Users of Citrix’s NetScaler ADC and NetScaler Gateway (formerly Citrix ADC and Citrix Gateway respectively) appliances should patch as soon as possible, with the vendor announcing a zero-day vulnerability that is under exploitation.
The vulnerabilities only affect customer-managed appliances; Citrix-provided cloud services or Adaptive Authentication services are not affected.
In its advisory, Citrix noted that the most serious vulnerability is CVE-2023-3519, which can be exploited by an unauthenticated attacker to get remote code execution.
To be vulnerable, the advisory stated, the appliance has to be configured “as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy); or as an AAA virtual server”.
“Exploits of CVE-2023-3519 on unmitigated appliances have been observed”, the advisory stated.
The affected product versions are as follows: NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13; NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13; NetScaler ADC 13.1-FIPS before 13.1-37.159; NetScaler ADC 12.1-FIPS before 12.1-55.297; and NetScaler ADC 12.1-NDcPP before 12.1-55.297.
NetScaler ADC and Gateway 12.1 is vulnerable, but is end-of-life and won’t be patched.
The other two vulnerabilities are CVE-2023-3466, a reflected cross-site scripting vulnerable that’s only exploitable with victim interaction; and CVE-2023-3467, a privilege escalation bug.
_(37).jpg&h=140&w=231&c=1&s=0)
_(36).jpg&h=140&w=231&c=1&s=0)
Cyber Resilience Summit
iTnews Executive Retreat - Security Leaders Edition
Huntress + Eftsure Virtual Event -Fighting A New Frontier of Cyber-Fraud: How Leaders Can Work Together
iTnews Cloud Covered Breakfast Summit
Melbourne Cloud & Datacenter Convention 2026
_(1).jpg&h=140&w=231&c=1&s=0)
