RC RANDOM CHAOS

NetScaler trusts snprintf, leaks adjacent heap memory

Why 'silent' vulnerabilities like Citrix Bleed (CVE-2023-4966) are already exploited at the network edge, what they produce in telemetry, and where defenders are blind.


CVE-2023-4966. CVSS 9.4. NetScaler ADC and Gateway. An out-of-bounds read that leaks session tokens directly out of appliance memory. It was weaponised in the wild for weeks before anyone called it Citrix Bleed. No malware. No dropped binary. No authentication log. That is the template the #silentsunday thread on infosec.exchange keeps circling back to - flaws that are already being exploited and produce almost nothing a defender is watching for.

The framing in the thread is correct. The silence is not the interesting part. The exploitation is. A vulnerability that emits no telemetry is not a future problem. It is a current one, already in use against targets that cannot see it happening. Attackers are not sitting on theoretical primitives. They are running known n-days against devices defenders do not instrument and do not hunt.

Start with the mechanism, because the silence is a property of the bug class, not an accident. Citrix Bleed is a length-handling defect in the appliance’s OpenID Connect discovery endpoint. The code formats the discovery document into a fixed-size buffer with snprintf and then trusts the function’s return value as the number of bytes to send back to the client. snprintf returns the length the formatted string would have had if the buffer were large enough (excluding the terminating NUL), not the number of bytes it actually wrote; a return value at or beyond the buffer size is the truncation signal, and this code never checked for it. With an oversized hostname in the request, the computed length exceeds the buffer, and the appliance sends the buffer followed by whatever sits after it on the heap. On a busy gateway that neighbouring memory holds active session cookies. The primitive is a memory disclosure - a read, not a write. No corruption. No crash in the common path. Nothing to log, because a successful read of mapped memory is not an error condition.
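The snprintf pattern above, reduced to a runnable demonstration. This is an added example, not NetScaler code and not Citrix’s fix: the struct layout (a response buffer with a fake session cookie placed directly after it), the JSON shape and the token value are all constructed here so the leak can be observed without touching real memory outside the struct. The vulnerable and corrected length calculations sit side by side.

```c
#include <stdio.h>
#include <string.h>

#define RESP_CAP 128u
/* Constructed stand-in for a live session cookie. NSC_AAAC is the NetScaler
 * AAA session cookie name; the value here is made up for the demo. */
#define TOKEN "NSC_AAAC=constructed-session-token-0123456789"

/* Constructed layout, not NetScaler's allocator: the response buffer with
 * session material sitting immediately after it, as the text describes. */
struct arena {
    char resp[RESP_CAP];
    char neighbour[64];
};

static void arena_init(struct arena *a) {
    memset(a, 0, sizeof *a);
    snprintf(a->neighbour, sizeof a->neighbour, "%s", TOKEN);
}

/* Shared formatting step: build the discovery document from the request's
 * hostname. The JSON shape is an illustration, not the real document. */
static int format_discovery(struct arena *a, const char *host) {
    return snprintf(a->resp, sizeof a->resp,
        "{\"issuer\":\"https://%s/oauth/idp\","
        "\"authorization_endpoint\":\"https://%s/oauth/idp/login\"}",
        host, host);
}

/* Vulnerable pattern: the return value is taken as the byte count to send.
 * snprintf reports the length the full string would have had, so with a
 * long hostname this exceeds RESP_CAP even though at most RESP_CAP-1 bytes
 * were written into resp. */
size_t response_len_vuln(struct arena *a, const char *host) {
    int n = format_discovery(a, host);
    return n < 0 ? 0 : (size_t)n;
}

/* Fixed pattern: a return value >= the buffer size means truncation.
 * Refuse to emit anything rather than send bytes the buffer never held. */
size_t response_len_fixed(struct arena *a, const char *host) {
    int n = format_discovery(a, host);
    if (n < 0 || (size_t)n >= sizeof a->resp)
        return 0;
    return (size_t)n;
}

/* Stand-in for the send path: copy `len` bytes starting at resp onto the
 * "wire". Clamped to the arena so the demonstration itself stays in-bounds;
 * the real code had no such clamp. */
static size_t send_response(const struct arena *a, size_t len,
                            char *wire, size_t cap) {
    if (len > sizeof *a) len = sizeof *a;
    if (len > cap) len = cap;
    memcpy(wire, a, len);   /* resp is the first member, offset 0 */
    return len;
}

/* Drive one request with a hostname of `host_len` 'A's and report whether
 * the bytes that reached the wire contain the neighbouring token. */
int token_leaked(int use_fix, size_t host_len) {
    struct arena a;
    char host[1024];
    char wire[sizeof (struct arena)];
    size_t len, sent, i;

    if (host_len >= sizeof host) host_len = sizeof host - 1;
    memset(host, 'A', host_len);
    host[host_len] = '\0';
    arena_init(&a);

    len = use_fix ? response_len_fixed(&a, host)
                  : response_len_vuln(&a, host);
    sent = send_response(&a, len, wire, sizeof wire);

    for (i = 0; i + (sizeof TOKEN - 1) <= sent; i++)
        if (memcmp(wire + i, TOKEN, sizeof TOKEN - 1) == 0)
            return 1;
    return 0;
}

int main(void) {
    printf("vulnerable, 8-byte host:   leaked=%d\n", token_leaked(0, 8));
    printf("vulnerable, 300-byte host: leaked=%d\n", token_leaked(0, 300));
    printf("fixed, 300-byte host:      leaked=%d\n", token_leaked(1, 300));
    return 0;
}
```

With a short hostname both versions behave identically, which is why the bug survived normal traffic. The difference only appears once the hostname pushes the formatted length past the buffer: the vulnerable path hands the send routine a length it cannot honour from the buffer alone, and the bytes after it go out with the response.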

The exploit path follows directly. The attacker sends the malformed request repeatedly, harvesting whatever session material happens to sit in the leaked region. Each valid token is replayed into the gateway. The session is already authenticated, so MFA is irrelevant - the multi-factor check happened before the token existed, and the token represents the post-authentication state. MITRE T1190, exploitation of a public-facing application, gets the attacker the token. T1078, valid accounts, is what the replay becomes. From the appliance’s perspective, a legitimate user is resuming an established session. No credential was guessed. No second factor was prompted. The trust boundary was never crossed in a way the device records.

This is the same shape across the edge-device n-day set. Ivanti Connect Secure, CVE-2023-46805 (auth bypass, CVSS 8.2) chained with CVE-2024-21887 (command injection, CVSS 9.1), exploited by UNC5221 before the patch shipped. Fortinet FortiOS SSL-VPN, CVE-2024-21762, an out-of-bounds write reachable pre-authentication. PAN-OS GlobalProtect, CVE-2024-3400, CVSS 10.0, command injection exploited as a zero-day by a cluster Volexity tracked as UTA0218. Cisco IOS XE, CVE-2023-20198, CVSS 10.0, web UI privilege escalation that produced tens of thousands of implanted devices in days. Every one of them sits at the network edge. Every one terminates TLS, holds session state, and runs a proprietary OS where a host EDR agent cannot be installed. Every one was mass-exploited inside the disclosure-to-patch window, several before disclosure existed at all.

The real-world use is documented, not hypothetical. Citrix Bleed is named in CISA advisory AA23-325A as the entry vector for LockBit 3.0 affiliates. The Industrial and Commercial Bank of China’s US arm was hit through it, disrupting Treasury market settlement. Boeing’s parts and distribution business was breached through it. Comcast Xfinity disclosed exposure of data on roughly 36 million customers traced to it. DP World Australia - port operator, critical infrastructure under the SOCI Act - halted container movement across multiple terminals after an intrusion linked to the same flaw. That is the operational reality of a silent vulnerability. The bug is boring. The blast radius is national.

What defenders actually see is the core of the problem. The appliance is FreeBSD-derived and runs the packet engine as nsppe. No agent runs alongside it. The disclosure primitive is a read, so there is no process creation and no file write - none of the host signals (a Sysmon Event ID 1 or Event ID 11, say) that detection on the rest of the estate leans on, and no sensor on the box to collect them anyway. The malformed request reaches the device over TLS and looks like a GET with an oddly long Host header. If the appliance forwards logs at all, the request may appear, but the response - the part that carried the leaked memory - is not logged with its body. The session replay that follows arrives as a fully authenticated session and is indistinguishable, at the transport layer, from a legitimate user returning to their gateway. The SIEM sees an established session. It does not see a new authentication, because there was none.

The signals that do exist are correlation signals, not single events. The same session token presenting from two distinct source IPs or two distinct ASNs inside a short window. Geo-velocity that is physically impossible - a session active from one country and then another within minutes. A session that appears in gateway state with no preceding AAA authentication event. nsppe core dumps, if the out-of-bounds read ever faults into unmapped memory, which is the one place the silent bug occasionally makes noise. None of these fire unless edge-appliance syslog is forwarded to the SIEM and a correlation rule exists to join session identity against source telemetry. In most environments neither precondition holds. The appliance is treated as infrastructure, not as a monitored host, and its logs terminate locally on a device with limited retention.

That gap is the entire attacker advantage. The devices that sit at the trust boundary are the devices least likely to be instrumented. They cannot run the EDR that covers the rest of the estate. They are administered by network teams, not security teams. They are assumed hardened because they are appliances from a security vendor. Attackers prioritise exactly these because the exploitation produces minimal forensic residue and the defender is not looking. The same dynamic showed up in the Okta support-system compromise in 2023, where session tokens lifted from HAR files uploaded to support cases were replayed against downstream tenants. Cloudflare, among others, caught the follow-on intrusion because it was watching session reuse and saw tokens being used from infrastructure that had no business holding them. Detection of token replay is possible. It is just rarely built before the incident.

The close is the part the advisories underplay. Patching the firmware closes the read. It does not invalidate the tokens already taken. Citrix’s fix corrected the length handling, but every session token exfiltrated before the patch remained valid until the operator explicitly terminated active sessions after upgrading - Citrix’s guidance was kill icaconnection -all, kill rdp connection -all, kill pcoipConnection -all, kill aaa session -all and clear lb persistentSessions - and rotated anything those sessions could reach. Organisations that patched and stopped were re-entered through tokens harvested days earlier. The residual exposure is the harvested state, and the firmware update does nothing to it. The same is true for the Ivanti and PAN-OS cases - post-exploitation persistence and stolen material survive the patch boundary, and remediation that stops at the version bump leaves the attacker’s existing access intact.

The detection that matters is built on session identity, not exploit signatures. Forwarding edge-appliance syslog to the SIEM is the precondition. Correlating a single session token against multiple source ASNs, joining session presence against the absence of a preceding authentication event, and flagging impossible geo-velocity are the rules that catch replay regardless of which CVE delivered the token. Hunting the edge device as a monitored asset, rather than as trusted plumbing, is what converts a silent vulnerability into an observable one. Active exploitation of this class belongs with the incident response team and, for SOCI-regulated operators in Australia, inside the mandatory reporting timelines (12 hours for an incident with a significant impact on the asset’s availability, 72 hours otherwise) - not in a backlog.
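Two of the correlation rules named here and in the earlier list of signals (one token from two ASNs inside a window, and a session in use with no preceding AAA event), as an added example that is not from the original article or from any vendor. The log records are constructed and syslog-like, not NetScaler’s real format; the only assumption is that the forwarded gateway log carries a timestamp, an event type, a session identifier (a hash of the cookie, never the raw value), and the source IP and ASN. Geo-velocity is omitted because it needs an IP-to-location lookup the example cannot embed.

```c
#include <stdio.h>
#include <string.h>

/* Constructed, syslog-like records (not NetScaler's real log format): the
 * minimum fields a forwarded gateway log must carry for these rules to run.
 * The session id stands in for a hashed session cookie. */
typedef struct {
    long        ts;       /* epoch seconds */
    const char *event;    /* "AAA_LOGIN" or "SESSION_USE" */
    const char *sid;      /* session identifier */
    const char *src_ip;
    int         src_asn;
} rec;

static const rec LOG[] = {
    {1000, "AAA_LOGIN",   "sid-1", "203.0.113.10", 64500},
    {1005, "SESSION_USE", "sid-1", "203.0.113.10", 64500},
    {1300, "SESSION_USE", "sid-1", "198.51.100.7", 64501}, /* same token, new ASN, 5 min later */
    {2000, "AAA_LOGIN",   "sid-2", "192.0.2.5",    64502},
    {2050, "SESSION_USE", "sid-2", "192.0.2.5",    64502},
    {3000, "SESSION_USE", "sid-3", "198.51.100.9", 64501}, /* never authenticated on this gateway */
};
static const size_t LOG_N = sizeof LOG / sizeof LOG[0];

#define MAX_FLAGS 16

static int listed(const char **list, int n, const char *sid) {
    for (int i = 0; i < n; i++)
        if (strcmp(list[i], sid) == 0) return 1;
    return 0;
}

/* Rule 1: the same session token used from two different ASNs within
 * `window` seconds. Expects time-ordered input. Writes distinct flagged
 * session ids to `out` and returns how many. */
int flag_multi_asn(const rec *log, size_t n, long window,
                   const char **out, int cap) {
    int found = 0;
    for (size_t i = 0; i < n; i++) {
        if (strcmp(log[i].event, "SESSION_USE") != 0) continue;
        for (size_t j = i + 1; j < n; j++) {
            if (log[j].ts - log[i].ts > window) break;   /* past the window */
            if (strcmp(log[j].event, "SESSION_USE") != 0) continue;
            if (strcmp(log[j].sid, log[i].sid) != 0) continue;
            if (log[j].src_asn != log[i].src_asn
                && !listed(out, found, log[i].sid) && found < cap)
                out[found++] = log[i].sid;
        }
    }
    return found;
}

/* Rule 2: a session in use with no earlier AAA_LOGIN for that id. This is
 * the shape of a replayed token: the gateway never saw the authentication
 * that produced it. */
int flag_unauthenticated_use(const rec *log, size_t n,
                             const char **out, int cap) {
    int found = 0;
    for (size_t i = 0; i < n; i++) {
        if (strcmp(log[i].event, "SESSION_USE") != 0) continue;
        int seen_login = 0;
        for (size_t j = 0; j < i && !seen_login; j++)
            if (strcmp(log[j].event, "AAA_LOGIN") == 0
                && strcmp(log[j].sid, log[i].sid) == 0)
                seen_login = 1;
        if (!seen_login && !listed(out, found, log[i].sid) && found < cap)
            out[found++] = log[i].sid;
    }
    return found;
}

/* Run one rule over the embedded sample and say whether `sid` was flagged.
 * rule 1 = multi-ASN within `window`; rule 2 = use without prior login. */
int sid_flagged(int rule, long window, const char *sid) {
    const char *out[MAX_FLAGS];
    int n = rule == 1 ? flag_multi_asn(LOG, LOG_N, window, out, MAX_FLAGS)
                      : flag_unauthenticated_use(LOG, LOG_N, out, MAX_FLAGS);
    return listed(out, n, sid);
}

int main(void) {
    const char *out[MAX_FLAGS];
    int n = flag_multi_asn(LOG, LOG_N, 600, out, MAX_FLAGS);
    for (int i = 0; i < n; i++)
        printf("token reused across ASNs within 10 min: %s\n", out[i]);
    n = flag_unauthenticated_use(LOG, LOG_N, out, MAX_FLAGS);
    for (int i = 0; i < n; i++)
        printf("session active with no preceding AAA login: %s\n", out[i]);
    return 0;
}
```

Neither rule looks at the request that delivered the token, which is the point: they fire on sid-1 and sid-3 whether the cookie came from Citrix Bleed, a HAR file or a phished browser. Rule 2 assumes the AAA login event is actually forwarded; on a device whose logs terminate locally it has nothing to join against, which is the precondition the text keeps returning to.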

The #silentsunday thread reduces to one technical claim. A vulnerability that emits nothing is not low-risk. It is the inverse. The absence of telemetry is the feature attackers are selecting for, and the n-day against an uninstrumented edge device is the cheapest reliable access on the market. The flaw is known. The patch exists. The exploitation is already happening in the gap between the two, in the one place the defender is not looking.
