Citrix recently issued an advisory alerting customers of a critical-severity vulnerability (CVE-2023-3519) in NetScaler ADC and NetScaler Gateway that already has exploits in the wild. To mitigate the risk, Citrix strongly advises its customers to promptly install the latest updates for these products. Interestingly, this security issue might be the same one that was recently advertised as a zero-day vulnerability on a hacker forum.
Citrix has released new versions for its NetScaler products, formerly known as Citrix Application Delivery Controller (ADC) and Citrix Gateway. These updates aim to address a set of three vulnerabilities, with the most severe one being tracked as CVE-2023-3519. This critical vulnerability scored 9.8 out of 10 on the severity scale and allows attackers to execute code remotely without requiring authentication. However, it’s important to note that for hackers to exploit this security issue in their attacks, the vulnerable appliance must be configured either as a gateway (such as VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an authentication virtual server (also known as the AAA server). Immediate installation of the updates is strongly recommended to safeguard against potential exploits.
Tracked as CVE-2023-3519 with a high CVSS score of 9.8, this vulnerability involves a critical case of code injection that could lead to unauthenticated remote code execution. The impacted versions include:
The company notes that NetScaler ADC and NetScaler Gateway version 12.1 have reached the end-of-life stage and customers should upgrade to a newer variant of the product.
In addition to CVE-2023-3519, two other vulnerabilities have been addressed:
Both CVE-2023-3466 and CVE-2023-3467 are significant security issues that have been fixed in the latest updates.
As per reports from The Cybersecurity and Infrastructure Security Agency (CISA), threat actors have exploited vulnerability CVE-2023-3519 to breach the network of a U.S. organization in the critical infrastructure sector. Hackers leveraged the unauthenticated remote code execution (RCE) flaw to plant a webshell on the target’s non-production NetScaler ADC appliance. The backdoor enabled the hackers to enumerate active directory (AD) objects, which include users, groups, applications, and devices on the network, as well as steal AD data.
Other reports reveal that the CVE-2023-3519 zero-day exploit has likely affected more than 15,000 NetScaler ADC and Gateway servers exposed online.
Organizations can check for signs of compromise by running a few checks on the ADC shell interface.
For customers using NetScaler ADC and NetScaler Gateway version 12.1, it is strongly recommended to upgrade their appliances to a supported version to mitigate potential threats effectively. By applying the available patches (all the three critical vulnerabilities have been addressed through patches), users can ensure their systems are protected against the identified vulnerabilities.
SISA also recommends that customers follow best cybersecurity practices in production and enterprise environments, including mandating phishing-resistant multifactor authentication (MFA) for all staff and for all services.
As a longer-term effort, applying robust network-segmentation controls on NetScaler appliances, and other internet-facing devices can help mitigate the risk from potential zero-day exploits.
To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.
Customer Success Stories
SISA ProACT MDR solution
Powered by Forensic Intelligence
Get Daily Updates on our Latest Threat Advisories