Threat Advisory

Critical Zero-Day Vulnerabilities in Citrix Products: NetScaler ADC and NetScaler Gateway

August 4, 2023 | By Accorian

Citrix, a leading technology company, has warned its customers about a critical-severity remote code execution (RCE) vulnerability, CVE-2023-3519, in its NetScaler ADC and NetScaler Gateway products. The issue is rated critical with a CVSS score of 9.8. Exploits for this vulnerability are already circulating in the wild, and an adversary can use them against Citrix ADC versions up to 13.1 build 48.47.1.

If this vulnerability is left unpatched, adversaries can exploit it to execute code remotely without any authentication. For the flaw to be exploitable, however, the vulnerable appliance must be configured as a gateway (VPN virtual server, ICA proxy, CVPN, RDP proxy) or as an authentication virtual server (often known as the AAA server).

Alongside this, Citrix also addressed two other vulnerabilities: a Reflected Cross-Site Scripting flaw (CVE-2023-3466) and a Privilege Escalation flaw (CVE-2023-3467). Both are rated critical, with severity scores of 8.3 and 8.0 respectively. The reflected cross-site scripting (XSS) issue requires a victim to load an attacker-supplied link while on the same network. The Privilege Escalation vulnerability lets attackers who already have authenticated access to the NetScaler appliance's IP address (NSIP) or a SubNet IP (SNIP) with access to the management interface elevate their privileges to those of a root administrator.

Accorian strongly recommends that users of NetScaler ADC and NetScaler Gateway update to the latest versions to fix all three issues. The recommended versions are:

  • NetScaler ADC and NetScaler Gateway 13.1-49.13 and later releases
  • NetScaler ADC and NetScaler Gateway 13.0-91.13 and later releases of 13.0
  • NetScaler ADC 13.1-FIPS 13.1-37.159 and later releases of 13.1-FIPS
  • NetScaler ADC 12.1-FIPS 12.1-65.36 and later releases of 12.1-FIPS
  • NetScaler ADC 12.1-NDcPP 12.1-65.36 and later releases of 12.1-NDcPP
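As an added example (not from the advisory or from Citrix), the following Python check encodes the fixed builds listed above and the gateway/AAA exposure condition for the RCE, so an appliance inventory can be triaged. The branch labels, the virtual-server type labels and the inventory rows are constructed for illustration.

```python
import re

# Minimum fixed builds per release branch, taken from the advisory above.
FIXED_BUILDS = {
    "13.1":       "13.1-49.13",
    "13.0":       "13.0-91.13",
    "13.1-FIPS":  "13.1-37.159",
    "12.1-FIPS":  "12.1-65.36",
    "12.1-NDcPP": "12.1-65.36",
}
# Configurations that expose the unauthenticated RCE (CVE-2023-3519), per the advisory.
# The labels are constructed; map them to whatever your inventory uses.
RCE_EXPOSING_VSERVERS = {"vpn", "ica_proxy", "cvpn", "rdp_proxy", "aaa"}
# Accepts "13.1-48.47" and "13.1-48.47.1" (optional sub-build segment).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)(?:\.(\d+))?$")

def parse_build(version: str) -> tuple:
    """Turn '13.1-48.47.1' into (13, 1, 48, 47, 1) so builds compare numerically."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {version!r}")
    return tuple(int(x) if x else 0 for x in m.groups())

def is_patched(branch: str, version: str) -> bool:
    """True when the running build is at or above the fixed build for its branch."""
    if branch not in FIXED_BUILDS:
        raise ValueError(f"branch {branch!r} is not covered by this advisory")
    return parse_build(version) >= parse_build(FIXED_BUILDS[branch])

def assess(branch: str, version: str, vservers: set) -> str:
    """Classify one appliance: patched, RCE-exposed, or patch-needed for XSS/privesc only."""
    if is_patched(branch, version):
        return "patched"
    if vservers & RCE_EXPOSING_VSERVERS:
        return "vulnerable: unauthenticated RCE exposure (gateway/AAA configured)"
    return "vulnerable: XSS/privilege-escalation only; patch still required"

if __name__ == "__main__":
    # Constructed inventory rows: (hostname, branch, running build, vserver types).
    inventory = [
        ("gw-01",   "13.1",      "13.1-48.47.1", {"vpn", "ica_proxy"}),
        ("lb-02",   "13.1",      "13.1-48.47",   {"lb"}),
        ("gw-03",   "13.0",      "13.0-91.13",   {"aaa"}),
        ("fips-04", "12.1-FIPS", "12.1-65.25",   {"vpn"}),
    ]
    for host, branch, ver, vs in inventory:
        print(f"{host:8} {branch:10} {ver:13} -> {assess(branch, ver, vs)}")
```

Builds are compared within their own branch only; a 12.1-FIPS appliance is not judged against the 13.1 threshold.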

Source: New critical Citrix ADC and Gateway flaw exploited as zero-day (bleepingcomputer.com)
