Published: January 19, 2024
Two vulnerabilities, CVE-2023-6548 and CVE-2023-6549, have been discovered in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway), advanced networking solutions for optimizing application delivery and enabling secure remote access. These vulnerabilities are currently being exploited in the wild.
CVE-2023-6548 (CVSS 5.5) allows low-privilege accounts to potentially execute remote code on NetScaler ADC and Gateway appliances. The vulnerabilities can be compromised only if NetScaler ADC or the NetScaler Gateway management IP is available on the public internet.
CVE-2023-6549 (CVSS 8.2) could result in denial of service if the appliance is configured as a gateway, such as VPN virtual server.
Only customer-managed NetScaler appliances are affected; NetScaler-managed cloud services are not affected.
|Not Affected Versions
|NetScaler ADC and NetScaler Gateway 14.1 before 14.1-12.35
|NetScaler ADC and NetScaler Gateway 14.1-12.35 and later releases
|NetScaler ADC and NetScaler Gateway 13.1 before 13.1-51.15
|NetScaler ADC and NetScaler Gateway 13.1-51.15 and later releases of 13.1
|NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.21
|NetScaler ADC and NetScaler Gateway 13.0-92.21 and later releases of 13.0
|NetScaler ADC 13.1-FIPS before 13.1-37.176
|NetScaler ADC 13.1-FIPS 13.1-37.176 and later releases of 13.1-FIPS
|NetScaler ADC 12.1-FIPS before 12.1-55.302
|NetScaler ADC 12.1-FIPS 12.1-55.302 and later releases of 12.1-FIPS
|NetScaler ADC 12.1-NDcPP before 12.1-55.302
|NetScaler ADC 12.1-NDcPP 12.1-55.302 and later releases of 12.1-NDcPP
Mitigations and Workarounds
It is advised to install the recommended builds available in the advisory from Citrix:
CVE- 2023- 6548 only impacts the management interface. It is not recommended to expose the management interface to the internet.
Netsurion Detection and Response
Netsurion researchers are continuously monitoring the exploits of this vulnerability. Netsurion’s vulnerability management system will detect CVE-2023-6548 and CVE-2023-6549 for customers who have subscribed to Netsurion Vulnerability Management.