Industry Letter

Date: November 14, 2023

To: Chief Information Security Officers of All Regulated Entities

Re: Cybersecurity Threat Alert - Citrix Bleed Vulnerability


The New York State Department of Financial Services (DFS) alerts all regulated entities to take immediate action to investigate and, if applicable, to mitigate the following cybersecurity threat.

On November 7, 2023, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) released guidance for addressing a critical vulnerability designated as CVE-2023-4966 which impacts multiple versions of Citrix NetScaler ADC and Gateway products. The vulnerability, also known as Citrix Bleed, could allow a cyber actor to take control of an affected system.

Threat actors are actively exploiting this vulnerability. According to Citrix’s website, there are reports of session hijacking and targeted attacks. Citrix strongly urges all affected users to immediately install recommended builds and to terminate and clear all active and persistent sessions. Please refer to the Citrix Security Blog for details and the necessary commands.

An additional vulnerability has been found in customer-managed instances of Citrix NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) CVE-2023-4967.

Exploitation of these vulnerabilities can result in deployment of ransomware, data theft, and business disruption.

DFS advises all regulated entities to assess promptly the risk to their organization, customers, consumers, and third-party service providers based upon the evolving information and to take action to mitigate risk. As you assess risk, we recommend reviewing the CISA Alert and the Citrix Security Bulletin and Security Blog.

Regulated entities are reminded to report Cybersecurity Incidents that meet the criteria of 23 NYCRR Section 500.17(a) as promptly as possible and within 72 hours at the latest via the secure DFS Portal. As of December 1, 2023, regulated entities who decide to make cyber extortion payments must report such payments to DFS within 24 hours and within 30 days provide a description of the rationale for, and diligence undertaken in connection with, making such payment. For more information, visit DFS’s Cybersecurity Resource Center.

If others in your organization should receive this cybersecurity information, please forward this email. Additional interested parties may also opt-in to receive "Cybersecurity Updates" from DFS.