Voyager18 (research)

Unpacking CVE-2023-3519: The Citrix NetScaler vulnerability and its impact

Citrix has patched three major vulnerabilities, including CVE-2023-3519, a critical zero-day flaw, in its NetScaler ADC and Gateway products. Here's what you need to know.

Yair Divinsky | July 27, 2023

Citrix, the renowned software company, recently patched three significant vulnerabilities (CVE-2023-3519, CVE-2023-3466, and CVE-2023-3467) in its products, NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway). One of these, CVE-2023-3519, is a critical zero-day vulnerability, currently being exploited by attackers.

Here’s everything you need to know about CVE-2023-3519:

What is CVE-2023-3519?

CVE-2023-3519 is a Remote Code Execution (RCE) vulnerability that could allow an unauthenticated threat actor to execute arbitrary code on a vulnerable server. As of now, it has been seen to affect servers configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server. Note that there is currently no public Proof of Concept (PoC) available.

Does it affect me?

To understand if this vulnerability affects you, it’s essential to identify if you’re using any of the following versions of NetScaler ADC and NetScaler Gateway, as these have been flagged by Citrix as affected by the three patched vulnerabilities:

NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13

NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13

NetScaler ADC 13.1-FIPS before 13.1-37.159

NetScaler ADC 12.1-FIPS before 12.1-55.297

NetScaler ADC 12.1-NDcPP before 12.1-55.297

Additionally, version 12.1 of both NetScaler ADC and NetScaler Gateway has reached end-of-life, which makes it particularly vulnerable; it should be upgraded to a supported version as soon as possible.

However, if you’re using Citrix-managed cloud services or Citrix-managed Adaptive Authentication, you are not required to take any action.
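The version list above can be turned into a quick inventory check. The following Python sketch is an added example, not code from Citrix or from the original article. It assumes version strings appear either in the article's own notation (`13.1-48.47`) or in a banner of the form `NS13.1: Build 48.47.nc`; the function names, edition labels and sample inventory are hypothetical.

```python
import re

# First fixed build per release line, taken from the affected-version list above.
# Keys are (release, edition); the edition labels are this example's own naming.
FIXED = {
    ("13.1", "standard"): (49, 13),
    ("13.0", "standard"): (91, 13),
    ("13.1", "fips"): (37, 159),
    ("12.1", "fips"): (55, 297),
    ("12.1", "ndcpp"): (55, 297),
}
EOL = {("12.1", "standard")}  # 12.1 ADC/Gateway is end-of-life per the article

# Accepts "13.1-48.47" (the article's notation) and, as an assumption about
# the appliance banner format, "NS13.1: Build 48.47.nc".
VERSION_RE = re.compile(r"(\d+\.\d+)(?:-|:\s*Build\s+)(\d+)\.(\d+)")

def parse_version(text):
    """Return (release, (build_major, build_minor)) from a version string."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))

def assess(text, edition="standard"):
    """Return 'patched', 'affected', 'end-of-life' or 'not-listed'."""
    release, build = parse_version(text)
    key = (release, edition.lower())
    if key in EOL:
        return "end-of-life"
    fixed = FIXED.get(key)
    if fixed is None:
        return "not-listed"  # release line not covered by the article's list
    # Compare builds as integer tuples: 91.9 is older than 91.13.
    return "patched" if build >= fixed else "affected"

if __name__ == "__main__":
    # Constructed inventory for illustration, not real hosts.
    inventory = [
        ("adc-01", "NS13.1: Build 48.47.nc", "standard"),
        ("adc-02", "13.0-91.13", "standard"),
        ("adc-03", "12.1-55.296", "fips"),
        ("adc-04", "12.1-65.25", "standard"),
    ]
    for host, ver, ed in inventory:
        print(f"{host:8} {ver:26} {ed:9} {assess(ver, ed)}")
```

A result of `patched` only reflects the build number; since the flaw was exploited before the fix was available, an appliance that was exposed while on an affected build still needs to be checked for compromise.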

Has CVE-2023-3519 been actively exploited in the wild?

Yes, the CVE-2023-3519 vulnerability has indeed been actively exploited in the wild. Although there is no public PoC at present, the vulnerability’s exploitation has been observed, increasing the urgency to apply the available patches.

How to fix CVE-2023-3519

In response to these vulnerabilities, Citrix has promptly provided fixes for all affected versions, including the later releases. Therefore, the immediate action to take is to apply these patches to your Citrix installations if they fall within the affected versions.

Moreover, it is strongly recommended to upgrade NetScaler ADC and NetScaler Gateway version 12.1 to a supported version, considering its end-of-life status.

Citrix also plans to release a document containing indicators of compromise and related information, which enterprise admins can use to check if their Citrix systems have been compromised.

Next steps

Each new vulnerability is a reminder of where we stand, and what we need to do better. Check out the following resources to help you maintain cyber hygiene and stay ahead of the threat actors: 

  1. CVSS v4.0 – what you need to know
  2. Can you trust ChatGPT’s package recommendations?
  3. MITRE ATTACK framework – Mapping techniques to CVEs  
  4. Exploit maturity: an introduction  
  5. OWASP Top 10 vulnerabilities 2022: what we learned 
