Researchers from Mandiant issued an urgent warning Tuesday that the patch for a critical vulnerability in Citrix NetScaler is not sufficient on its own and that malicious actors are continuing to exploit the flaw against organizations that have applied it.
Citrix issued a patch on Oct. 10 to address the vulnerability, tracked as CVE-2023-4966, in NetScaler ADC and NetScaler Gateway, which had been under active exploitation since at least August.
Mandiant, however, found that organizations that applied the security update were still being compromised, because the update does not invalidate sessions that were already established before it was installed. Mandiant CTO Charles Carmakal is now urging organizations to terminate all active sessions after patching.
“These authenticated sessions will persist after the update to mitigate CVE-2023-4966 has been deployed,” Carmakal said on LinkedIn. “Therefore even after the patch is applied, a threat actor could use stolen session data to authenticate to resources until the sessions are terminated.”
Mandiant officials said successful exploitation of the vulnerability lets attackers hijack existing authenticated sessions and bypass multifactor authentication, since a stolen session token stands in for the credentials and MFA that were presented when the session was created. Mandiant observed cases where session data was stolen prior to patch deployment and later used by attackers against the patched system.
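The failure mode described above, a session token stolen before the patch and replayed after it, leaves a trace in access logs that a defender can hunt for. The check below is an added example, not code from the article, from Mandiant or from Citrix: it reads a constructed, simplified per-request log (the field names and format are assumed and are not NetScaler's ns.log format), groups requests by session identifier, and flags any session that was established before an assumed patch-deployment time and used again after it, or that is seen from more than one client IP. The sample records and the patch time are constructed for the example.

```python
"""Hunt for authenticated sessions that survived a patch and were reused.

Added example. Log format, field names, sample records and patch time are
all constructed assumptions, not NetScaler's real log format.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Event:
    ts: datetime
    session_id: str
    client_ip: str
    user: str


# Constructed sample log (not real data). Session a1b2c3 is created before
# the patch and reappears afterwards from a different client address.
SAMPLE_LOG = """\
2023-10-09T14:02:11Z sess=a1b2c3 ip=203.0.113.10 user=jsmith
2023-10-09T14:05:40Z sess=a1b2c3 ip=203.0.113.10 user=jsmith
2023-10-11T08:12:03Z sess=a1b2c3 ip=198.51.100.77 user=jsmith
2023-10-11T09:30:00Z sess=d4e5f6 ip=192.0.2.25 user=akhan
2023-10-11T09:31:12Z sess=d4e5f6 ip=192.0.2.25 user=akhan
"""

# Assumed time at which the fixed build was deployed on this appliance.
PATCH_TIME = datetime(2023, 10, 10, 12, 0, 0)


def parse(text):
    """Parse the constructed 'timestamp key=value ...' lines into Events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *pairs = line.split()
        kv = dict(p.split("=", 1) for p in pairs)
        events.append(Event(
            ts=datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
            session_id=kv["sess"],
            client_ip=kv["ip"],
            user=kv["user"],
        ))
    return events


def find_suspect_sessions(events, patch_time):
    """Return {session_id: [reasons]} for sessions worth terminating and
    investigating.

    Two signals are used:
      * the session straddles the patch: first seen before patch_time and
        still in use at or after it, i.e. the patch did not invalidate it;
      * the session is used from more than one client IP, which is a
        classic (if noisy) hijack indicator.
    """
    by_session = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_session[ev.session_id].append(ev)

    findings = {}
    for sid, evs in by_session.items():
        reasons = []
        if evs[0].ts < patch_time <= evs[-1].ts:
            reasons.append("session established before patch and reused after it")
        first_ip = evs[0].client_ip
        if any(ev.client_ip != first_ip for ev in evs[1:]):
            reasons.append("client IP changed during session")
        if reasons:
            findings[sid] = reasons
    return findings


if __name__ == "__main__":
    for sid, reasons in find_suspect_sessions(parse(SAMPLE_LOG), PATCH_TIME).items():
        print(f"{sid}: {'; '.join(reasons)}")
```

The straddle check is the one that follows directly from the article: any session older than the patch should be treated as potentially stolen and killed regardless of what else it did. The IP-change check is a supplementary heuristic and produces false positives for legitimate users on mobile or load-balanced egress, so it is a triage signal, not proof of compromise.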
Already, exploitation has taken place at professional services and technology firms as well as government agencies, the firm said.
Mandiant does not know who the threat actor is, but said the hackers are focused on cyber espionage and they expect hackers with financial motivations to eventually get in on the action.
When asked for comment, officials at the Cybersecurity and Infrastructure Security Agency referred back to the Mandiant guidance. A spokesperson for Citrix was not immediately available for comment.