Fri, Jan 19, 2024

Two Zero-Day Vulnerabilities Exploited in Citrix NetScaler ADC and NetScaler Gateway

Note: These vulnerabilities remain under active exploitation, and Kroll experts are investigating. If further details are uncovered by our team, updates will be made to the Kroll Cyber Risk blog.

Two vulnerabilities have been disclosed in Citrix NetScaler ADC and NetScaler Gateway. They are tracked as CVE-2023-6549 (CVSS 8.2) and CVE-2023-6548 (CVSS 5.5), are under active exploitation, and affect the following product versions:

  • NetScaler ADC and NetScaler Gateway 14.1 before 14.1-12.35
  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-51.15
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.21
  • NetScaler ADC 13.1-FIPS before 13.1-37.176
  • NetScaler ADC 12.1-FIPS before 12.1-55.302
  • NetScaler ADC 12.1-NDcPP before 12.1-55.302

Citrix has published security updates for these vulnerabilities; the fixes should be applied immediately.

Citrix did not provide additional details about the in-the-wild attacks, so it is unknown when exploitation started.

According to Citrix, customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication do not need to take any action. It is not clear if the vulnerabilities previously affected the cloud platforms but have since been mitigated.

CVE-2023-6549 is a zero-day denial-of-service vulnerability with a high potential for exploitation. If exploited, it allows an attacker to cause a denial of service on an appliance configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server.

CVE-2023-6548 is a zero-day vulnerability that allows an authenticated, low-privileged attacker who has access to the NSIP, CLIP or SNIP with management interface access to achieve remote code execution on the Management Interface.

CVE-2023-6548 only impacts the Management Interface. Citrix strongly recommends that network traffic to the appliance's management interface be separated, either physically or logically, from normal network traffic, and that the Management Interface never be exposed to the internet. See the NetScaler secure deployment guide for more information.

Our Cyber Threat Intelligence (CTI) team recommends the following:

Install the relevant updated versions as soon as possible:

  • NetScaler ADC and NetScaler Gateway 14.1-12.35 and later releases
  • NetScaler ADC and NetScaler Gateway 13.1-51.15 and later releases of 13.1
  • NetScaler ADC and NetScaler Gateway 13.0-92.21 and later releases of 13.0
  • NetScaler ADC 13.1-FIPS 13.1-37.176 and later releases of 13.1-FIPS
  • NetScaler ADC 12.1-FIPS 12.1-55.302 and later releases of 12.1-FIPS
  • NetScaler ADC 12.1-NDcPP 12.1-55.302 and later releases of 12.1-NDcPP

Note: NetScaler ADC and NetScaler Gateway version 12.1 (other than the 12.1-FIPS and 12.1-NDcPP builds listed above) are now end of life (EOL). Citrix recommends that customers upgrade their appliances to one of the supported versions above that addresses the vulnerabilities.
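To help triage an estate against the affected and fixed version lists above, here is a small version-comparison script added to this post; it is not code from Citrix or from the original advisory. It accepts either the dash notation used in the advisory ("13.1-51.15") or the "NSxx.y: Build a.b" line printed by the NetScaler `show version` command (the format of that line is an assumption; check it against your own appliance output), compares the build number against the fixed build for that branch, and flags plain 12.1 as EOL. Because the build line alone does not show whether an appliance is a FIPS or NDcPP build, the caller passes that as `variant`; the sample `show version` output below is constructed for illustration.

```python
import re

# Fixed builds from the advisory, keyed by branch. A build on the same branch that is
# numerically older than the listed one is affected by CVE-2023-6549 / CVE-2023-6548.
FIXED_BUILDS = {
    "14.1": (12, 35),
    "13.1": (51, 15),
    "13.0": (92, 21),
    "13.1-FIPS": (37, 176),
    "12.1-FIPS": (55, 302),
    "12.1-NDcPP": (55, 302),
}

# Branches with no fixed build: the advisory states plain 12.1 is end of life.
EOL_BRANCHES = {"12.1"}

# Advisory notation, e.g. "13.1-51.15"
DASH_RE = re.compile(r"\b(\d+\.\d+)-(\d+)\.(\d+)\b")
# "show version" notation, e.g. "NetScaler NS13.1: Build 51.15.nc" (assumed format)
SHOW_RE = re.compile(r"\bNS(\d+\.\d+):\s*Build\s+(\d+)\.(\d+)", re.IGNORECASE)


def parse_version(text, variant=""):
    """Return (branch, (build_major, build_minor)) or None if no version is found.

    variant: "FIPS" or "NDcPP" for those builds; the version line alone does not
    reveal this (assumption: the operator knows which build is installed).
    """
    match = DASH_RE.search(text) or SHOW_RE.search(text)
    if not match:
        return None
    release, major, minor = match.group(1), int(match.group(2)), int(match.group(3))
    branch = f"{release}-{variant}" if variant else release
    return branch, (major, minor)


def assess(branch, build):
    """Classify a parsed (branch, build) as fixed, affected, eol or unknown."""
    if branch in EOL_BRANCHES:
        return "eol"
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        return "unknown"
    # Tuple comparison orders (major, minor) numerically, e.g. (50, 99) < (51, 15).
    return "fixed" if build >= fixed else "affected"


def assess_text(text, variant=""):
    """Parse a version string or 'show version' line and return its status."""
    parsed = parse_version(text, variant)
    if parsed is None:
        return "unparsed"
    return assess(*parsed)


if __name__ == "__main__":
    # Constructed sample 'show version' output, not captured from a real appliance.
    SAMPLE_SHOW_VERSION = "NetScaler NS13.0: Build 91.13.nc, Date: Jan 10 2024, 10:54:25 (64-bit)"
    print("sample appliance:", assess_text(SAMPLE_SHOW_VERSION))   # affected
    print("13.1-51.15:", assess_text("13.1-51.15"))                 # fixed
    print("13.1-37.176 (FIPS):", assess_text("13.1-37.176", "FIPS"))  # fixed
    print("12.1-65.39:", assess_text("12.1-65.39"))                 # eol
```

Run it against the output of `show version` collected from each appliance (or the version strings in an inventory export); anything reported as "affected", "eol" or "unknown" needs either the patch, an upgrade to a supported branch, or a manual check.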
