VPN-CITRIX-BLEEDCredential Access

Citrix Bleed (CVE-2023-4966)

NetScaler ADC / Gateway memory disclosure — recover authenticated session tokens from gateway memory.

§ Where this technique fits

VPN-CITRIX-BLEED is catalogued under the Credential Access tactic of the offensive-security kill-chain. It appears in 1 approved dossier in the registry, typically at step 2 on average.

§ Dossiers chaining this technique

Citrix Bleed → steal authenticated session → MFA bypass
Send a long Host header to a vulnerable NetScaler — memory disclosure leaks an authenticated session token already past MFA. Replay the token to log into the corporate VPN.
step 2 / 6

§ What commonly comes next

01
Steal Web Session Cookie
T1539 · Credential Access
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

Citrix Bleed → steal authenticated session → MFA bypass

§ What commonly comes next