Timeline of Citrix Bleed and CTS Issue

Here’s a timeline of the events related to the CTS cyberattack and the Citrix vulnerability (CitrixBleed):

Pre-October 17, 2023

Hackers initiate their attack by scanning the external networks of target organisations, specifically looking for devices vulnerable to the CitrixBleed exploit. Exploiting the CitrixBleed vulnerability allows threat actors to bypass password requirements and multifactor authentication, leading to session hijacking on Citrix NetScaler web application delivery controller (ADC) and Gateway appliances.

https://blog.morphisec.com/responding-to-citrixbleed

October 17, 2023

GreyNoise, a company that analyses scanning by IP addresses, begins tracking the Citrix Bleed exploit. They report seeing 335 unique IP addresses attempting to use the exploit since this date.

https://techxplore.com/news/2023-11-hackers-exploiting-flaw-citrix-software.html

October 23, 2023

Citrix updates its guidance, recommending not only patching but also “killing all active and persistent sessions”.

https://techxplore.com/news/2023-11-hackers-exploiting-flaw-citrix-software.html

November 1, 2023

Palo Alto’s Unit 42 teams report that at least 6,000 IP addresses appear vulnerable to the CitrixBleed exploit, with the largest number of these devices located in the US, as well as in Germany, China, and the UK.

https://techxplore.com/news/2023-11-hackers-exploiting-flaw-citrix-software.html

November 22, 2023 (approx.)

The cyberattack on CTS, linked to the CitrixBleed vulnerability, begins to significantly impact the operations of UK law firms, disrupting their ability to access case files and affecting real estate transactions.

https://techcrunch.com/2023/11/27/cyberattack-cts-sprout-citrixbleed-data-breach/

https://future.techcrunch.com/2023/11/27/cyberattack-cts-sprout-citrixbleed-data-breach/

November 27, 2023

Reports reveal that more than 80 UK law firms, especially those specialising in conveyancing, are affected by the CTS cyberattack, which is linked to the recent CitrixBleed attacks, allegedly orchestrated by the LockBit ransomware group. CTS issues an official update titled “Update on Service Outage” on its website.

https://thecyberexpress.com/cts-cyberattack/

Post-November 27, 2023

CTS, in collaboration with a global cyber forensics firm, works on an urgent investigation into the incident and on efforts to restore services. The exact timeline for full restoration remains unclear, although CTS are now providing some firms with access to their environments.

This timeline demonstrates the rapid development and widespread impact of the CitrixBleed vulnerability and the subsequent CTS cyberattack. It highlights the importance of timely software updates and robust cybersecurity practices to mitigate such threats.

https://thecyberexpress.com/cts-cyberattack/