A critical remote code execution flaw affecting Citrix's NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) has been exploited in the wild, and customers are advised to patch immediately.
The vulnerability, CVE-2023-3519, is an unauthenticated remote code execution bug and is among three disclosed in a Citrix security bulletin Tuesday. It has a "critical" severity CVSS score of 9.8. The other two are a reflected cross-site scripting vulnerability, CVE-2023-3466 (CVSS score 8.3), and a privilege escalation to root administrator flaw, CVE-2023-3467 (CVSS score 8).
Regarding CVE-2023-3519, Citrix said in its bulletin, "Exploits of CVE-2023-3519 on unmitigated appliances have been observed." No other technical details were listed for the flaw other than that the relevant appliance must be configured as a gateway or an AAA virtual server.
Citrix has not responded to TechTarget Editorial's request for comment at press time.
UPDATE 8/3: The Shadowserver Foundation, a cybersecurity nonprofit, has been scanning for Citrix ADC and Gateway IP addresses that are vulnerable to CVE-2023-3519 and have been compromised by web shell installation. According to a Wednesday tweet from the organization, 581 instances have been compromised as of Aug. 1.
The following versions of NetScaler ADC and Gateway are affected:
- NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13
- NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
- NetScaler ADC 13.1-FIPS before 13.1-37.159
- NetScaler ADC 12.1-FIPS before 12.1-55.297
- NetScaler ADC 12.1-NDcPP before 12.1-55.297
Customers are urged to update to relevant versions of ADC and Gateway:
- NetScaler ADC and NetScaler Gateway 13.1-49.13 and later releases
- NetScaler ADC and NetScaler Gateway 13.0-91.13 and later releases of 13.0
- NetScaler ADC 13.1-FIPS 13.1-37.159 and later releases of 13.1-FIPS
- NetScaler ADC 12.1-FIPS 12.1-55.297 and later releases of 12.1-FIPS
- NetScaler ADC 12.1-NDcPP 12.1-55.297 and later releases of 12.1-NDcPP
Citrix said in its advisory that NetScaler ADC and NetScaler Gateway version 12.1 are considered end-of-life and therefore vulnerable.
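For administrators with several appliances, the affected and fixed build lists above are easiest to apply programmatically. The following is an added example, not code from Citrix, Rapid7 or TechTarget: it encodes the first fixed build per branch from the bulletin, treats the bare 12.1 branch as end-of-life (and therefore unpatchable), compares a build string in the form Citrix uses (for example "13.1-48.47"), and scans a saved ns.conf for the two virtual server types Citrix named as the exploitation precondition. The FIPS/NDcPP edition is passed separately because the build string alone does not carry it, and the ns.conf scan assumes the standard NetScaler CLI forms "add vpn vserver" and "add authentication vserver"; the sample configuration is constructed for illustration.

```python
"""Assess NetScaler ADC / Gateway builds against the CVE-2023-3519 bulletin.

Added example (not Citrix or Rapid7 code). Build strings follow the form
used in the bulletin, e.g. "13.1-49.13". FIPS / NDcPP editions are given
as a separate argument because the build string alone does not carry them.
"""
import re
from typing import List, Tuple

# First fixed build per (major.minor, edition), taken from the Citrix bulletin.
FIXED_BUILDS = {
    ("13.1", ""): "13.1-49.13",
    ("13.0", ""): "13.0-91.13",
    ("13.1", "FIPS"): "13.1-37.159",
    ("12.1", "FIPS"): "12.1-55.297",
    ("12.1", "NDcPP"): "12.1-55.297",
}

# Branch Citrix declared end-of-life in the bulletin: no fixed build exists.
EOL_BRANCHES = {("12.1", "")}

# Accept common spellings of the edition and map them to the bulletin's names.
_EDITIONS = {"": "", "fips": "FIPS", "ndcpp": "NDcPP"}

_BUILD_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")

# Assumption: these are the standard ns.conf command forms that create the
# gateway (vpn) and AAA (authentication) virtual servers Citrix referred to.
_PRECONDITION_RE = re.compile(r"^add (vpn|authentication) vserver\s+(\S+)", re.M)


def parse_build(version: str) -> Tuple[int, ...]:
    """Turn '13.1-49.13' into (13, 1, 49, 13) so builds compare numerically."""
    m = _BUILD_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler build string: {version!r}")
    return tuple(int(x) for x in m.groups())


def assess_build(version: str, edition: str = "") -> str:
    """Return 'vulnerable', 'fixed', 'end-of-life' or 'unknown-branch'."""
    build = parse_build(version)
    branch = (f"{build[0]}.{build[1]}", _EDITIONS[edition.strip().lower()])
    if branch in EOL_BRANCHES:
        return "end-of-life"
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        # Not listed in the bulletin at all; do not assume safe or unsafe.
        return "unknown-branch"
    return "fixed" if build >= parse_build(fixed) else "vulnerable"


def exposed_vservers(ns_conf: str) -> List[Tuple[str, str]]:
    """List (kind, name) of gateway/AAA virtual servers defined in ns.conf."""
    return [(kind, name) for kind, name in _PRECONDITION_RE.findall(ns_conf)]


def assess(version: str, edition: str, ns_conf: str) -> dict:
    """Combine the build check with the configuration precondition check."""
    status = assess_build(version, edition)
    vservers = exposed_vservers(ns_conf)
    return {
        "build_status": status,
        "exposed_vservers": vservers,
        # Patch priority: an unfixed build that also meets the precondition.
        "urgent": status in ("vulnerable", "end-of-life") and bool(vservers),
    }


# Constructed sample ns.conf fragment (not from a real appliance).
SAMPLE_NS_CONF = """\
set ns config -IPAddress 10.0.0.10 -netmask 255.255.255.0
add lb vserver lb_web HTTP 10.0.0.20 80
add vpn vserver gw_vpn SSL 10.0.0.21 443
add authentication vserver aaa_main SSL 10.0.0.22 443
"""

if __name__ == "__main__":
    for ver, ed in [("13.1-48.47", ""), ("13.1-49.13", ""), ("12.1-55.296", "NDcPP")]:
        print(ver, ed or "standard", assess(ver, ed, SAMPLE_NS_CONF))
```

The "urgent" flag is deliberately narrow: a vulnerable build without a gateway or AAA vserver still needs patching, but the bulletin's observed-exploitation condition applies to appliances that have one, so those go first.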
In a blog post breaking down the flaws, Rapid7 head of vulnerability research Caitlin Condon wrote that the NetScaler ADC/Gateway product line "is a popular target for attackers of all skill levels, and we expect that exploitation will increase quickly.
"Rapid7 strongly recommends updating to a fixed version on an emergency basis, without waiting for a typical patch cycle to occur," she wrote.
Alexander Culafi is a writer, journalist and podcaster based in Boston.