Citrix Warns of Password Spraying Attacks Targeting NetScaler Appliances


Citrix has issued a fresh warning on password spraying attacks targeting NetScaler and NetScaler Gateway appliances deployed by organizations worldwide.

The attacks appear to be related to a broad brute-force campaign, initially detailed in April 2024, that targets VPN and SSH services from Cisco, Check Point, Fortinet, SonicWall, and other organizations.

Cisco patched a vulnerability related to these attacks in early October, and later that month Microsoft warned of password spray attacks targeting routers from multiple vendors.

Unlike brute-force attacks, in which hackers try multiple passwords for the same account, in password spray attacks they try a small set of passwords against multiple accounts.

Now, Citrix says it is aware of multiple organizations being targeted in password spraying attacks aimed at their NetScaler appliances, which could lead to denial-of-service (DoS) conditions and require urgent mitigation.

“When a NetScaler appliance is sized for handling a typical volume of authentication attempts, the high number of login attempts from large password spraying attacks can overwhelm the appliance, potentially leading to service and/or operational disruption in some cases,” Citrix said in an advisory.

The company said organizations targeted will observe a spike in authentication attempts and failures, with the traffic originating from multiple dynamic IP addresses. NetScaler appliances deployed both on-premises and in cloud infrastructure have been targeted.
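As an added illustration (not taken from the Citrix advisory), the Python sketch below separates the two failure patterns described above in authentication logs: many accounts with few failures each versus one account with many failures. The log line format, thresholds, and function names are assumptions constructed for this example and do not reflect NetScaler's own log layout.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed log format (an assumption, not NetScaler's own syslog layout).
LINE = re.compile(r"^(\S+) AUTH_(OK|FAIL) user=(\S+) src=(\S+)$")

def classify_windows(lines, window_s=300, min_failures=20, spray_min_users=10,
                     spray_max_per_user=3, brute_min_per_user=10):
    """Bucket failed logins into fixed time windows and label each window."""
    buckets = defaultdict(list)
    for line in lines:
        m = LINE.match(line.strip())
        if not m or m.group(2) != "FAIL":
            continue  # skip successes and unparseable lines
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        epoch = int((ts - datetime(1970, 1, 1)).total_seconds())
        buckets[epoch // window_s].append((m.group(3), m.group(4)))
    findings = {}
    for key, events in sorted(buckets.items()):
        per_user = Counter(user for user, _ in events)
        sources = {src for _, src in events}
        top = max(per_user.values())  # worst-hit account in this window
        label = "normal"
        if len(events) >= min_failures:  # only label windows with a spike
            if len(per_user) >= spray_min_users and top <= spray_max_per_user:
                label = "spray"          # many accounts, few tries each
            elif top >= brute_min_per_user:
                label = "brute-force"    # one account, many tries
            else:
                label = "spike"          # elevated, but neither pattern
        findings[key * window_s] = {"label": label, "failures": len(events),
                                    "users": len(per_user), "sources": len(sources)}
    return findings

def sample_logs():
    """Constructed sample: a spray window, a brute-force window, a quiet one."""
    out = []
    for i in range(30):  # 30 accounts, one failure each, a new address each time
        out.append(f"2024-12-10T10:00:{i:02d}Z AUTH_FAIL user=user{i:02d} src=198.51.100.{i + 1}")
    for i in range(25):  # 25 failures against one account from one address
        out.append(f"2024-12-10T10:10:{i:02d}Z AUTH_FAIL user=admin src=203.0.113.7")
    out.append("2024-12-10T10:20:05Z AUTH_FAIL user=alice src=192.0.2.10")
    out.append("2024-12-10T10:20:09Z AUTH_OK user=alice src=192.0.2.10")
    return out

if __name__ == "__main__":
    for start, finding in classify_windows(sample_logs()).items():
        print(start, finding)
```

The `sources` count in each window shows how thinly the failures are spread across addresses, which matches the multiple dynamic IP addresses Citrix describes.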

The use of multi-factor authentication (MFA), Citrix says, prevents unauthorized access, but excessive logging and management CPU overload may have operational impact, and the appliance could become unstable and crash.


Citrix, which has provided indicators of compromise (IoCs) to help organizations identify these attacks, recommends enabling MFA and creating policies to block rogue authentication requests before they can be processed.

Blocking authentication requests from known malicious IP addresses, setting a short interval for log rotation to prevent logs from growing rapidly and filling storage space, and enabling reCAPTCHA on NetScaler would also help mitigate these attacks.
