CISA urges urgent patching of two actively exploited Citrix NetScaler vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA) has added two Citrix NetScaler vulnerabilities to its Known Exploited Vulnerabilities catalog, and it has set the “due date” a week after they were added.

Federal Civilian Executive Branch (FCEB) agencies are handed specific deadlines for when vulnerabilities must be dealt with. Normally, the Directive requires those agencies to remediate internet-facing vulnerabilities on its catalog within 15 days, and all others within 25 days.

The Citrix NetScaler vulnerabilities need to be patched by January 24, 2024. These issues only apply to customer-managed NetScaler ADC and NetScaler Gateway. Customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication are not impacted.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVEs that CISA has added to the catalog are:

CVE-2023-6548, an improper control of generation of code (code injection) vulnerability in NetScaler ADC and NetScaler Gateway with a CVSS score of 5.5 out of 10. It allows an attacker with access to NSIP, CLIP or SNIP with management interface to perform Authenticated (low privileged) remote code execution on the interface.

Because this vulnerability only impacts the management interface, network traffic to the appliance’s management interface should be separated, either physically or logically, from normal network traffic, and you should avoid exposing it to the internet.

CVE-2023-6549 is an improper restriction of operations within the bounds of a memory buffer in NetScaler ADC and NetScaler Gateway with a CVSS score of 8.2 out of 10. It allows unauthenticated denial of service. An attacker could exploit this vulnerability when a vulnerable appliance has been configured as a gateway (e.g. VPN, ICA Proxy, CVPN, RDP Proxy) or as a AAA virtual server.

The following supported versions of NetScaler ADC and NetScaler Gateway are affected by the vulnerabilities: 

  • NetScaler ADC and NetScaler Gateway 14.1 before 14.1-12.35
  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-51.15
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.21
  • NetScaler ADC 13.1-FIPS before 13.1-37.176
  • NetScaler ADC 12.1-FIPS before 12.1-55.302
  • NetScaler ADC 12.1-NDcPP before 12.1-55.302

Note: NetScaler ADC and NetScaler Gateway version 12.1 is now End Of Life (EOL) and is vulnerable.

Citrix has also observed exploits on unpatched instances and strongly urges affected customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions as soon as possible.

A few months ago, CISA and the Federal Bureau of Investigation (FBI), along with other international agencies, warned that ransomware gangs are actively exploiting the Citrix Bleed vulnerability which was also found in Citrix NetScaler versions. This goes to show how popular these kind of vulnerabilities are among cybercriminals.


We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

https://blog.malwarebytes.com/feed/