Citrix NetScaler and VMware vCenter flaws continue to drive initial access for ransomware crews. Here's the current exposure and what to do.
Two long-running CVE families continue to drive ransomware initial access in 2024: Citrix NetScaler ADC/Gateway (CitrixBleed and follow-on flaws) and VMware vCenter (multiple authentication and deserialization bugs). Both are heavily targeted because the appliances sit at the network edge or at the heart of the virtualization stack.
What's Being Exploited
- Citrix NetScaler — CitrixBleed (CVE-2023-4966) session token leakage; multiple subsequent advisories. Active session hijack against unpatched gateways.
- VMware vCenter — CVE-2023-34048 (DCERPC out-of-bounds write, pre-auth RCE) and follow-on bugs.
Recommended Response
- Patch every affected appliance to the latest fixed version.
- For NetScaler: terminate all active sessions and force reauthentication after patching — patching alone does not invalidate stolen tokens.
- Restrict management interfaces to trusted networks.
- Hunt for indicators of compromise published in the vendor advisories.
- Reset credentials for accounts that authenticated to the appliance during the exposure window.
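The last two steps above (confirming which sessions were still live when the patch landed, and which accounts authenticated during the exposure window) are easy to get wrong by eye. The script below is an added example, not code from the advisory or from Citrix/VMware: it parses a constructed, simplified authentication log (the line format is an assumption for illustration, not the real NetScaler syslog layout) and produces two lists a responder actually needs: accounts whose credentials should be reset, and session IDs that were open at patch time and so must be terminated rather than trusted.

```python
"""Post-patch triage helper for an edge appliance (added example, not vendor code).

Given authentication events and an exposure window, report:
  1. accounts that logged in while the appliance was exposed -> reset credentials
  2. sessions that were live at the moment the patch was applied -> force logout,
     because patching does not invalidate already-issued session tokens.
The log format below is constructed for this example and is NOT the real
NetScaler syslog format; adapt parse_log() to your appliance's actual records.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import re

# Constructed sample lines: "<ISO-8601 UTC> <LOGIN|LOGOUT> user=<name> src=<ip> sid=<session id>"
SAMPLE_LOG = """\
2023-10-08T22:10:00Z LOGIN user=alice src=203.0.113.10 sid=s1
2023-10-09T03:15:00Z LOGIN user=bob src=198.51.100.7 sid=s2
2023-10-10T09:00:00Z LOGOUT user=bob src=198.51.100.7 sid=s2
2023-10-10T11:30:00Z LOGIN user=carol src=203.0.113.22 sid=s3
2023-10-11T08:05:00Z LOGIN user=dave src=192.0.2.5 sid=s4
this line is garbage and must be skipped, not guessed at
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>LOGIN|LOGOUT) user=(?P<user>\S+) src=(?P<src>\S+) sid=(?P<sid>\S+)$"
)


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    event: str
    user: str
    src: str
    sid: str


def parse_ts(value: str) -> datetime:
    """Parse the assumed 'YYYY-MM-DDTHH:MM:SSZ' timestamp as timezone-aware UTC."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log(text: str) -> list[AuthEvent]:
    """Parse the constructed log format; unparseable lines are dropped, never inferred."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append(AuthEvent(parse_ts(m["ts"]), m["event"], m["user"], m["src"], m["sid"]))
    return events


def accounts_to_reset(events: list[AuthEvent], window_start: datetime, window_end: datetime) -> list[str]:
    """Accounts that authenticated while the appliance was exposed (inclusive bounds).

    The window should start at the earliest time the appliance was both vulnerable
    and reachable, and end when sessions were actually terminated, not when the
    patch was installed.
    """
    return sorted({e.user for e in events if e.event == "LOGIN" and window_start <= e.ts <= window_end})


def sessions_live_at(events: list[AuthEvent], moment: datetime) -> list[str]:
    """Session IDs opened at or before `moment` with no LOGOUT at or before it.

    These are the sessions a patch leaves untouched; they must be killed explicitly.
    """
    closed_before = {e.sid for e in events if e.event == "LOGOUT" and e.ts <= moment}
    return sorted(e.sid for e in events if e.event == "LOGIN" and e.ts <= moment and e.sid not in closed_before)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    exposed_from = parse_ts("2023-10-09T00:00:00Z")   # constructed: first exposure
    patched_at = parse_ts("2023-10-10T12:00:00Z")     # constructed: patch applied
    print("reset credentials for:", accounts_to_reset(evts, exposed_from, patched_at))
    print("terminate sessions:   ", sessions_live_at(evts, patched_at))
```

Note that `sessions_live_at` is keyed on the patch time, not the end of the exposure window: a session opened before the fix and still open after it is exactly the token the "terminate all active sessions" step exists to revoke, and a session that logged out on its own before the patch does not need it.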
Edge appliances are now the front line. Treat every advisory on them as a potential incident, not a maintenance ticket.