Citrix NetScaler ADC and NetScaler Gateway Vulnerabilities

24th July 2023

Last week Citrix confirmed three new vulnerabilities in its NetScaler ADC and NetScaler Gateway appliances. Citrix has released security updates for affected products, and has already patched Citrix-managed products.

CVE-2023-3519 (CVSS 3.1: 9.8) is an unauthenticated remote code execution vulnerability with the pre-requisite that the appliance must have been configured as a Gateway or AAA virtual server.

CVE-2023-3466 (CVSS 3.1: 8.3) is a reflected cross-site scripting (XSS) vulnerability with the pre-requisite that the victim must be on a network with connectivity to the NSIP.

CVE-2023-3467 (CVSS 3.1: 8) is a privilege escalation vulnerability with the pre-requisite for “Authenticated access to NSIP or SNIP with management interface access”.

Affected Products

• NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13
• NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
• NetScaler ADC 13.1-FIPS before 13.1-37.159
• NetScaler ADC 12.1-FIPS before 12.1-55.297
• NetScaler ADC 12.1-NDcPP before 12.1-55.297

Security Updates

Citrix confirm that exploits of CVE-2023-3519 have been observed and all appliances should be updated ASAP.

• NetScaler ADC and NetScaler Gateway 13.1-49.13  and later releases
• NetScaler ADC and NetScaler Gateway 13.0-91.13  and later releases of 13.0
• NetScaler ADC 13.1-FIPS 13.1-37.159 and later releases of 13.1-FIPS
• NetScaler ADC 12.1-FIPS 12.1-55.297 and later releases of 12.1-FIPS
• NetScaler ADC 12.1-NDcPP 12.1-55.297 and later releases of 12.1-NDcPP

Note: NetScaler ADC and NetScaler Gateway version 12.1 is now End Of Life (EOL). Customers are recommended to upgrade their appliances to one of the supported versions that address the vulnerabilities.