18 October 2023

Recently patched Citrix NetScaler bug has been under exploitation since August 2023

A Citrix NetScaler RCE vulnerability addressed earlier this month has been exploited as zero-day since August 2023, cybersecurity firm Mandiant revealed.

Tracked as CVE-2023-4966, the bug is a buffer overflow issue that allows a remote attacker to execute arbitrary code on the target system by sending specially crafted data. It’s worth noting that successful exploitation of the vulnerability requires that the appliance is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server.

The impacted versions include NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50, 13.1 before 13.1-49.15, 13.0 before 13.0-92.19, NetScaler ADC 13.1-FIPS before 13.1-37.164, NetScaler ADC 12.1-FIPS before 12.1-55.300, NetScaler ADC 12.1-NDcPP before 12.1-55.300.
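As an added illustration (not code from the article or from Citrix), the following Python check compares a NetScaler version written in the `14.1-8.50` form used above against the fixed builds listed, so an inventory can be triaged for patching and session termination. The version-string format and the `edition` parameter (standard, FIPS or NDcPP) are assumptions of this example.

```python
import re
from typing import Optional, Tuple

# Fixed builds per release branch and edition, taken from the advisory summary
# above. A build below the listed one is still affected by CVE-2023-4966.
FIXED_BUILDS = {
    ("14.1", "standard"): (8, 50),
    ("13.1", "standard"): (49, 15),
    ("13.0", "standard"): (92, 19),
    ("13.1", "FIPS"): (37, 164),
    ("12.1", "FIPS"): (55, 300),
    ("12.1", "NDcPP"): (55, 300),
}

# Assumed input form: "<branch>-<build major>.<build minor>", e.g. "13.1-49.13"
_VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")


def parse_version(version: str) -> Tuple[str, Tuple[int, int]]:
    """Split "13.1-49.13" into ("13.1", (49, 13)); build parts compare as ints."""
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised NetScaler version string: {version!r}")
    branch, major, minor = match.groups()
    return branch, (int(major), int(minor))


def is_vulnerable(version: str, edition: str = "standard") -> Optional[bool]:
    """True if the build predates the fix, False if fixed, None if the branch and
    edition are not covered by the advisory summary (treat as needing review)."""
    branch, build = parse_version(version)
    fixed = FIXED_BUILDS.get((branch, edition))
    if fixed is None:
        return None
    return build < fixed


if __name__ == "__main__":
    # Constructed sample inventory: (hostname, version, edition)
    inventory = [
        ("gw-01", "14.1-4.42", "standard"),
        ("gw-02", "13.1-49.15", "standard"),
        ("gw-fips", "13.1-37.150", "FIPS"),
    ]
    for host, ver, ed in inventory:
        print(host, ver, ed, "->", is_vulnerable(ver, ed))
```

A `None` result is deliberate: a branch not in the advisory summary should be reviewed against the vendor bulletin rather than silently treated as safe.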

The researchers didn’t share any additional details regarding the use of CVE-2023-4966 in attacks apart from saying that they observed exploitation at professional services, technology, and government organizations. The company provided a set of recommendations on how organizations can minimize risks related to the vulnerability.

According to Mandiant Consulting CTO Charles Carmakal, simply applying the patch is not enough; organizations should also terminate all active sessions.

"These authenticated sessions will persist after the update to mitigate CVE-2023-4966 has been deployed. Therefore, even after the patch is applied, a threat actor could use stolen session data to authenticate to resources until the sessions are terminated," Carmakal said in a blog post on LinkedIn.

Recently, security researchers have warned that hackers are targeting Citrix servers by exploiting another recently patched vulnerability (CVE-2023-3519) in the Citrix NetScaler ADC and Gateway products. The attackers used the flaw to inject a malicious script, appended to the legitimate “index.html” file, into the HTML content of the authentication web page in order to capture user credentials.
