Industry Letter


Date: November 14, 2023

To: Chief Information Security Officers of All Regulated Entities

Re: Cybersecurity Threat Alert - Citrix Bleed Vulnerability


The New York State Department of Financial Services (DFS) alerts all regulated entities to take immediate action to investigate and, if applicable, to mitigate the following cybersecurity threat.

On November 7, 2023, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) released guidance for addressing a critical vulnerability designated CVE-2023-4966, which impacts multiple versions of Citrix NetScaler ADC and Gateway products. The vulnerability, also known as Citrix Bleed, could allow a cyber actor to take control of an affected system.

Threat actors are actively exploiting this vulnerability. According to Citrix’s website, there are reports of session hijacking and targeted attacks. Citrix strongly urges all affected users to immediately install recommended builds and to terminate and clear all active and persistent sessions. Please refer to the Citrix Security Blog for details and the necessary commands.

An additional vulnerability, CVE-2023-4967, has been found in customer-managed instances of Citrix NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway).

Exploitation of these vulnerabilities can result in deployment of ransomware, data theft, and business disruption.

DFS advises all regulated entities to promptly assess the risk to their organization, customers, consumers, and third-party service providers based upon the evolving information and to take action to mitigate that risk. As you assess risk, we recommend reviewing the Citrix Security Bulletin and the DFS Portal. As of December 1, 2023, regulated entities that decide to make cyber extortion payments must report such payments to DFS within 24 hours and, within 30 days, provide a description of the rationale for, and diligence undertaken in connection with, making such payment. For more information, visit DFS’s Cybersecurity Resource Center.