Thousands of Citrix NetScaler ADC and Gateway instances remain unpatched against a critical vulnerability that is being widely exploited, security researchers warn.

The flaw, which had been exploited as a zero-day since August, is tracked as CVE-2023-4966 (CVSS score of 9.4) and is now referred to as ‘Citrix Bleed’. It allows unauthenticated attackers to leak sensitive information from on-prem appliances that are configured as an AAA virtual server or a gateway.