Note: These vulnerabilities remain under active exploitation, and Kroll experts are investigating. If further details are uncovered by our team, updates will be made to the Kroll Cyber Risk blog.
Two vulnerabilities have been detected in Citrix NetScaler ADC and NetScaler Gateway. These vulnerabilities are being tracked as CVE-2023-6549 and CVE-2023-6548 with CVSS scores of 8.2 and 5.5 respectively. They are under active exploitation, affecting the following product versions:
- NetScaler ADC and NetScaler Gateway 14.1 before 14.1-12.35
- NetScaler ADC and NetScaler Gateway 13.1 before 13.1-51.15
- NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.21
- NetScaler ADC 13.1-FIPS before 13.1-37.176
- NetScaler ADC 12.1-FIPS before 12.1-55.302
- NetScaler ADC 12.1-NDcPP before 12.1-55.302
Citrix published security updates for these vulnerabilities and those fixes should be applied immediately.
Citrix did not provide additional details about the attacks in the wild, so it is unknown when the attacks started.
According to Citrix, customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication do not need to take any action. It is not clear if the vulnerabilities previously affected the cloud platforms but have since been mitigated.
CVE-2023-6549
CVE-2023-6549 is a zero-day vulnerability with a high potential for exploitation. If exploited, this vulnerability could allow an attacker to perform a denial of service on an appliance configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.
CVE-2023-6548
CVE-2023-6548 is a zero-day vulnerability that allows an authenticated attacker with low privileges and access to the NSIP, CLIP or SNIP Management Interface to perform remote code execution on the Management Interface.
CVE-2023-6548 only impacts the Management Interface. Citrix strongly recommends that network traffic to the appliance’s management interface is separated, either physically or logically, from normal network traffic. Do not expose the Management Interface to the internet. See the NetScaler secure deployment guide for more information.
Our Cyber Threat Intelligence (CTI) team recommends the following:
Install the relevant updated versions as soon as possible:
- NetScaler ADC and NetScaler Gateway 14.1-12.35 and later releases
- NetScaler ADC and NetScaler Gateway 13.1-51.15 and later releases of 13.1
- NetScaler ADC and NetScaler Gateway 13.0-92.21 and later releases of 13.0
- NetScaler ADC 13.1-FIPS 13.1-37.176 and later releases of 13.1-FIPS
- NetScaler ADC 12.1-FIPS 12.1-55.302 and later releases of 12.1-FIPS
- NetScaler ADC 12.1-NDcPP 12.1-55.302 and later releases of 12.1-NDcPP
Note: NetScaler ADC and NetScaler Gateway version 12.1 are now end of life (EOL). Customers are advised to upgrade their appliances to one of the supported versions listed above that address the vulnerabilities.
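To turn the affected and fixed version lists above into a repeatable inventory check, here is an added example (Kroll's own, not Citrix's tooling) that classifies each appliance by release train and build number against the fixed builds in this advisory. The hostnames and build numbers in the sample inventory are constructed; `train`/`build` are assumed to be recorded separately (e.g. "13.1-FIPS" and "37.176"), matching how the advisory writes them.

```python
import re

# Minimum fixed build per release train, as listed in the advisory above.
FIXED_BUILD = {
    "14.1": (12, 35),
    "13.1": (51, 15),
    "13.0": (92, 21),
    "13.1-FIPS": (37, 176),
    "12.1-FIPS": (55, 302),
    "12.1-NDcPP": (55, 302),
}

# Trains the advisory marks end of life: no fixed build exists, upgrade the train.
EOL_TRAINS = {"12.1"}


def parse_build(build: str) -> tuple:
    """Turn a build string such as '51.15' (or '51.15.nc') into (51, 15)."""
    m = re.match(r"^(\d+)\.(\d+)", build)
    if not m:
        raise ValueError(f"unrecognised build string: {build!r}")
    return int(m.group(1)), int(m.group(2))


def assess(train: str, build: str) -> str:
    """Classify one appliance: 'patched', 'vulnerable', 'end-of-life' or 'unknown-train'."""
    if train in EOL_TRAINS:
        return "end-of-life"
    if train not in FIXED_BUILD:
        return "unknown-train"  # not covered by this advisory; check Citrix's bulletin
    if parse_build(build) >= FIXED_BUILD[train]:  # tuple compare: build, then minor
        return "patched"
    return "vulnerable"


def triage(inventory):
    """Assess (hostname, train, build) records and return them worst-first."""
    order = {"vulnerable": 0, "end-of-life": 1, "unknown-train": 2, "patched": 3}
    rows = [(host, train, build, assess(train, build)) for host, train, build in inventory]
    return sorted(rows, key=lambda r: order[r[3]])


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hostnames), not real appliances.
    sample = [
        ("gw-01", "13.1", "48.47"),
        ("gw-02", "13.1", "51.15"),
        ("adc-fips-01", "13.1-FIPS", "37.150"),
        ("adc-legacy", "12.1", "65.39"),
    ]
    for host, train, build, status in triage(sample):
        print(f"{host:12} {train:10} {build:8} {status}")
```

Any appliance reported as vulnerable or end-of-life should also have its management interface reviewed for internet exposure, since CVE-2023-6548 is reachable only through NSIP, CLIP or SNIP.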