Citrix warns of critical vulnerability in NetScaler ADC and Gateway

Citrix warns of a critical vulnerability in NetScaler ADC and NetScaler Gateway. Hackers can use that vulnerability to remotely execute code without authentication. This is a leak that is abused in practice. A patch is available.

Citrix released patches this week for three vulnerabilities, one of which is classified as critical. This zeroday, which is tracked under CVE-2023-3519, according to Citrix, makes it possible to execute code remotely without authentication. Hackers can exploit that vulnerability if the vulnerable system is configured as a gateway, such as a VPN or ICA proxy, or an “AAA virtual server.” The vulnerability has a CVSS score of 9.8 out of 10.

Citrix has released updates that fix the vulnerabilities. Organizations are urged to install the patches as quickly as possible. The updates have been incorporated into several new versions of NetScaler ADC and Gateway:

• NetScaler and NetScaler Gateway 13.1-49.13 and later releases
• NetScaler ADC and NetScaler Gateway 13.0-91.13 and later releases of 13.0
• NetScaler ADC 13.1-FIPS 13.1-37.159 and later releases of 13.1-FIPS
• NetScaler ADC 12.1-FIPS 12.1-55.297 and later releases of 12.1-FIPS
• NetScaler ADC 12.1-NDcPP 12.1-55.297 and later releases of 12.1-NDcPP

The two services that are vulnerable are mainly used by companies. NetScaler ADC, formerly Citrix ADC, is used by companies as an application delivery controller to manage network traffic. With NetScaler Gateway, company employees can remotely access applications and the company intranet, for example.