The story
— from one crafted request to a ransom noteIt does not begin with a phishing email or a stolen password. It begins with a single crafted HTTP request to a box that thousands of organizations deliberately put on the public internet: a Citrix NetScaler ADC or Gateway, the appliance that fronts their remote access.
The flaw is narrow and brutal. NetScaler ADC and Gateway fail to bound a memory buffer — the weakness NVD maps to CWE-1191 — and an unauthenticated attacker can read valid session tokens straight out of that memory7. No credentials. No malware on the box. Just a request, and a reply that contains someone else’s live session. Citrix tracks it as CVE-2023-4966 and rates it 9.45; the security industry named it Citrix Bleed, and the name stuck because the appliance bleeds its own secrets.
What makes a memory-disclosure bug a board-level event is what the token unlocks — and that is why this story’s headline outcome is Keys to the kingdom, not merely the front door. A hijacked session is replayed to authenticate as a real user, and because that session already cleared multi-factor authentication, MFA is not defeated, it is skipped entirely — the session-hijacking finding Mandiant’s incident responders documented6. The control most organizations treat as their backstop never gets a vote. From a foothold inside a trusted identity, the path runs toward administrative and domain control.†
This did not stay theoretical for long. CISA added Citrix Bleed to its Known Exploited Vulnerabilities catalog on 2023-10-18 and flagged it for known ransomware use3. Incident responders at Mandiant observed exploitation in the wild as early as late August 2023 — weeks before the catalog entry6. The window between “quietly exploited” and “publicly known” is exactly the window defenders never see.
Then it was industrialized. In a dedicated #StopRansomware advisory, CISA, the FBI, and MS-ISAC jointly attribute active exploitation of Citrix Bleed to LockBit 3.0 affiliates, who use the stolen sessions to land, escalate, and deploy ransomware4. This is the part that turns a patch ticket into a budget line: a named crew, with a documented playbook, running this exact path against peer organizations. And it is not a single-actor tool — responders attribute Citrix Bleed exploitation beyond LockBit, across multiple sectors6. Treat it as a broadly-held capability.
The uncomfortable epilogue is in the remediation. Patching alone does not close the door: tokens stolen before the fix stay valid after it. Mandiant and CISA direct defenders to terminate all active and persistent sessions — not just upgrade the build — and to hunt for prior compromise on any appliance that was exposed and unpatched in the gap6. The fix is an incident-response action, not a maintenance window.