New zero-days in Citrix NetScaler ADC, Gateway under attack

The new vulnerabilities come four months after a variety of threat actors exploited the 'Citrix Bleed' zero-day flaw in NetScaler ADC and Gateway products.

Citrix's NetScaler ADC and NetScaler Gateway products are under attack again, courtesy of two new zero-day vulnerabilities that are being actively exploited.

The zero-day flaws, tracked as CVE-2023-6549 and CVE-2023-6548, were disclosed and patched Tuesday. CVE-2023-6549 is a high-severity denial-of-service vulnerability with an 8.2 CVSS score, while CVE-2023-6548 is a medium-severity flaw with a 5.5 CVSS score that allows an authenticated attacker to remotely execute code on management interfaces.

In a security advisory, Citrix warned that exploits were observed in the wild. The software company "strongly urges" customers to apply updates immediately for all affected versions, which include the following:

  • NetScaler ADC and NetScaler Gateway 14.1 before 14.1-12.35.
  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-51.15.
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.21.
  • NetScaler ADC 13.1-FIPS before 13.1-37.176.
  • NetScaler ADC 12.1-FIPS before 12.1-55.302.
  • NetScaler ADC 12.1-NDcPP before 12.1-55.302.
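The list above is the practical check a NetScaler operator needs: is the build running on each appliance below the fixed build for its branch and edition? The following Python is an added example, not code from the article or from Citrix. The fixed builds are copied from the list above; the accepted version-string formats (the advisory's "14.1-12.35" notation and the `NS13.1: Build 51.15.nc` form) and the sample inventory are assumptions constructed for the example.

```python
"""Check NetScaler ADC / Gateway builds against the fixed builds published for
CVE-2023-6549 and CVE-2023-6548.

Added example, not the article's or Citrix's own code. Fixed builds are taken
from the advisory list; the version-string formats are an assumption.
"""
import re
from typing import Dict, List, Optional, Tuple

# branch (plus edition suffix) -> first fixed build, as listed in the advisory.
# A build numerically below the fixed build on the same branch is affected.
FIXED_BUILDS: Dict[str, Tuple[int, int]] = {
    "14.1": (12, 35),
    "13.1": (51, 15),
    "13.0": (92, 21),
    "13.1-FIPS": (37, 176),
    "12.1-FIPS": (55, 302),
    "12.1-NDCPP": (55, 302),
}

# Accepts "14.1-12.35" (advisory notation) and "NS13.1: Build 51.15.nc"
# (assumed 'show ns version' style); both formats are an assumption.
_VERSION_RE = re.compile(
    r"(?:NS)?(\d+)\.(\d+)[:\s-]*(?:Build\s+)?(\d+)\.(\d+)", re.IGNORECASE
)


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Return (major, minor, build_major, build_minor) from a version string."""
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"unrecognised NetScaler version string: {text!r}")
    return tuple(int(g) for g in match.groups())  # type: ignore[return-value]


def is_affected(version: str, edition: Optional[str] = None) -> Optional[bool]:
    """True if the build is below the fixed build for its branch/edition,
    False if it is at or above it, None if the advisory lists no fixed build
    for that branch (the check cannot decide; investigate manually)."""
    major, minor, build_major, build_minor = parse_version(version)
    branch = f"{major}.{minor}"
    if edition:
        branch = f"{branch}-{edition.upper()}"  # e.g. "13.1-FIPS"
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        return None
    return (build_major, build_minor) < fixed


def affected_hosts(inventory: List[Tuple[str, str, Optional[str]]]) -> List[str]:
    """Given (hostname, version_string, edition) rows, return the hostnames
    whose build is affected. Rows the advisory cannot decide are skipped
    here; a real run should report them separately."""
    return [host for host, ver, ed in inventory if is_affected(ver, ed) is True]


# Constructed sample inventory (hostnames and builds are made up).
SAMPLE_INVENTORY: List[Tuple[str, str, Optional[str]]] = [
    ("adc-dmz-01", "NS14.1: Build 8.50.nc", None),       # below 14.1-12.35
    ("adc-dmz-02", "14.1-12.35", None),                   # exactly the fixed build
    ("gw-core-01", "NS13.1: Build 49.13.nc", None),       # below 13.1-51.15
    ("adc-fips-01", "13.1-37.150", "FIPS"),               # below 13.1-37.176
    ("adc-ndcpp-01", "12.1-55.302", "NDcPP"),             # fixed build
    ("adc-legacy-01", "12.1-55.300", None),               # branch not in advisory
]

if __name__ == "__main__":
    for host, ver, ed in SAMPLE_INVENTORY:
        state = is_affected(ver, ed)
        label = {True: "AFFECTED", False: "fixed", None: "not covered"}[state]
        print(f"{host:14} {ver:26} {ed or 'standard':9} {label}")
    print("affected:", affected_hosts(SAMPLE_INVENTORY))
```

The comparison is done on the `(build_major, build_minor)` tuple within a branch, because the advisory's thresholds are per branch and build trains are not comparable across branches (13.1 standard is fixed at 51.15 while 13.1-FIPS is fixed at 37.176). A branch the advisory does not list returns `None` rather than `False` so that an unlisted build is never silently reported as patched.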

Citrix's Cloud Software Group also "strongly recommends that network traffic to the appliance's management interface is separated, either physically or logically, from normal network traffic."

NetScaler ADC and NetScaler Gateway products came under attack last year through a different zero-day flaw commonly known as "Citrix Bleed." Tracked as CVE-2023-4966, the critical vulnerability was first disclosed and patched on Oct. 10. However, Mandiant reported the following week that the vulnerability, which can be exploited to hijack existing sessions, had been exploited in the wild since August.

Attacks on Citrix Bleed ramped up as the year progressed, with various threat actors exploiting the flaw. For example, the notorious and prolific LockBit ransomware gang exploited the flaw against several organizations, including aerospace giant Boeing.

The latest zero-day flaws don't appear to be as dangerous, according to Tenable research engineers Satnam Narang and Scott Caveza. "The impact from these two new zero-day vulnerabilities is not expected to be as significant as CitrixBleed," Narang and Caveza wrote in a blog post. "Nonetheless, organizations that do use these appliances in their networks should apply the available patches as soon as possible."

The researchers also said that while no proof-of-concept exploit had been made public yet, they expected malicious code to become available soon, based on the zero-day activity as well as the history of exploitation against NetScaler ADC and NetScaler Gateway flaws.

It's unclear how many organizations have been affected by exploitation of the two zero-days. TechTarget Editorial contacted Citrix for additional comment, but the company had not responded at press time.

Rob Wright is a longtime technology reporter who lives in the Boston area.
