A remote code execution (RCE) vulnerability affecting several versions of NetScaler ADC (Citrix ADC) and NetScaler Gateway (Citrix Gateway) [CVE-2023-3519] has been discovered. The vulnerability is rated as critical.
CVE-2023-3519 has the following key characteristics, which it shares with many of the highest-profile vulnerabilities:
- Unauthenticated remote code execution.
- Impacting software with a large market share.
- Impacting software that is often exposed to the public-facing Internet.
- Known to be exploited before or at public notification of vulnerability.
Unauthenticated remote code execution is one of the most severe categories of vulnerabilities. When present in popular, Internet-facing software, such vulnerabilities can have a large-scale impact across organizations and will prompt immediate remediation activities in impacted organizations.
Citrix reports that “Exploits of CVE-2023-3519 on unmitigated appliances have been observed.”
See the Resource Center.
Research Status
Bitsight’s research on this vulnerability is in progress and we will provide updates as more information becomes available.