basicsecurity.net
Proof, not just disclosure.
Outcomes / Keys to the kingdom / Story of the week
Story of the week Outcome 2 · Keys to the kingdom Selected 2026-W25 · newsworthiness 12.6 · curated from the public record

A leak in the front door: how Citrix Bleed became a ransomware crew’s favorite way in

An unauthenticated attacker reads valid session tokens straight out of a NetScaler appliance’s memory — then logs in as your users, MFA and all. A named ransomware group industrialized it. Here is the whole path, with a source for every claim.

1Front door
Unauthenticated access
2Keys to the kingdom
Identity takeover
3Lateral reach
Not asserted in record
4Data at risk
Exfiltration
5Lights out
Disruption & extortion
Front doorKeys to the kingdomData at riskLights outRansomware-confirmedNamed actor
How this was written

This story is human-authored and cited. Every fact below — the CVE, the KEV listing, the LockBit 3.0 attribution, the fixed builds, the mechanism — is lifted unchanged from the cited public record and footnoted to its source. The connective narrative that strings those facts into a story is editorial framing; no live LLM wrote it. Each paragraph below carries a src: micro-line naming the sources it leans on and flagging where the framing is editorial. Where the framing is editorial rather than directly sourced, the Coverage section says so.audit artifact → model_id · prompt_version · input_sha256 · tsthe literal derivation trail — public-safe (no raw source text, no secrets); records only what the editor/model was given and what it emitted.

01

The story

— from one crafted request to a ransom note

It does not begin with a phishing email or a stolen password. It begins with a single crafted HTTP request to a box that thousands of organizations deliberately put on the public internet: a Citrix NetScaler ADC or Gateway, the appliance that fronts their remote access.

src: framing — editorial scene-set over the cited mechanism (Assetnote7, Citrix5).

The flaw is narrow and brutal. NetScaler ADC and Gateway fail to bound a memory buffer — the weakness NVD maps to CWE-1191 — and an unauthenticated attacker can read valid session tokens straight out of that memory7. No credentials. No malware on the box. Just a request, and a reply that contains someone else’s live session. Citrix tracks it as CVE-2023-4966 and rates it 9.45; the security industry named it Citrix Bleed, and the name stuck because the appliance bleeds its own secrets.

src: CVE→CWE-119 mapping — NVD1; token-read PoC — Assetnote7; CVSS 9.4 & identifier — Citrix5; framing — editorial.

What makes a memory-disclosure bug a board-level event is what the token unlocks — and that is why this story’s headline outcome is Keys to the kingdom, not merely the front door. A hijacked session is replayed to authenticate as a real user, and because that session already cleared multi-factor authentication, MFA is not defeated, it is skipped entirely — the session-hijacking finding Mandiant’s incident responders documented6. The control most organizations treat as their backstop never gets a vote. From a foothold inside a trusted identity, the path runs toward administrative and domain control.

src: session-replay / MFA-skip IR finding — Mandiant6; choice of headline outcome & path-onward — editorial (†).

This did not stay theoretical for long. CISA added Citrix Bleed to its Known Exploited Vulnerabilities catalog on 2023-10-18 and flagged it for known ransomware use3. Incident responders at Mandiant observed exploitation in the wild as early as late August 2023 — weeks before the catalog entry6. The window between “quietly exploited” and “publicly known” is exactly the window defenders never see.

src: KEV listing + ransomware flag — CISA KEV3; in-the-wild-since late-Aug-2023 — Mandiant6; framing — editorial.

Then it was industrialized. In a dedicated #StopRansomware advisory, CISA, the FBI, and MS-ISAC jointly attribute active exploitation of Citrix Bleed to LockBit 3.0 affiliates, who use the stolen sessions to land, escalate, and deploy ransomware4. This is the part that turns a patch ticket into a budget line: a named crew, with a documented playbook, running this exact path against peer organizations. And it is not a single-actor tool — responders attribute Citrix Bleed exploitation beyond LockBit, across multiple sectors6. Treat it as a broadly-held capability.

src: LockBit 3.0 attribution + ransomware playbook — CISA AA23-325A4; broader-than-LockBit, multi-sector — Mandiant6; framing — editorial.

The uncomfortable epilogue is in the remediation. Patching alone does not close the door: tokens stolen before the fix stay valid after it. Mandiant and CISA direct defenders to terminate all active and persistent sessions — not just upgrade the build — and to hunt for prior compromise on any appliance that was exposed and unpatched in the gap6. The fix is an incident-response action, not a maintenance window.

src: kill-sessions remediation + hunt-prior-compromise — Mandiant6 / CISA4; framing — editorial.
02

The attack path, stage by stage

— how far they get, in the record’s own words
1

Front door — unauthenticated access narrative 1

AttackerNo credentials, no phishing. I send crafted requests to an internet-facing NetScaler and read live session tokens out of memory.
BusinessThis is where the incident starts — at your own remote-access appliance. Assume-breach planning begins at this exact exposure.
2

Keys to the kingdom — identity takeover narrative 2

AttackerI replay a hijacked session to authenticate as a real user — bypassing MFA entirely, because the session already cleared it — and pivot toward admin and domain control.
BusinessYour MFA didn't fail; it was skipped. One exposed appliance becomes trusted access into the environment behind it.
4

Data at risk — exfiltration narrative 4

AttackerWith valid sessions and lateral reach, I locate and exfiltrate the data that defines your liability before anyone notices the foothold.
BusinessBreach notification, regulatory exposure, and loss of customer or proprietary data — the part that outlives the incident.
5

Lights out — disruption & extortion narrative 5

AttackerI deploy ransomware across what I now control and hold operations for ransom — the exact LockBit 3.0 playbook for this exploit.
BusinessDowntime, ransom demand, and reputational damage. Because a named crew already runs this path against peer organizations, this is a forecast — not a hypothetical.

The stages above are the record’s own narratives[] framing. The attacker→business framing and the ordering of stages are an editorial derivation over the record’s cited evidence, not a per-edge citation — see Coverage.

03

Who runs this path

— named, advisory-backed attribution only
LockBit 3.0 affiliates Ransomware

CISA, FBI, and MS-ISAC jointly attribute active exploitation of Citrix Bleed to LockBit 3.0 affiliates, who use the stolen sessions to land, escalate, and deploy ransomware — naming it in a dedicated #StopRansomware advisory.4

Additional ransomware & criminal groups Multiple

Incident responders attribute Citrix Bleed exploitation beyond LockBit, including other ransomware and extortion crews, across multiple sectors. Treat this as a broadly-held capability, not a single-actor tool.6

Credit where the work was done — we link, we don’t republish

We did not discover this mechanism. We host no advisory, paraphrase no finding as our own, and redistribute no proof-of-concept code. The public, weaponized technical analysis that demonstrated token extraction with a single crafted request is the work of Assetnote; the in-the-wild timeline, the session-hijack / MFA-skip finding, and the “patching is not enough” remediation are Mandiant’s; the actor attribution is CISA / FBI / MS-ISAC’s. Read their work directly — the synthesis above exists only to point you at it.

Scout · research/PoC Assetnote7Scout · IR/telemetry Mandiant6Scout · attribution CISA / FBI / MS-ISAC4

These map to our contributor profiles — /contributors/assetnote · /contributors/mandiant · /contributors/cisa — where every record we credit to them is aggregated.

04

Coverage & confidence

— what we know, and what we don’t

Established (cited)

  • KEV listing + ransomware flag (CISA3)
  • LockBit 3.0 attribution (CISA/FBI/MS-ISAC4)
  • Weaponized public PoC (Assetnote7)
  • Session-hijack / MFA-skip IR finding (Mandiant6)
  • Mechanism + CWE-119 mapping (NVD1) & fixed builds (Citrix5)
  • Coverage gaps — stated, not hidden

  • Narrative framing is editorial. The stage-by-stage attacker→business path, the ordering of stages (including the jump from identity takeover straight to data-at-risk, since stage 3 lateral reach is not asserted), the choice of “Keys to the kingdom” as the headline outcome, and the connective story prose are an editorial framing over the record’s cited evidence — not a separately-sourced citation per edge (†).
  • Victim sectors are not enumerated as a closed list. Mandiant places exploitation across multiple sectors; we say “multiple sectors” rather than assert a crisp closed set, consistent with the incomplete-victim-list note below.
  • No EUVD / GCVE mirror located (pre-EUVD disclosure) — single-authority dependency for the identifier.
  • EPSS & live exposure counts are time-varying; we link the source rather than freeze a stale number. Full victim list is incomplete by nature — absence of a name is not absence of compromise.