Citrix alerts users to critical vulnerability in Citrix ADC and Gateway
The vulnerability is already under active attack
Citrix alerted customers yesterday to a critical severity vulnerability (CVE-2023-3519) in NetScaler ADC and NetScaler Gateway that already has exploits in the wild.
In a security bulletin Citrix said that it "strongly urges" customers who manage their own NetScaler ADC and NetScaler Gateway appliances to install the updates without delay.
Customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication can stand down - for now.
The vulnerability received a score of 9.8 out of 10 and is a code injection flaw that could result in unauthenticated remote code execution. The other two vulnerabilities logged at the same time are a cross-site scripting flaw and a privilege escalation flaw, scoring 8.3 and 8 respectively.
The vulnerabilities have been discovered in the following versions:
- NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13
- NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
- NetScaler ADC and NetScaler Gateway version 12.1 (currently end-of-life)
- NetScaler ADC 13.1-FIPS before 13.1-37.159
- NetScaler ADC 12.1-FIPS before 12.1-55.297, and
- NetScaler ADC 12.1-NDcPP before 12.1-55.297
Citrix lists the following updated versions to which it recommends affected customers upgrade:
- NetScaler ADC and NetScaler Gateway 13.1-49.13 and later releases
- NetScaler ADC and NetScaler Gateway 13.0-91.13 and later releases of 13.0
- NetScaler ADC 13.1-FIPS 13.1-37.159 and later releases of 13.1-FIPS
- NetScaler ADC 12.1-FIPS 12.1-55.297 and later releases of 12.1-FIPS
- NetScaler ADC 12.1-NDcPP 12.1-55.297 and later releases of 12.1-NDcPP
Citrix also recommends that customers running the end-of-life (EOL) NetScaler ADC and NetScaler Gateway version 12.1 upgrade their appliances to one of the supported versions that address the vulnerabilities at the earliest opportunity.
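As a defender-side illustration of the affected and fixed version lists above, the following Python snippet (an added example, not Citrix's code or tooling) parses NetScaler build strings and flags inventory entries that are still below the fixed builds. The hostnames and builds in SAMPLE_INVENTORY are constructed, and the variant labels "standard", "FIPS" and "NDcPP" are assumed names used only to key the table.

```python
import re
# Fixed builds from the bulletin's "upgrade to" list, keyed by (branch, variant).
FIXED_BUILDS = {
    ("13.1", "standard"): (49, 13),
    ("13.0", "standard"): (91, 13),
    ("13.1", "FIPS"): (37, 159),
    ("12.1", "FIPS"): (55, 297),
    ("12.1", "NDcPP"): (55, 297),
}
EOL_BRANCHES = {"12.1"}  # standard 12.1 is end-of-life: no fix, every build affected
VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")  # "13.1-49.13" -> branch, build

def parse_version(version):
    """Split '13.1-49.13' into ('13.1', (49, 13)); reject anything else."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version: {version!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))

def is_affected(version, variant="standard"):
    """True if affected, False if at/after the fix, None if not in the bulletin."""
    branch, build = parse_version(version)
    fixed = FIXED_BUILDS.get((branch, variant))
    if fixed is not None:
        return build < fixed  # tuple compare: (48, 47) < (49, 13) is True
    if variant == "standard" and branch in EOL_BRANCHES:
        return True
    return None

def triage(inventory):
    """Map each (host, version, variant) to an action string."""
    report = {}
    for host, version, variant in inventory:
        verdict = is_affected(version, variant)
        fixed = FIXED_BUILDS.get((parse_version(version)[0], variant))
        if verdict is None:
            report[host] = "not listed in bulletin: review manually"
        elif not verdict:
            report[host] = "patched"
        elif fixed:
            report[host] = "AFFECTED: upgrade to build %d.%d" % fixed
        else:
            report[host] = "AFFECTED (EOL 12.1): migrate to a supported release"
    return report

# Constructed sample inventory: hostnames and builds are made up for illustration.
SAMPLE_INVENTORY = [
    ("vpn-edge-1", "13.1-48.47", "standard"),
    ("vpn-edge-2", "13.1-49.13", "standard"),
    ("lab-fips", "13.1-37.150", "FIPS"),
    ("legacy-gw", "12.1-65.35", "standard"),
]
```

Version strings are compared as (branch, build-major, build-minor) tuples rather than as plain strings, which is what makes "13.1-48.47" sort correctly below "13.1-49.13".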