CVE-2023-4966
Confirmed PUBLISHEDUnauthenticated sensitive information disclosure
Recommended Action
Prioritize immediate patching and validate internet-facing exposure. Monitor for matching exploitation attempts in your environment.
At a Glance
Sensitive information disclosure in NetScaler ADC and NetScaler Gateway when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.
- CVE Published
- Oct 10, 2023
- Exploitation Reported
- Oct 18, 2023
- CVSS
- 9.4 Critical
- EPSS
- 100.0%
Affected Versions
| Vendor | Product | Version | Status |
|---|---|---|---|
| Citrix |
NetScaler ADC
|
14.1 to < 8.50 |
Affected |
| Citrix |
NetScaler ADC
|
13.1 to < 49.15 |
Affected |
| Citrix |
NetScaler ADC
|
13.0 to < 92.19 |
Affected |
| Citrix |
NetScaler ADC
|
13.1-FIPS to < 37.164 |
Affected |
| Citrix |
NetScaler ADC
|
12.1-FIPS to < 55.300 |
Affected |
| Citrix |
NetScaler ADC
|
12.1-NDcPP to < 55.300 |
Affected |
| Citrix |
NetScaler Gateway
|
14.1 to < 8.50 |
Affected |
| Citrix |
NetScaler Gateway
|
13.1 to < 49.15 |
Affected |
| Citrix |
NetScaler Gateway
|
13.0 to < 92.19 |
Affected |
CVE References
- support.citrix.com/article/CTX579459 support.citrix.com · CVE Record https://support.citrix.com/article/CTX579459
- packetstormsecurity.com/files/175323/Citrix-Bleed-Session-Token-Leak... packetstormsecurity.com · CVE Record http://packetstormsecurity.com/files/175323/Citrix-Bleed-Session-Toke...
Recommended Actions
- Prioritize immediate patching and validate internet-facing exposure. Monitor for matching exploitation attempts in your environment.
- Review sensor telemetry for request paths, attacker IPs, and payload patterns that may inform detection and exposure validation.
- Check enrichment artifacts for scanner coverage and available PoCs before rolling remediation validation.
- Use the Pro API to automate enrichment, telemetry, and workflow delivery for VM, SOC, and CTI pipelines.
Known Exploited Vulnerability Sources
Catalogues that list this CVE as a known exploited vulnerability.
Per-source evidence links for KEV attestations are available through the KEVIntel Pro API.
Learn about Pro API access| Source | Added |
|---|---|
| CISA First | 2023-10-18 00:00 UTC |
| The Shadowserver | 2026-05-30 00:00 UTC |
| Tenable Blog | 2026-06-02 14:20 UTC |
| KEVIntel | 2026-07-07 07:59 UTC |
Operational indicators for this CVE are listed on the Detection tab.
Observed Exploitation Attempts
Exploitation attempts against this vulnerability observed first-hand by KEVIntel private honeypots over the last 30 days.
- Attempts Observed
- 2
- Unique Attacker IPs
- 2
- Attacker Countries
- 🇳🇱 🇺🇸
- Sensors Observed
- 2
Exploitation Attempts Over the Last 39 Days
First observed (all time) 2026-06-12 00:33 UTC · Last observed 2026-07-19 02:10 UTC
See more exploitation detail
- Pro — sensor software/region breakdown and 24h/7d window summaries.
- Enterprise — raw attacker IPs, request paths, User-Agents, and payloads.
Indicators of Compromise (IoCs)
Attacker IP IoCs observed in KEVIntel sensors are available to Pro and Enterprise accounts on the Detection tab and through the Pro API.
Learn about Pro API accessObserved Detection Signals (30d)
Aggregate counts from KEVIntel sensor telemetry for this CVE.
- Distinct request paths
- 1
- Distinct User-Agents
- 1
The specific request paths and User-Agents attackers are using are available on Pro and Enterprise plans.
Scanner Artifacts
Nuclei and Metasploit references linked to this CVE.
| Scanner | Reference | Detected |
|---|---|---|
| Nuclei | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2023/CVE-2023-4966.yaml | Apr 25, 2025 |
Virtual Patch
Compensating WAF rules to help reduce exposure to this CVE. Rule content and deployable vendor exports are available with KEVIntel Enterprise.
KEVIntel does not currently have a virtual patch for this CVE. When available, KEVIntel virtual patches ship as deployable ModSecurity, Cloudflare, and AWS WAF rules.
Enterprise feature. Virtual patch rule content and deployable vendor exports (ModSecurity, Cloudflare, AWS WAF) are available to KEVIntel Enterprise users.
CVSS Scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Exploitation Status
Exploited in the wild
Recorded 2023-10-18 00:00:00 UTC · CISA
Active exploitation observed
Recorded 2026-06-12 00:33:14 UTC · KEVIntel sensor
Used in malware
Recorded 2023-10-18 00:00:00 UTC · CISA
Proof of concept available
Recorded 2023-10-24 17:19:32 UTC · GitHub
Weaknesses (CWE)
-
Improper Restriction of Operations within the Bounds of a Memory Buffer
Scanner Integrations
| Scanner | Reference | Detected |
|---|---|---|
| Nuclei | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2023/CVE-2023-4966.yaml | Apr 25, 2025 |
Recent Mentions
Tenable Blog · May 27, 2026
Tenable Research has developed a graph-based model linking 600+ threat groups to real-world customer exposures. It reveals which vulnerabilities sit at the intersection of severity, active exploitation, and organizational risk.Key takeawaysThe "patch everything" strategy is dead: Vulnerability prioritization based on exploitation risk offers a path forward. A directed graph model linking 600+ threat actors to vulnerabilities in 7,800 customer environments reveals that 68% of organizations carry at least one CVE previously exploited by a named adversary, and 321 tracked threat groups can reach at least one customer environment through an active vulnerability. Prevalence of "Elite Arsenal" CVEs requires immediate attention: The 242 "Elite Arsenal" CVEs — those meeting all three criteria of critical VPR (≥ 9), CISA KEV listing, and documented threat group exploitation — are nearly universally present across the studied customer base, with 241 of 242 actively detected. More than half are five or more years old, and 78% of the persistently exploited core are simultaneously weaponized by nation-state APTs, commodity malware operators, and ransomware gangs. Non-CVE exposures are universally dangerous: Non-CVE exposures, including misconfigurations, weak credentials, and end-of-life software, are present in virtually 100% of studied organizations, with 60% carrying at least one that maps to a tracked threat actor's preferred techniques. Preliminary modeling suggests these exposures may confer more breach risk than CVE-linked findings, yet no industry-standard scoring infrastructure exists to prioritize them.While the first two posts in this blog series documented the accelerating vulnerability flood and the widening remediation gap, today we answer the outstanding question: Where do these forces actually collide inside customer environments? Using a directed graph model that maps more than 600 tracked threat groups to vulnerabilities observed across 7,800 organizations,...
Tenable Blog · Apr 25, 2025
Timely vulnerability remediation is an ongoing challenge for organizations as they struggle to prioritize the exposures that represent the greatest risk to their operations. Existing scoring systems are invaluable but can lack context. Here’s how Tenable’s Vulnerability Watch classification system can help.BackgroundOver the past six years working in Tenable’s research organization, I’ve watched known vulnerabilities and zero-day flaws plague organizations in the immediate aftermath of disclosure or even years afterwards. Following each blog post or threat report we’ve published, I kept coming back to the same question: Why are so many organizations struggling to remediate vulnerabilities in a timely manner?As someone who followed the evolution of COVID-19 variants throughout the beginning of the pandemic, I saw that the World Health Organization (WHO) began to label new variants under a classification system as the virus began to mutate. This classification system was designed to help prioritization efforts for monitoring and research. It included accessible labels like variants of interest and variants of concern to help communicate urgency and focus global attention.I began to wonder: What if we borrowed from the same type of classification system used by the WHO and applied it to vulnerability intelligence? Numeric-based systems like the Common Vulnerability Scoring System (CVSS) and Exploit Prediction Scoring System (EPSS) provide mechanisms for prioritization based on scoring. However, they don’t always provide enough context to help decision makers. So, what if we used simple, clear and status-based terminology to communicate risks surrounding vulnerabilities in order to guide action?This led us to develop Vulnerability Watch, a classification system for vulnerabilities inspired by the WHO’s classification of COVID-19 variants. Vulnerability Watch is a small, but important part of Tenable’s Vulnerability Intelligence offering that was launched in 2024. Now,…
Potential Proof of Concepts
These PoCs are unverified and could contain malware. Use at your own risk.
github · Created 2023-10-29 15:31:37 UTC · 9 stars
An Exploitation script developed to exploit the CVE-2023-4966 bleed citrix information disclosure vulnerability
github · Created 2023-10-27 11:00:09 UTC · 0 stars
CVE-2023-4966 - NetScaler ADC and NetScaler Gateway Memory Leak Exploit
github · Created 2023-10-25 12:37:56 UTC · 6 stars
Proof Of Concept for te NetScaler Vuln
github · Created 2023-10-24 17:19:32 UTC · 75 stars
Sensitive information disclosure in NetScaler ADC and NetScaler Gateway when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.
nuclei · Created Unknown
Timeline
Key exploitation, disclosure, scanner coverage, and KEV attestation events for this CVE.
-
00:33 UTC about 1 month ago00:33 UTC · about 1 month ago
Observed by KEVIntel sensors
Evidence-backed exploitation signal
-
00:33 UTC about 1 month ago00:33 UTC · about 1 month ago
Indicators of compromise added (3)
Indicators of compromise recorded
-
14:20 UTC about 2 months ago14:20 UTC · about 2 months ago
KEV confirmed by Tenable Blog
Exploitation attested by an external source
-
00:00 UTC about 2 months ago00:00 UTC · about 2 months ago
KEV confirmed by The Shadowserver
Exploitation attested by an external source
-
00:00 UTC about 1 year ago00:00 UTC · about 1 year ago
Nuclei template available
Scanner coverage available
-
17:19 UTC over 2 years ago17:19 UTC · over 2 years ago
Public PoC available
Public proof-of-concept code published
-
00:00 UTC almost 3 years ago00:00 UTC · almost 3 years ago
Added to CISA KEV
Listed in the CISA Known Exploited Vulnerabilities catalog
-
00:00 UTC almost 3 years ago00:00 UTC · almost 3 years ago
First public exploitation report
Exploit observed in malware
-
13:12 UTC almost 3 years ago13:12 UTC · almost 3 years ago
CVE published
Vulnerability disclosed publicly
-
15:51 UTC almost 3 years ago15:51 UTC · almost 3 years ago
CVE ID reserved
Identifier reserved by the CNA
Automate This Intelligence with the Pro API
Confidence scoring, exploit status, sensor telemetry, PoCs, scanner integrations, mentions, and tags are available programmatically for VM, SOC, and CTI workflows.
Pro API Example
GET /api/v2/pro/kevs/CVE-2023-4966
{
"cve_id": "CVE-2023-4966",
"title": "Unauthenticated sensitive information disclosure",
"affected_vendor": "Citrix",
"affected_product": "NetScaler ADC, NetScaler Gateway",
"affected_versions": [
{ "vendor": "...", "product": "...", "status": "affected", "display_label": "..." }
],
"confidence": "Confirmed",
"cvss_score": 9.4,
"epss_score": 0.99999,
"exploit_status": {
"exploited_in_the_wild": true,
"active_exploitation_observed": true
},
"sensor_telemetry": { "...": "Pro API fields" },
"proof_of_concepts": [ "..." ],
"scanner_integrations": [ "..." ]
}