Citrix has issued an urgent alert to its customers regarding a critical-severity vulnerability, CVE-2023-3519, in its NetScaler ADC and NetScaler Gateway products. This vulnerability has already been exploited by attackers, prompting the company to strongly recommend immediate installation of updated versions to mitigate the risk. The affected appliances must be configured as gateways or authentication virtual servers for hackers to exploit the flaw.
Citrix provides a list of updated versions to address the issue and warns that devices running version 12.1 have reached end-of-life and should be upgraded to newer variants.
Earlier in July, a zero-day vulnerability for Citrix ADC was advertised on a hacker forum, and though the connection to the current security bulletin is not definitive, there are indications pointing to it.
The hacker claimed to have a remote code execution zero-day that worked on versions of Citrix ADC up to 13.1 build 48.47. Citrix has been aware of this zero-day advertisement and has been working on a patch before making the issue public. Defenders expect active exploitation to continue until Citrix releases a fix.
In addition to CVE-2023-3519, two other high-severity vulnerabilities, CVE-2023-3466 and CVE-2023-3467, have been fixed in the updates. CVE-2023-3466 is a reflected cross-site scripting (XSS) issue, while CVE-2023-3467 allows attackers to escalate privileges to those of a root administrator.
Organizations with NetScaler ADC and Gateway appliances should prioritize updating them to protect against potential attacks leveraging these vulnerabilities. To check for potential compromises, organizations are advised to look for newer web shells, monitor HTTP error logs for anomalies, and review shell logs for any suspicious commands.