CVE-2023-4966
CRITICAL · 9.4 · KEV · EPSS 100.0%
KEV-listed; near-perfect EPSS; active exploitation confirmed; posts conflate with newer variant but underlying vuln widely exploited.
What: Sensitive information disclosure in Citrix NetScaler ADC/Gateway (VPN, ICA Proxy, CVPN, RDP Proxy, AAA virtual servers) via pre-auth memory overread; CVSS 9.4 CRITICAL, EPSS 0.99999.
Why it matters: KEV-listed 2023-10-18; EPSS shows near-perfect exploitation likelihood; unauthenticated attackers can extract credentials and session data from memory without logging in. Active exploitation has been observed in the wild since October 2023.
Where it's seen: Social posts reference "CitrixBleed" and a different CVE (CVE-2026-8451), suggesting confusion or misattribution; however, CVE-2023-4966 itself drove massive remediation waves and vendor patches in Q4 2023–Q1 2024.
RISK: CRITICAL — Pre-auth memory leak enabling credential theft; thousands of internet-facing NetScalers vulnerable; exploitation trivial.
Description
Sensitive information disclosure in NetScaler ADC and NetScaler Gateway when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.
CVSS 3.1 breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
- Attack vector: Network
- Complexity: Low
- Privileges required: None
- User interaction: None
- Scope: Unchanged
- Confidentiality: High
- Integrity: High
- Availability: Low
Affected versions
- citrix/netscaler_application_delivery_controller
  - 12.1 – < 12.1-55.300
  - 13.0 – < 13.0-92.19
  - 13.1 – < 13.1-37.164
  - 13.1 – < 13.1-49.15
  - 14.1 – < 14.1-8.50
- citrix/netscaler_gateway
  - 13.0 – < 13.0-92.19
  - 13.1 – < 13.1-49.15
  - 14.1 – < 14.1-8.50
Weaknesses
Vendors
- citrix
Products
- netscaler_application_delivery_controller
- netscaler_gateway