Researchers from Mandiant issued an urgent warning Tuesday that patching a critical vulnerability in Citrix Netscaler is not by itself enough to stop certain attacks, and that malicious actors are continuing to exploit the flaw.
Citrix issued a patch on Oct. 10 to address the vulnerability, listed as CVE-2023-4966, in Netscaler ADC and Netscaler Gateway, which had been under active exploitation since at least August.
"When the vulnerability was made public with a patch Oct. 10, there was no indication from our customers or industry partners that an exploit existed in the wild. The vulnerability was identified internally," Citrix officials said via email.
Mandiant, however, found that organizations that had patched their systems after the release of the security update were still being compromised. Mandiant CTO Charles Carmakal is now urging organizations to terminate all active sessions.
“These authenticated sessions will persist after the update to mitigate CVE-2023-4966 has been deployed,” Carmakal said on LinkedIn. “Therefore even after the patch is applied, a threat actor could use stolen session data to authenticate to resources until the sessions are terminated.”
Carmakal told Cybersecurity Dive that Mandiant believes the patch otherwise works, except that the “additional step of terminating sessions needs to be performed out of caution in case a threat actor previously exploited the vulnerability and obtained session information from the device.”
Mandiant officials said successful exploitation of the vulnerability can allow hackers to hijack existing authenticated sessions and bypass multifactor authentication. Mandiant observed cases where session data was stolen prior to patch deployment and later used by hackers.
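The session-termination step Mandiant describes is done from the NetScaler command line, not by the firmware update. The following is an added example of that step, not commands quoted from the article or from Mandiant; it assumes an administrator logged in to the appliance CLI (for example over SSH as nsroot) after the fixed build has already been installed, and that on an HA pair the commands are run on the primary node.

```text
> kill icaconnection -all
> kill rdp connection -all
> kill pcoipConnection -all
> kill aaa session -all
> clear lb persistentSessions
> show aaa session
```

Every connected user is forced to re-authenticate, so schedule the step; the final `show aaa session` is a check that the table is empty once the kill commands have run. Terminating sessions on an appliance that is still running a vulnerable build gains nothing, since an attacker can simply harvest fresh session data, so the order is patch first, then kill sessions.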
Already, exploitation has taken place at professional services and technology firms as well as government agencies, the firm said.
Mandiant does not know who the threat actor is, but said the hackers are focused on cyber espionage and they expect hackers with financial motivations to eventually get in on the action.
When asked for comment, officials at the Cybersecurity and Infrastructure Security Agency referred back to the Mandiant guidance.
Editor's note: This article has been updated to include a statement from Citrix and further detail when the patch works.