Multiple threat actors, including LockBit ransomware affiliates, are actively exploiting a recently disclosed critical security flaw in Citrix NetScaler application delivery control and Gateway appliances to obtain initial access to target environments.

"Citrix Bleed, known to be leveraged by LockBit 3.0 affiliates, allows threat actors to bypass password requirements and multifactor authentication, leading to successful session hijacking of legitimate user sessions on Citrix NetScaler web application delivery control and Gateway appliances," the agencies said.

Tracked as CVE-2023-4966, the vulnerability was addressed by Citrix last month but not before it was weaponized as a zero-day, at least since August 2023. It has been codenamed Citrix Bleed. Shortly after the public disclosure, Google-owned Mandiant revealed it's tracking four different uncategorized groups involved in exploiting CVE-2023-4966 to target several industry verticals in the Americas, EMEA, and APJ.