Businesses are being urged to apply a crucial patch as a critical information-disclosure bug affecting some Citrix Netscaler appliances faces “mass exploitation” by cyber criminals.

On 10 October, US-based cloud computing company Citrix disclosed a flaw in its Netscaler Application Delivery Controller and Netscaler Gateway remote access products.

The flaw – tracked as CVE-2023-4966 and dubbed “Citrix Bleed” by security communities – enables attackers to access a target device’s memory and locate session tokens in order to impersonate legitimate users – effectively exposing enterprise networks to malicious access.

Carrying a severity rating of 9.4 out of 10, the vulnerability also lets attackers bypass multi-factor authentication (MFA): the exposed session tokens belong to sessions that have already authenticated successfully, including sessions that completed MFA, so presenting a stolen token never triggers a second factor.

“If exploited, CVE-2023-4966 can result in unauthorised data disclosure,” Citrix wrote.

“We now have reports of incidents consistent with session hijacking and have received credible reports of targeted attacks exploiting this vulnerability.”

Citrix, which services more than 400,000 companies around the world including 99 per cent of the Fortune 500, issued a patch for the flaw on 10 October – but experts report many businesses are yet to install it.

Non-profit security organisation Shadowserver detected around 5,500 public-facing Citrix devices still vulnerable as of 30 October, while threat intelligence company GreyNoise has observed 160 unique IP addresses attempting to exploit the flaw between 2 October and now.

According to Chris Duggan, director of cyber threat intelligence at cyber security solutions provider KryptoKloud, the IP addresses themselves have been linked to initial access brokers (threat actors that infiltrate systems and networks, then sell unauthorised access to other malicious actors), as well as notorious ransomware groups AlphV and BlackBasta.

Businesses urged to patch

Given the severity of the flaw and that the relevant patch has been available for over three weeks, Citrix and security experts are urging system administrators to patch the flaw immediately.

For many businesses the damage might already be done, as researchers from Google-owned cyber security firm Mandiant claim to have found evidence of Citrix Bleed being exploited since late August.

“A threat actor could utilise this method to harvest additional credentials, laterally pivot, and gain access to additional resources within an environment,” said Mandiant.

Furthermore, security expert Kevin Beaumont – who claims to have tracked more than 20,000 exploited servers as of Saturday – suggests applying the patch alone may not be enough, because session tokens stolen before patching remain valid until they are revoked.

Citrix later echoed this in a blog post recommending users “kill” all active and persistent sessions to prevent future abuse of misappropriated session tokens.
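To make concrete why the advice goes beyond patching, the following is an added example in Python, not code from the article or from Citrix. It models an appliance's session table: tokens issued before the patch remain valid after the patch until they are explicitly revoked, and a revocation cutoff set at patch time is what actually closes the gap. The store, the `revoke_all_before` and `validate` functions, and every token, timestamp, username and address are constructed for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, Optional, Tuple


@dataclass
class Session:
    token: str
    user: str
    issued_at: datetime
    mfa_verified: bool
    client_ip: str


@dataclass
class SessionStore:
    """Minimal model of a gateway's session table (constructed for illustration)."""
    sessions: Dict[str, Session] = field(default_factory=dict)
    # Sessions issued before this cutoff are treated as exposed and rejected.
    revoke_before: Optional[datetime] = None

    def issue(self, token: str, user: str, issued_at: datetime,
              mfa_verified: bool, client_ip: str) -> Session:
        s = Session(token, user, issued_at, mfa_verified, client_ip)
        self.sessions[token] = s
        return s

    def revoke_all_before(self, cutoff: datetime) -> int:
        """Invalidate every session issued before `cutoff` (e.g. the patch time).
        Returns the number of sessions dropped from the table."""
        self.revoke_before = cutoff
        stale = [t for t, s in self.sessions.items() if s.issued_at < cutoff]
        for t in stale:
            del self.sessions[t]
        return len(stale)

    def validate(self, token: str, client_ip: str) -> Tuple[bool, str]:
        """Decide whether a presented token is accepted and say why.
        MFA is never re-challenged here: a known token is enough, which is
        exactly why a harvested token bypasses MFA."""
        s = self.sessions.get(token)
        if s is None:
            return False, "unknown or revoked token"
        if self.revoke_before is not None and s.issued_at < self.revoke_before:
            return False, "token issued before revocation cutoff"
        if s.client_ip != client_ip:
            # Still accepted, but worth logging: the token now arrives from a
            # different address than the one that completed authentication.
            return True, "accepted (client address differs from login address)"
        return True, "accepted"


def demo() -> dict:
    """Walk the timeline the article describes: token issued before the patch,
    patch applied, token replayed, then all pre-patch sessions killed."""
    store = SessionStore()
    t_login = datetime(2023, 10, 1, 9, 0, tzinfo=timezone.utc)    # constructed
    t_patch = datetime(2023, 10, 10, 12, 0, tzinfo=timezone.utc)  # constructed
    # Legitimate user completes MFA; the gateway issues a session token.
    store.issue("tok-alice-1", "alice", t_login, True, "203.0.113.10")
    # After patching, the same token is presented from a different address:
    # the patch stops further leaks but does nothing about this token.
    after_patch_only = store.validate("tok-alice-1", "198.51.100.7")
    # Apply the session-kill advice: drop every session that predates the patch.
    dropped = store.revoke_all_before(t_patch)
    after_revocation = store.validate("tok-alice-1", "198.51.100.7")
    # A fresh post-patch login is unaffected by the cutoff.
    store.issue("tok-alice-2", "alice", t_patch, True, "203.0.113.10")
    fresh = store.validate("tok-alice-2", "203.0.113.10")
    return {
        "after_patch_only": after_patch_only,
        "dropped": dropped,
        "after_revocation": after_revocation,
        "fresh": fresh,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running `demo()` shows the replayed pre-patch token accepted after patching alone and rejected only once the cutoff is applied. On a real NetScaler the equivalent step is the session-kill commands in Citrix's guidance (for example `kill aaa session -all` and `clear lb persistentSessions`), after which users re-authenticate and receive tokens issued after the patch.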

Beaumont describes the vulnerability as being under “mass exploitation” and reports most organisations have not applied the much-needed patch.

“A fun #CitrixBleed stat is over half of orgs haven’t patched still,” said Beaumont. “That includes telcos, electric companies, food companies, governments etc.

“The CISA requirement to patch in USG is in mid-November.”

This week, Minister for Cyber Security Clare O’Neil voiced disappointment over Australian businesses that fail to patch software in a timely manner.

“The vast majority of cyber attacks are completely preventable, if you take pretty straightforward steps,” said O’Neil.

“Regular patching is one of them.”

O’Neil cited another Citrix vulnerability which has had patches available for almost a year.

“We’re continuing to see cyber incidents due to the Citrix vulnerability where patches have existed for almost a year,” she said.

“We’ve made great progress on cyber but we’re still seeing plenty of examples where basic hygiene isn’t being looked after.”