Patch Released for Actively Exploited Flaw in Citrix/NetScaler ADC and Gateway

Patches have been released to fix three vulnerabilities in NetScaler Application Delivery Controller (ADC) and NetScaler Gateway (formerly Citrix ADC and Citrix Gateway), including one critical vulnerability that is being actively exploited in the wild.

The actively exploited vulnerability is tracked as CVE-2023-3519 and has a CVSS v3.1 base score of 9.8 out of 10. It can be exploited remotely by an unauthenticated attacker to execute arbitrary code and take control of the appliance. Exploitation requires the appliance to be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server; an appliance that only serves load-balancing virtual servers does not meet this precondition, but it should still be patched for the two other flaws described below.

According to NetScaler, the three vulnerabilities affect the following NetScaler (Citrix) ADC and NetScaler (Citrix) Gateway versions:

  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
  • NetScaler ADC 13.1-FIPS before 13.1-37.159
  • NetScaler ADC 12.1-FIPS before 12.1-55.297
  • NetScaler ADC 12.1-NDcPP before 12.1-55.297

The other two vulnerabilities are rated high severity: a reflected cross-site scripting (XSS) vulnerability, CVE-2023-3466 (CVSS 8.3), and a privilege escalation vulnerability, CVE-2023-3467 (CVSS 8.0). The XSS flaw can be exploited if a user opens an attacker-controlled link in a browser while on a network with connectivity to the appliance's management IP address (NSIP). The privilege escalation flaw requires authenticated access to the NSIP or a SNIP with management interface access enabled, and allows escalation to the root administrator account (nsroot). Both flaws are therefore only reachable from networks that can already talk to the management interface, which is one more reason to keep that interface isolated from user and internet-facing traffic. No active exploitation of these two vulnerabilities had been detected at the time the patches were released.

The vulnerabilities have been fixed in the following NetScaler versions:

  • NetScaler ADC and NetScaler Gateway 13.1-49.13 and later releases
  • NetScaler ADC and NetScaler Gateway 13.0-91.13 and later releases of 13.0
  • NetScaler ADC 13.1-FIPS 13.1-37.159 and later releases of 13.1-FIPS
  • NetScaler ADC 12.1-FIPS 12.1-55.297 and later releases of 12.1-FIPS
  • NetScaler ADC 12.1-NDcPP 12.1-55.297 and later releases of 12.1-NDcPP
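The two lists above, together with the Gateway/AAA precondition for CVE-2023-3519, are what an operator needs to triage a fleet of appliances. The script below is an added example, not code from NetScaler or from this article: it turns the fixed-build table into a version comparison and scans an ns.conf for the virtual server types that make CVE-2023-3519 reachable. It assumes that `show version` on the NetScaler CLI prints a line shaped like `NetScaler NS13.1: Build 49.13.nc, ...` and that ns.conf declares Gateway and AAA servers with `add vpn vserver ...` and `add authentication vserver ...` lines; the sample version string and config are constructed. The product branch (13.1, 13.1-FIPS, 12.1-NDcPP, ...) has to be supplied by the operator, because FIPS and NDcPP builds share a release number with the mainline train and the version string alone cannot tell which fixed build applies.

```python
import re
from typing import NamedTuple

# First fixed build per product branch, taken from the advisory text above.
# Value: (release the branch is built on, (build, sub-build) that carries the fix).
FIXED_BUILDS = {
    "13.1":       ("13.1", (49, 13)),
    "13.0":       ("13.0", (91, 13)),
    "13.1-FIPS":  ("13.1", (37, 159)),
    "12.1-FIPS":  ("12.1", (55, 297)),
    "12.1-NDcPP": ("12.1", (55, 297)),
}
# Mainline (non-FIPS, non-NDcPP) 12.1 is end-of-life: there is no fixed build.
EOL_BRANCHES = {"12.1"}

# ASSUMPTION: `show version` on the NetScaler CLI prints a line shaped like
#   "NetScaler NS13.1: Build 49.13.nc, Date: ..."
# The regex extracts release (13.1) and build (49.13); nothing else is needed.
VERSION_RE = re.compile(r"NS(\d+)\.(\d+):\s*Build\s+(\d+)\.(\d+)")

# ASSUMPTION: ns.conf declares Gateway and AAA servers with lines like
#   "add vpn vserver <name> SSL <ip> <port>"
#   "add authentication vserver <name> SSL <ip> <port>"
# ICA Proxy, clientless VPN and RDP Proxy are all modes of a vpn vserver,
# so a single "add vpn vserver" line is enough to meet the precondition.
VSERVER_RE = re.compile(r"^add (vpn|authentication) vserver (\S+)", re.MULTILINE)


class Verdict(NamedTuple):
    release: str
    build: tuple
    status: str  # "patched" | "vulnerable" | "eol" | "branch-mismatch"


def parse_version(show_version_output: str):
    """Return (release, (build, sub)) from `show version` text, or raise."""
    m = VERSION_RE.search(show_version_output)
    if m is None:
        raise ValueError(f"unrecognised version string: {show_version_output!r}")
    major, minor, build, sub = (int(g) for g in m.groups())
    return f"{major}.{minor}", (build, sub)


def assess(branch: str, show_version_output: str) -> Verdict:
    """Compare an appliance's build against the first fixed build of its branch.

    The branch is supplied by the operator: 13.1-FIPS reports "NS13.1: Build 37.x"
    just like mainline 13.1, so the same string needs a different threshold.
    """
    release, build = parse_version(show_version_output)
    if branch in EOL_BRANCHES:
        return Verdict(release, build, "eol")
    if branch not in FIXED_BUILDS:
        raise ValueError(f"unknown branch {branch!r}")
    expected_release, fixed = FIXED_BUILDS[branch]
    if release != expected_release:
        return Verdict(release, build, "branch-mismatch")
    return Verdict(release, build, "patched" if build >= fixed else "vulnerable")


def exposed_vservers(ns_conf: str):
    """List (kind, name) of vpn/authentication vservers that meet the
    CVE-2023-3519 precondition. An empty list means the precondition is absent."""
    return [(kind, name) for kind, name in VSERVER_RE.findall(ns_conf)]


def triage(branch: str, show_version_output: str, ns_conf: str) -> str:
    """One-line triage verdict combining the build check and the exposure check."""
    v = assess(branch, show_version_output)
    exposed = exposed_vservers(ns_conf)
    label = f"{branch} build {v.build[0]}.{v.build[1]}"
    if v.status == "patched":
        return f"{label}: patched"
    if v.status == "branch-mismatch":
        return f"version string reports release {v.release}, not branch {branch}: re-check branch"
    reason = "end-of-life, no fix available" if v.status == "eol" else "below fixed build"
    if exposed:
        names = ", ".join(f"{k}:{n}" for k, n in exposed)
        return f"{label}: {reason}; CVE-2023-3519 reachable via {names}"
    return (f"{label}: {reason}; no Gateway/AAA vserver, CVE-2023-3519 precondition "
            "absent but CVE-2023-3466/3467 still apply")


# Constructed sample input (not real appliance output).
SAMPLE_SHOW_VERSION = "NetScaler NS13.1: Build 48.47.nc, Date: May 31 2023, 11:02:13   (64-bit)"
SAMPLE_NS_CONF = """\
add ns ip 10.0.0.10 255.255.255.0 -type SNIP
add vpn vserver gw_vs SSL 203.0.113.10 443
add authentication vserver aaa_vs SSL 203.0.113.11 443
add lb vserver web_lb HTTP 203.0.113.12 80
"""

if __name__ == "__main__":
    print(triage("13.1", SAMPLE_SHOW_VERSION, SAMPLE_NS_CONF))
```

Run against the constructed sample the script reports a 13.1 appliance on build 48.47 as below the fixed build with CVE-2023-3519 reachable through both the vpn and the authentication vserver. The branch-mismatch status is deliberate: if an operator believes an appliance is on 13.0 but the version string says NS13.1, the comparison is meaningless and the inventory needs correcting before the verdict is trusted.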

Since one of the vulnerabilities is being actively exploited on unpatched appliances, the update should be applied as soon as possible. Applying the patch closes the hole but does not undo a compromise that has already happened, so any appliance that was exposed with a Gateway or AAA virtual server before patching should also be examined for signs of intrusion. Customers still running the mainline 12.1 release of NetScaler ADC or NetScaler Gateway should upgrade to a supported version, since mainline 12.1 has reached end-of-life and will not receive a fix; the 12.1-FIPS and 12.1-NDcPP builds remain supported and are fixed in 12.1-55.297.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news