Critical Citrix ADC & Citrix Gateway Vulnerabilities CVE-2023-3519, CVE-2023-3466, CVE-2023-3467

Critical Citrix ADC & Citrix Gateway Vulnerabilities CVE-2023-3519, CVE-2023-3466, CVE-2023-3467

Critical Citrix ADC & Citrix Gateway vulnerabilities CVE-2023-3519, CVE-2023-3466, CVE-2023-3467

The manufacturer Citrix informed about critical vulnerabilities on 18 July. In particular, CVE-2023-3519 should be patched as soon as possible, as it was given a CVSS of 9.8.

The vulnerabilities relate to NetScaler ADC (formerly Citrix ADC) and also NetScaler Gateway (formerly Citrix Gateway). The following supported versions are affected: 

  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13 

  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13 

  • NetScaler ADC 13.1-FIPS before 13.1-37.159

  • NetScaler ADC 12.1-FIPS before 12.1-55.297

  • NetScaler ADC 12.1-NDcPP before 12.1-55.297

Note: NetScaler ADC and NetScaler Gateway version 12.1 is now End Of Life (EOL) and is vulnerable.

What are the risks of exploiting the vulnerabilities? 

CVE ID

Description

Prerequisite

  CVSS

CVE-2023-3466

Reflected Cross-Site Scripting (XSS)

The victim must access a link in the browser controlled by the attacker, while on a network connected to the NSIP.

 8.3

CVE-2023-3467

Privilege Escalation to root administrator (nsroot)

Authenticated access to NSIP or SNIP with access to the management interface

 8.0

CVE-20233519

Unauthenticated remote code execution

The appliance must be configured as   Gateway (virtual VPN server, ICA proxy, CVPN, RDP proxy) OR Virtual AAA server

 9.8

What should you do now? 

It is imperative that you apply all recommended patches at short notice. The manufacturer specifies the following versioning: 

  • NetScaler ADC and NetScaler Gateway 13.1-49.13  and later releases

  • NetScaler ADC and NetScaler Gateway 13.0-91.13 and later releases of 13.0  

  • NetScaler ADC 13.1-FIPS 13.1-37.159 and later releases of 13.1-FIPS  

  • NetScaler ADC 12.1-FIPS 12.1-55.297 and later releases of 12.1-FIPS  

  • NetScaler ADC 12.1-NDcPP 12.1-55.297 and later releases of 12.1-NDcPP 

In addition, we recommend checking whether the vulnerability has already been exploited. In other words, check log files, take a close look at the reports from the early detection technologies and carry out analyses if necessary. 

We are happy to answer any questions you may have. 

Screen Shot 2025-05-15 at 16-6a68.png

Michael Döhmen

Marketing & IT-Security Enthusiast

Published on 17.05.2025