Attackers Exploit Citrix Zero-Day Bug to Pwn NetScaler ADC, Gateway

Published: 23/11/2024   Category: security

Citrix is urging organizations to immediately patch the unauthenticated RCE vulnerability.



Cyberattackers are actively exploiting a critical remote code execution (RCE) bug in several versions of Citrix's NetScaler ADC and NetScaler Gateway application delivery and remote access technologies. The flaw does not require authentication to exploit.

Citrix issued a patch for the zero-day vulnerability, tracked as CVE-2023-3519, on July 18 along with a recommendation for organizations using the affected products to apply it immediately.

The US Cybersecurity and Infrastructure Security Agency (CISA) lent urgency to that recommendation by promptly adding the code-injection vulnerability to its Known Exploited Vulnerabilities (KEV) catalog and giving all federal civilian executive branch agencies until August 9 to apply the patch. "These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise," CISA said in its decision to add CVE-2023-3519 to its catalog.
Citrix credited two researchers at Resillion for discovering and reporting the bug. The company described the vulnerability as allowing an unauthenticated attacker to run arbitrary code on an affected server and gave the bug a severity rating of 9.8 out of a maximum possible 10. For an exploit to work, the vulnerable appliance would need to be configured as a gateway device such as a VPN virtual server, an ICA Proxy, Citrix Virtual Private Network (CVPN), RDP proxy, or an AAA virtual server, Citrix said.

Vulnerabilities in gateway products such as NetScaler ADC and NetScaler Gateway have become popular targets for attackers in recent years because of how widely organizations use them to secure remote workforce access to enterprise applications and data. A successful exploit can give a threat actor initial, and often highly privileged, access to a target network.
CISA's KEV catalog contains 12 entries for widely exploited vulnerabilities in Citrix products alone since November 2021. The more recent ones among them include CVE-2022-27518, an authentication bypass vulnerability in Citrix ADC and Gateway; CVE-2021-22941, an improper access control flaw in Citrix ShareFile storage zones controller; and CVE-2019-12991, a command injection vulnerability in Citrix SD-WAN and NetScaler. Some Citrix flaws, such as CVE-2019-19781 from 2019, rank among the most heavily targeted by threat actors from China, Iran, and Russia.
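The KEV process described above, a catalog entry paired with a remediation deadline, is something defenders track programmatically rather than by reading advisories. The following is an added example, not code from the article, from Citrix or from CISA: it parses a catalog in the shape of CISA's KEV JSON feed, flags which tracked CVEs are listed and whether their due date has passed, and counts entries per vendor. Only the feed's public field names (cveID, vendorProject, product, dateAdded, dueDate) are assumed; the catalog content is a constructed sample embedded inline, with the CVE ids and the August 9 due date taken from the article and every other value made up.

```python
"""Cross-check tracked CVEs against a KEV-shaped catalog (added example).

Assumes only the public field names of CISA's KEV JSON feed. The sample below
is constructed for this example and is not a copy of the live catalog.
"""
import json
from datetime import date

# Constructed sample in the shape of the KEV feed. CVE ids and the 2023-08-09
# due date come from the article; dateAdded and the other due dates are made up.
SAMPLE_KEV_JSON = """{
  "title": "Constructed KEV sample",
  "vulnerabilities": [
    {"cveID": "CVE-2023-3519", "vendorProject": "Citrix",
     "product": "NetScaler ADC and NetScaler Gateway",
     "dateAdded": "2023-07-19", "dueDate": "2023-08-09"},
    {"cveID": "CVE-2022-27518", "vendorProject": "Citrix",
     "product": "ADC and Gateway",
     "dateAdded": "2022-12-13", "dueDate": "2023-01-13"},
    {"cveID": "CVE-2022-40684", "vendorProject": "Fortinet",
     "product": "FortiOS, FortiProxy, FortiSwitchManager",
     "dateAdded": "2022-10-11", "dueDate": "2022-11-01"}
  ]
}"""


def load_kev(text: str) -> dict:
    """Parse KEV-shaped JSON into a dict keyed by upper-cased CVE id."""
    data = json.loads(text)
    return {entry["cveID"].upper(): entry for entry in data["vulnerabilities"]}


def triage(kev: dict, tracked: list, today_iso: str) -> dict:
    """Classify each tracked CVE relative to the catalog.

    Returns one of:
      'overdue'    - listed in KEV and the due date is before today
      'due'        - listed in KEV, deadline still ahead (or today)
      'not-in-kev' - not in the catalog; still patch, but no KEV deadline
    """
    today = date.fromisoformat(today_iso)
    result = {}
    for cve in tracked:
        entry = kev.get(cve.upper())
        if entry is None:
            result[cve] = "not-in-kev"
            continue
        due = date.fromisoformat(entry["dueDate"])
        result[cve] = "overdue" if today > due else "due"
    return result


def count_vendor(kev: dict, vendor: str) -> int:
    """Number of catalog entries attributed to one vendor (case-insensitive)."""
    return sum(1 for e in kev.values() if e["vendorProject"].lower() == vendor.lower())


if __name__ == "__main__":
    catalog = load_kev(SAMPLE_KEV_JSON)
    # The day after the federal deadline named in the article.
    for cve, status in triage(catalog, ["CVE-2023-3519", "CVE-2023-3466"], "2023-08-10").items():
        print(f"{cve}: {status}")
    print("Citrix entries in sample:", count_vendor(catalog, "Citrix"))
```

Against the live feed the same functions apply unchanged once the JSON has been fetched; the point of the `not-in-kev` state is that a vulnerability absent from KEV (such as the two lower-severity Citrix bugs disclosed the same week) still needs patching, it just carries no federal deadline.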
Citrix is by far not the only target. CISA and the National Security Agency (NSA) have warned of threat actors, including nation-state backed groups, actively seeking and exploiting vulnerabilities in gateway devices from other vendors including Fortinet, Pulse, Cisco, Netgear and QNAP. In a joint advisory from June 2022, the two federal agencies warned of Chinese threat actors in particular targeting flaws in these products to establish a broad network of compromised infrastructure worldwide. In some instances, like one involving a Fortinet flaw in October 2022 (CVE-2022-40684), threat actors have compromised networks by exploiting a vulnerability in a gateway device and then sold access to the compromised network to other cybercriminals.
CVE-2023-3519 is one of three bugs that Citrix disclosed this week. The other two affect NetScaler ADC and NetScaler Gateway, which Citrix has renamed as Citrix ADC and Citrix Gateway. One of them is a reflected cross-site scripting flaw (CVE-2023-3466) that the company described as requiring the victim to access an attacker-controlled link in the browser while being on a network with connectivity to the NSIP. Citrix assessed the vulnerability with a severity score of 8. The other flaw, tracked as CVE-2023-3467, also scores an 8 in severity and allows an attacker to escalate privileges to that of an administrator. An attacker would need authenticated access to the NetScaler IP address (NSIP) or Subnet IP address (SNIP) to exploit the vulnerability, Citrix said.
