
Case Study: Mitigating a Zero-Day Exploit

Background
After the Citrix ADC remote code execution vulnerability (CVE-2023-3519) in July 2023, all clients replaced their existing NetScaler 13.0 and 13.1 builds as recommended by Tier 3 Citrix NetScaler support. The guidance provided at the time included:
| Apply the emergency firmware to all ADCs. |
| Assume that even fully patched ADCs running the emergency firmware could already have been compromised, and that snapshots and backups taken from them could contain a backdoor. |
| Replace all production ADCs with new clean builds as soon as possible rather than restoring from those snapshots. |
| Monitor ADCs for Indicators of Compromise (IoCs) using the Mandiant IoC scanner tool. |
All client NetScalers were already secured with either Duo or Okta MFA.
Incident
In October 2023, Citrix disclosed Citrix Bleed (CVE-2023-4966), a sensitive information disclosure in NetScaler ADC and Gateway. Mandiant confirmed active exploitation of the flaw as a zero-day since late August 2023. An unauthenticated request to an affected appliance returns a slice of process memory that can contain valid session tokens; replaying a token hijacks that authenticated session and bypasses MFA entirely, because the legitimate user has already completed the MFA challenge. Hijacked sessions also survive the update that mitigates CVE-2023-4966, so patching alone does not evict an attacker who already holds a token.
The flaw affected NetScaler builds from 12.1 through 14.1 when the appliance was configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server, including appliances on what was then the latest firmware, because no fixed build existed before the October advisory.
Mandiant had observed exploitation at government organisations, professional services firms and technology businesses.


Response
Response steps:
Immediate validation of every appliance against the Mandiant indicators.
Recommended mitigations and firmware upgrades to a fixed build applied to all ADCs at the earliest maintenance window.
After upgrading, termination of all active and persistent sessions on each appliance, since sessions hijacked before the upgrade otherwise remain valid.
Follow-up scanning with the Mandiant scanner to confirm no compromise.
Ongoing active monitoring of all ADCs.
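The two technical points above (a build patched for CVE-2023-3519 is still exposed to CVE-2023-4966, and sessions must be killed per appliance after the upgrade) can be turned into a small inventory check. The following is an added example, not code from the original case study or from Citrix: it assesses a constructed inventory against the fixed builds Citrix published in CTX561482 and CTX579459 and emits the post-upgrade session-termination commands Citrix documented. The inventory, hostnames, roles, dates and the nsroot ssh user are assumptions; nothing is executed unless you ask for it.

```python
"""Added example (not the case study's or Citrix's own code).

Classifies NetScaler appliances by build and role, then builds the per-appliance
post-upgrade session-termination plan for CVE-2023-4966.  Version strings follow
the format of `show version` ("NetScaler NS13.1: Build 49.13.nc, Date: ...").
"""
import re
import subprocess

# Earliest fixed builds (release -> (major, minor)) from the Citrix advisories.
# A release absent from a table had no fixed build for that CVE (12.1 mainline
# was already end-of-life and is treated as unpatched).
FIXED_CVE_2023_3519 = {"13.1": (49, 13), "13.0": (91, 13)}
FIXED_CVE_2023_4966 = {"14.1": (8, 50), "13.1": (49, 15), "13.0": (92, 19)}

# Both CVEs are only reachable when the appliance is configured as a Gateway
# (VPN vserver, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server.
EXPOSED_ROLES = {"gateway", "aaa"}

# Citrix's documented post-upgrade steps for CVE-2023-4966: invalidate every
# session that could have been hijacked while the appliance was unpatched.
KILL_SESSION_COMMANDS = [
    "kill icaconnection -all",
    "kill rdp connection -all",
    "kill pcoipConnection -all",
    "kill aaa session -all",
    "clear lb persistentSessions",
]
VERIFY_COMMAND = "show aaa session"  # should list no sessions afterwards

VERSION_RE = re.compile(r"NS(\d+\.\d+): Build (\d+)\.(\d+)")


def parse_version(show_version_output):
    """Return (release, major, minor), e.g. ("13.1", 49, 13)."""
    m = VERSION_RE.search(show_version_output)
    if not m:
        raise ValueError(f"unrecognised version string: {show_version_output!r}")
    return m.group(1), int(m.group(2)), int(m.group(3))


def is_fixed(release, build, fixed_table):
    """True if build is at or above the fixed build for this release."""
    fixed = fixed_table.get(release)
    return fixed is not None and build >= fixed


def assess(appliance):
    """Classify one appliance: patched for each CVE, and actually exposed."""
    release, major, minor = parse_version(appliance["version"])
    build = (major, minor)
    exposed = appliance["role"] in EXPOSED_ROLES
    patched_4966 = is_fixed(release, build, FIXED_CVE_2023_4966)
    return {
        "name": appliance["name"],
        "release": release,
        "build": f"{major}.{minor}",
        "exposed_config": exposed,
        "patched_cve_2023_3519": is_fixed(release, build, FIXED_CVE_2023_3519),
        "patched_cve_2023_4966": patched_4966,
        "vulnerable_cve_2023_4966": exposed and not patched_4966,
        "eol_release": release not in FIXED_CVE_2023_4966,
    }


def remediation_plan(host, user="nsroot"):
    """One ssh argv per NetScaler CLI command (user and host are assumptions)."""
    return [["ssh", f"{user}@{host}", cmd]
            for cmd in KILL_SESSION_COMMANDS + [VERIFY_COMMAND]]


def run_plan(host, execute=False):
    """Print the plan; only run it against the appliance when execute=True."""
    for argv in remediation_plan(host):
        print("  " + " ".join(argv))
        if execute:
            subprocess.run(argv, check=True)


# Constructed inventory: gw-dc1 is the page's key case, fully patched for
# CVE-2023-3519 in July yet still vulnerable to CVE-2023-4966 in October.
INVENTORY = [
    {"name": "gw-dc1", "role": "gateway",
     "version": "NetScaler NS13.1: Build 49.13.nc, Date: Jul 18 2023"},
    {"name": "gw-dc2", "role": "gateway",
     "version": "NetScaler NS13.1: Build 49.15.nc, Date: Oct 9 2023"},
    {"name": "lb-internal", "role": "lb",
     "version": "NetScaler NS13.0: Build 91.13.nc, Date: Jul 18 2023"},
    {"name": "gw-legacy", "role": "aaa",
     "version": "NetScaler NS12.1: Build 65.39.nc, Date: Jan 10 2023"},
]


def main():
    for appliance in INVENTORY:
        r = assess(appliance)
        status = "VULNERABLE" if r["vulnerable_cve_2023_4966"] else "ok"
        print(f"{r['name']}: {r['release']}-{r['build']} role={appliance['role']} "
              f"3519-fixed={r['patched_cve_2023_3519']} "
              f"4966-fixed={r['patched_cve_2023_4966']} -> {status}")
        if r["vulnerable_cve_2023_4966"]:
            print("  upgrade to a fixed build, then on the appliance:")
            run_plan(appliance["name"])


if __name__ == "__main__":
    main()
```

The role check matters in both directions: a load-balancing-only appliance on an unfixed build is not exploitable for this CVE, while a Gateway on a build that was current in September 2023 is, regardless of how promptly it was patched for CVE-2023-3519. The session-kill commands are deliberately listed separately from the upgrade because the upgrade does not invalidate tokens that were already leaked.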
Outcome
Proactive replacement and hardening after CVE-2023-3519 positioned all clients for a swift, clean response. When Citrix Bleed emerged, every Gateway-facing appliance was exposed to the flaw until the fixed build shipped, but the upgrade and session-termination steps were completed quickly and no client appliance showed evidence of compromise, despite the high severity and session hijack potential.
| No evidence of successful exploitation at any client site. |
| No production downtime or rebuilds required. |
| Security posture validated under real-world threat. |
Key Takeaway:
Clients already had IoC monitoring in place via the Mandiant scanner tool, and their NetScaler ADCs had been rebuilt from clean images on the latest firmware rather than restored from snapshots taken during the CVE-2023-3519 exposure window, which eliminated the risk of a hidden backdoor surviving into the Citrix Bleed response.
These incidents reinforced the importance of proactive monitoring, vendor escalation, and the willingness to replace, rather than simply patch, critical infrastructure under security crisis conditions.


Update: Citrix Bleed 2 Actively Exploited
Citrix Bleed 2 (CVE-2025-5777)
In July 2025, Citrix Bleed 2 (CVE-2025-5777) was added to the U.S. Cybersecurity & Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog. Like the original, it is a memory over-read in NetScaler ADC and Gateway appliances configured as a Gateway or AAA virtual server: a crafted unauthenticated request leaks memory that can include session tokens, allowing attackers to bypass authentication and potentially gain unauthorized access to internal resources. Exploitation is active and the vulnerability carries a CVSS v4.0 base score of 9.3.
Unlike the original Citrix Bleed (2023), there is no public tool like Mandiant's utility, and no confirmed Indicators of Compromise (IoCs) available at the time of writing.
If your organisation is running Citrix NetScaler ADC or Gateway, immediate patching is strongly recommended in line with CISA guidance issued on 11 July 2025. As with the 2023 flaw, patching alone does not invalidate tokens that were already leaked: after upgrading, Citrix recommends terminating all active ICA and PCoIP sessions on each appliance (kill icaconnection -all and kill pcoipConnection -all) so that a token captured before the upgrade cannot be replayed.
Don’t wait for a breach—get in touch for an emergency review or vulnerability scan of your Citrix Netscaler ADC infrastructure.

