Multiple threat actor groups [1] [5] [6], including affiliates of the LockBit 3.0 ransomware group [6], have been actively exploiting the Citrix Bleed vulnerability (CVE-2023-4966) in Citrix's NetScaler ADC (application delivery controller) and NetScaler Gateway appliances [6]. This has prompted several cybersecurity agencies to issue a joint advisory warning organizations about the ongoing exploitation of this vulnerability.


The US Cybersecurity and Infrastructure Security Agency (CISA) [1] [2] [3] [4] [7], the Federal Bureau of Investigation (FBI) [1] [3] [4], the Multi-State Information Sharing and Analysis Center (MS-ISAC) [1] [3] [4] [7], and the Australian Cyber Security Centre (ACSC) have collaborated to issue a joint cybersecurity advisory [7]. The advisory provides detailed information on the tactics, techniques, and procedures (TTPs) used by ransomware attackers [1] [2] [6] [7], as well as indicators of compromise (IoCs) that targeted organizations can use in their investigations [6]. Mandiant [3] [4] [5], a cybersecurity firm, has also identified four different uncategorized (UNC) threat groups exploiting the vulnerability [3] [4], targeting various industry verticals globally [3] [4].

LockBit affiliates are specifically exploiting the Citrix Bleed vulnerability to deploy ransomware [5], as highlighted in the joint cybersecurity advisory. The vulnerability, tracked as CVE-2023-4966 [5], affects Citrix's NetScaler ADC and NetScaler Gateway [2] [5] [8]. Cybersecurity researchers from Mandiant have warned that government institutions and legal organizations worldwide are being targeted by attackers using Citrix Bleed. It is crucial for all Citrix users to apply the available patch immediately to prevent exploitation by these multiple threat actors.

The advisory also emphasizes that LockBit is the most widely deployed ransomware globally and is commonly used in conjunction with the Citrix Bleed vulnerability [7]. LockBit attackers have targeted organizations across various sectors [1] [7], including critical infrastructure [1] [7], government [5] [7], manufacturing [7], and education [7]. Network defenders are urged to hunt for and respond to any malicious activity on their systems [7]. If a compromise is detected [7], organizations should follow the advisory's incident response recommendations [7]; if no compromise is found [7], organizations should promptly apply the available patches [7]. Citrix released a patch for the vulnerability in October [2], but exploitation has been observed since August [2], well before the patch was available. The recent wave of ransomware attacks linked to Citrix Bleed has targeted both large organizations and small- and medium-sized businesses [2]. Federal authorities have released a detailed analysis of the exploitation techniques used in these attacks [2]. Citrix has urged customers to upgrade to the most recent builds and take the recommended mitigation steps [2].


The ongoing exploitation of the Citrix Bleed vulnerability by multiple threat actor groups, particularly affiliates of the LockBit 3.0 ransomware group, poses significant risk to organizations globally. It is imperative for Citrix users to promptly apply the available patch to prevent potential ransomware attacks. The joint cybersecurity advisory [1] [5] [7], along with the detailed analysis provided by federal authorities, offers valuable insight and guidance for organizations to detect, respond to, and mitigate malicious activity [1] [7]. As ransomware attacks continue to evolve, organizations must remain vigilant and prioritize cybersecurity measures to safeguard their systems and data.