability.

The vulnerability is most critical when NetScaler ADC is configured as a gateway or as an AAA virtual server. However, managed cloud and Adaptive Authentication customers do not need to take additional action, according to Citrix.

The latest recommendations emphasize comprehensive monitoring, configuration hardening, and immediate application of official Citrix patches. Organizations must upgrade to the latest firmware versions of NetScaler ADC and Gateway as per Citrix advisories such as CTX694788 and CTX693420.

After upgrades, it is recommended to clear persisted sessions and restart affected services to avoid session hijacking risks. Monitoring session integrity is crucial, as some vulnerabilities leak session tokens from memory.
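As an added example (not from Citrix, Mandiant or the original article), the following Python script checks exported session records for the two conditions described above: sessions that predate the upgrade and are still active afterwards, and a single session ID used from more than one client address. The log layout, function names, upgrade time and sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records: timestamp, session id, client IP.
# The field layout is an assumption; map it to whatever your log pipeline exports.
SAMPLE_LOG = """\
2023-10-09T08:00:00 sess-a1 198.51.100.10
2023-10-09T09:30:00 sess-b2 198.51.100.22
2023-10-10T14:05:00 sess-a1 198.51.100.10
2023-10-10T15:10:00 sess-b2 203.0.113.77
2023-10-10T15:20:00 sess-c3 198.51.100.31
2023-10-10T16:00:00 sess-c3 198.51.100.31
"""

def parse(log_text):
    """Yield (timestamp, session_id, client_ip) from whitespace-separated lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        ts, sid, ip = parts
        yield datetime.fromisoformat(ts), sid, ip

def review_sessions(log_text, patched_at):
    """Return sessions that need attention after the upgrade.

    survived_patch: first seen before patched_at and still active afterwards,
                    so they were not cleared and a leaked token would still work.
    multi_ip:       one session id used from more than one client address.
    """
    first_seen, last_seen, ips = {}, {}, defaultdict(set)
    for ts, sid, ip in parse(log_text):
        first_seen[sid] = min(ts, first_seen.get(sid, ts))
        last_seen[sid] = max(ts, last_seen.get(sid, ts))
        ips[sid].add(ip)
    survived = sorted(s for s in first_seen
                      if first_seen[s] < patched_at <= last_seen[s])
    multi_ip = {s: sorted(a) for s, a in ips.items() if len(a) > 1}
    return {"survived_patch": survived, "multi_ip": multi_ip}

if __name__ == "__main__":
    # patched_at is a constructed upgrade time for the sample data.
    print(review_sessions(SAMPLE_LOG, datetime(2023, 10, 10, 12, 0)))
```

A session in `multi_ip` is a triage signal, since roaming clients and NAT changes also produce it; a session in `survived_patch` means the post-upgrade session clearing did not reach it.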

To detect potential exploitation attempts, security analytics tools like Splunk with Citrix integration and threat intelligence feeds can be employed. These tools can help identify the distinctive attack signatures of CitrixBleed and CitrixBleed 2, which have been actively scanned for globally since mid-2025.

Network-level controls and segmentation should also be used to minimize direct exposure of ADC and Gateway endpoints to untrusted networks. Reports estimate nearly 70,000 NetScaler instances are publicly accessible online, increasing the risk.

Citrix confirmed active exploit attempts for CVE-2025-6543, a memory overflow vulnerability causing potential denial of service and control flow hijacking. Organizations should patch and configure appliances to mitigate this alongside memory leak issues.

The Cybersecurity and Infrastructure Security Agency added NetScaler ADC and NetScaler Gateway to its Known Exploited Vulnerabilities catalog last week. Patches to address CVE-2023-4966 were released by Citrix on Oct. 10.

In summary, the latest recommended approach is to apply all Citrix patches for CVE-2023-4966 and related vulnerabilities promptly, validate system integrity post-upgrade, employ active detection tools for exploitation attempts, reduce public exposure of NetScaler appliances, and address session persistence carefully to prevent hijacking risks. This proactive posture is essential to mitigate ongoing and emerging threats targeting Citrix NetScaler ADC and Gateway infrastructure.

  1. The recent warning from cybersecurity firm Mandiant highlights the significance of cybersecurity in the face of vulnerabilities like CVE-2023-4966, which, if left unpatched, can lead to data disclosure.
  2. In light of the urgency to address CVE-2023-4966 and related vulnerabilities such as CVE-2025-5777 and CVE-2025-6543, technology companies like Citrix are emphasizing the importance of prompt patching, configuration hardening, and comprehensive monitoring.
  3. With the Cybersecurity and Infrastructure Security Agency adding NetScaler ADC and NetScaler Gateway to its Known Exploited Vulnerabilities catalog, general-news outlets and crime-and-justice sectors are highlighting the need for proactive measures to protect against cyber attacks.
