Tag
#citrix
4 posts tagged #citrix.
-
Field Note · May 20, 2026 · Colten Anderson
Patching the NetScaler RCE doesn't tell you if a webshell is already on it
CVE-2023-3519 was an unauthenticated RCE on Citrix NetScaler used as a zero-day to drop webshells. Patching closes the hole; it doesn't remove an implant planted before you patched. With a black-box appliance, finding out is the hard part. Here's the IOC-hunt runbook.
-
Analysis · May 20, 2026 · Colten Anderson
CitrixBleed: the patch closed the leak but left the stolen keys working
CVE-2023-4966 leaked post-MFA session tokens from NetScaler. Organizations that patched and stopped there got breached anyway, because a stolen token still worked after the update. The action that mattered was killing every active session, and a lot of victims skipped it.
-
Analysis · May 20, 2026 · Colten Anderson
Shitrix: the Citrix bug that taught everyone how fast a perimeter RCE goes from PoC to pandemic
CVE-2019-19781, 'Shitrix,' was a path-traversal RCE in Citrix NetScaler. After disclosure with no patch, a public exploit dropped and mass exploitation followed within days. It set the template for the NetScaler-as-target story that CitrixBleed later continued.
-
Analysis · May 6, 2026 · Colten Anderson
Citrix shipped CitrixBleed again
Citrix shipped the same pre-auth memory disclosure bug class it patched in 2023. Same binary, same attack surface, same session token leakage. Its own post-patch guidance still doesn't invalidate the tokens attackers actually steal.