Citrix Bleed: Authentication Bypass in Citrix ADC Used in Ransomware Attacks
CVE-2023-4966 (Citrix Bleed) allowed unauthenticated attackers to steal valid session tokens from Citrix ADC and Gateway appliances, completely bypassing all authentication including MFA. LockBit and ALPHV used it to breach Boeing, Toyota, and the Industrial and Commercial Bank of China.
Background
Citrix ADC (Application Delivery Controller) and Gateway are network appliances used by thousands of large organisations for load balancing, application delivery, and VPN access. A session token theft vulnerability — dubbed Citrix Bleed — was discovered in their HTTP processing.
The Attack
Citrix Bleed exploited a buffer over-read in the appliance's handling of HTTP GET requests to the Citrix management interface. A crafted request caused the appliance to return portions of its session memory, including valid authentication session tokens. Presenting a stolen token let an attacker masquerade as the user it belonged to, bypassing passwords, certificates, and multi-factor authentication entirely: those checks are performed when a session is created, not on every request, so a valid token is all the appliance asks for afterwards. Attackers could then reach internal network resources as if they were legitimate users. LockBit ransomware affiliates used Citrix Bleed to breach Boeing's parts distribution business, the Industrial and Commercial Bank of China (ICBC), where the intrusion disrupted US Treasury market trading, and the law firm Allen & Overy.
Response
Citrix released patches on October 10, 2023. CISA and the FBI issued an emergency advisory warning that exploitation was widespread. Critically, the advisory noted that patching alone was insufficient: the patch stops further memory leaks, but tokens already stolen stay valid until the sessions they belong to are terminated, so every existing session had to be killed after the update. Many organisations patched but did not terminate sessions, leaving the stolen tokens usable.
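The following is an added example, not code from the page, from Citrix or from any advisory, that models why the two steps (patch, then terminate sessions) are both needed. A gateway decides whether a request is authenticated by looking up the presented token in its active-session table; the patch date plays no part in that decision, so a token leaked before the fix is still honoured until its session is revoked. The session table, the patch time, the log format and the token-reuse heuristic (a token used from an address other than the one the session was established from) are all constructed assumptions for illustration.

```python
"""Model of why patching Citrix Bleed was not enough on its own.

Constructed example: the session store, the patch time and the log lines
below are invented for illustration and are not taken from any appliance.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List


@dataclass
class Session:
    token: str          # opaque session identifier presented with each request
    user: str
    created: datetime   # when the user completed authentication (including MFA)
    client_ip: str      # address the session was established from
    active: bool = True


# Hypothetical time the fixed firmware was applied (constructed value).
PATCH_APPLIED = datetime(2023, 10, 12, 9, 0, tzinfo=timezone.utc)


def make_sample_sessions() -> List[Session]:
    """Constructed session table: two sessions predate the patch, one was created after it."""
    return [
        Session("tok-a1", "alice", datetime(2023, 10, 9, 8, 30, tzinfo=timezone.utc), "10.0.0.11"),
        Session("tok-b2", "bob", datetime(2023, 10, 11, 17, 5, tzinfo=timezone.utc), "10.0.0.12"),
        Session("tok-c3", "carol", datetime(2023, 10, 12, 10, 0, tzinfo=timezone.utc), "10.0.0.13"),
    ]


def token_accepted(sessions: List[Session], token: str) -> bool:
    """The appliance's per-request decision: a request is authenticated if it carries the
    token of an active session. Password, certificate and MFA checks happened when the
    session was created, which is why a stolen token bypasses them. The patch time is not
    consulted here at all."""
    return any(s.active and s.token == token for s in sessions)


def sessions_to_revoke(sessions: List[Session], patch_applied: datetime) -> List[Session]:
    """Every still-active session established before the fix could have had its token
    leaked through the over-read, so all of them must be terminated."""
    return [s for s in sessions if s.active and s.created < patch_applied]


def terminate_pre_patch_sessions(sessions: List[Session], patch_applied: datetime) -> List[str]:
    """Revoke the at-risk sessions and return the terminated tokens (those users re-authenticate)."""
    revoked = sessions_to_revoke(sessions, patch_applied)
    for s in revoked:
        s.active = False
    return [s.token for s in revoked]


def flag_token_reuse(sessions: List[Session], access_log: List[str]) -> Dict[str, List[str]]:
    """Detection heuristic (assumption, not a vendor feature): a session token used from an
    address other than the one the session was established from. Constructed log format:
    '<time> <client_ip> <token> <path>'. A changed address is not proof of theft, since
    mobile users roam, but it is the signal worth reviewing after an incident like this."""
    by_token = {s.token: s for s in sessions}
    suspicious: Dict[str, List[str]] = {}
    for line in access_log:
        _ts, ip, token, _path = line.split()
        sess = by_token.get(token)
        if sess is not None and ip != sess.client_ip:
            suspicious.setdefault(token, []).append(ip)
    return suspicious


SAMPLE_LOG = [  # constructed log lines
    "2023-10-12T11:00:00Z 10.0.0.11 tok-a1 /portal",
    "2023-10-12T11:02:10Z 203.0.113.7 tok-a1 /portal",  # alice's token from an outside address
    "2023-10-12T11:05:00Z 10.0.0.13 tok-c3 /portal",
]


if __name__ == "__main__":
    sessions = make_sample_sessions()
    # Patched appliance, sessions not terminated: the pre-patch token is still honoured.
    print(token_accepted(sessions, "tok-a1"))  # True
    print(flag_token_reuse(sessions, SAMPLE_LOG))  # {'tok-a1': ['203.0.113.7']}
    print(terminate_pre_patch_sessions(sessions, PATCH_APPLIED))  # ['tok-a1', 'tok-b2']
    print(token_accepted(sessions, "tok-a1"), token_accepted(sessions, "tok-c3"))  # False True
```

The order of operations in the `__main__` block is the point: `token_accepted` returns True for the pre-patch token until `terminate_pre_patch_sessions` runs, and carol's post-patch session survives the revocation because only sessions created before the fix are at risk.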
Outcome
ICBC's hack disrupted $9 billion in US Treasury market transactions, the first time a major financial infrastructure operator was taken offline by ransomware. The case illustrated that even prompt patching is insufficient when stolen session tokens remain valid.
Key Takeaways
- After patching an authentication-bypass or token-theft vulnerability, invalidate all active sessions; tokens stolen before the patch remain valid until the sessions they belong to are terminated
- Citrix and similar appliances must be patched within hours of critical vulnerability disclosure
- Network segmentation behind VPN appliances limits damage when those appliances are compromised
- Financial market infrastructure connectivity to corporate networks creates systemic risk from ransomware attacks