blog

CVE-2023-3519 Update on Critical RCE in Netscaler ADC (Citrix ADC) and Netscaler Gateway (Citrix Gateway)

CVE-2023-3519, Critical RCE in Netscaler ADC, Citrix ADC, Netscaler Gateway, Citrix Gateway, CVE-2023-3466, CISA, CISA KEV, Critical vulnerability, code injection
CVE-2023-3467

On July 18, Citrix published a security bulletin (CTX561482) that addresses a critical remote code execution (RCE) vulnerability in Netscaler ADC (formerly known as Citrix ADC) and Netscaler Gateway (formerly known as Citrix Gateway).

CVE	Description	CVSSv3	Severity
CVE-2023-3519	Unauthenticated Remote Code Execution vulnerability	9.8	Critical

In addition to CVE-2023-3519, Citrix patched two additional vulnerabilities in its ADC and Gateway appliances:

CVE	Description	CVSSv3	Severity
CVE-2023-3466	Reflected Cross-Site Scripting (XSS) vulnerability	8.3	High
CVE-2023-3467	Privilege Escalation to root administrator (nsroot) vulnerability	8.0	High

Tracked as CVE-2023-3519 (CVSS score: 9.8), the issue relates to a case of code injection that could result in unauthenticated remote code execution. It impacts the following versions –

NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13
NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
NetScaler ADC and NetScaler Gateway version 12.1 (currently end-of-life)
NetScaler ADC 13.1-FIPS before 13.1-37.159
NetScaler ADC 12.1-FIPS before 12.1-55.297, and
NetScaler ADC 12.1-NDcPP before 12.1-55.297

CVE-2023-3519 Added to CISA KEV Catalog#

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added the Citrix remote code execution flaw to its Known Exploited Vulnerabilities (KEV) catalogue based on evidence of exploit.

How many systems are exposed to Citrix RCE CVE-2023-3519

Currently, in Shodan, there are 48K + servers, but this is just the initial approach

As of 23 July 2023 Shadow server’s foundation count, there are 5.7K vulnerable citrix systems in the USA alone and 1K in the united kingdom, but the count could be much higher.

CVE-2023-3519, Critical RCE in Netscaler ADC, Citrix ADC, Netscaler Gateway, Gateway, CVE-2023-3466, CISA, CISA KEV, Critical vulnerability, code injection
CVE-2023-3467 , Shadowserver, Citrix, word

Europe Citrix vulnerable Servers

CVE-2023-3519, Critical RCE in Netscaler ADC, ADC, Netscaler Gateway, Citrix Gateway, CVE-2023-3466, CISA, CISA KEV, Critical vulnerability, code injection
CVE-2023-3467, shadowserver, threat intel, europe

Timeline and indicator of compromise for CVE-2023-3519 Update on Critical RCE in Netscaler ADC (Citrix ADC) and Netscaler Gateway (Citrix Gateway)

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-201a

The attack shows exploitation on 7th of july 11 days in advance of the notification

Citrix Gateway VPN compromised via CVE-2023-3519 (a critical unauthenticated RCE) shows evidence of exploitation on 7th July, 11 days before the official patch.

The attackers exfiltrated the system configuration file to then probably use the Metasploit module called… pic.twitter.com/vZuXdKsQ3r
— Germán Fernández (@1ZRR4H) July 23, 2023

The attackers exfiltrated the system configuration file to then probably use the Metasploit module called “citrix_netscaler_config_decrypt” and gain access as the user “nsroot” (full system access), other important secrets about the network and internal users are leaked.

Bleeping computer reports the threat actor having access to the vulnerability since beginning of july

The CVE-2023-3519 RCE zero-day was likely available online since the first week of July when a threat actor began advertising Citrix ADC zero-day flaw on a hacker forum.

Currently from traces of CITRIX CVE-2023-3519 from virus total threat intel:

https://www.virustotal.com/gui/file/293fe23849cffb460e8d28691c640a5292fd4649b0f94a019b45cc586be83fd9

How to detect if the patch has been applied to your citrix netscaler

The mr-r3boot researcher has recently published a script to identify the Citrix vulnerability

Last nights run!! 40 percent likely not patched #citrix #netscaler pic.twitter.com/J9IdDSpMQc
— mRr3b00t (@UK_Daniel_Card) July 23, 2023

https://github.com/mr-r3b00t/CVE-2023-3519

Get in control of your Application Security posture and Vulnerability management

Get a Demo today

Citrix Indicator of compromise

Since its exploitation has been seen in the wild, certain indicators of compromise have been published to help auditors and threat hunters detect previous intrusions:

Origin IP addresses:
- 216.41.162.172
- 216.51.171.17

DETECTION METHODS for CITRIX RCE from CISA

Run the following victim-created checks on the ADC shell interface to check for signs of compromise:

Check for files newer than the last installation.
Modify the -newermt parameter with the date that corresponds to your last installation:
- find /netscaler/ns_gui/ -type f -name *.php -newermt [YYYYMMDD] -exec ls -l {} \;
- find /var/vpn/ -type f -newermt [YYYYMMDD] -exec ls -l {} \;
- find /var/netscaler/logon/ -type f -newermt [YYYYMMDD] -exec ls -l {} \;
- find /var/python/ -type f -newermt [YYYYMMDD] -exec ls -l {} \;
Check http error logs for abnormalities that may be from initial exploit:
- grep ‘\.sh’ /var/log/httperror.log*
- grep ‘\.php’ /var/log/httperror.log*
Check shell logs for unusual post-ex commands, for example:
- grep ‘/flash/nsconfig/keys’ /var/log/sh.log*
Look for setuid binaries dropped:
- find /var -perm -4000 -user root -not -path “/var/nslog/*” -newermt [YYYYMMDD] -exec ls -l {} \;
Review network and firewall logs for subnet-wide scanning of HTTP/HTTPS/SMB (80/443/445) originating from the ADC.
Review DNS logs for unexpected spike in internal network computer name lookup originating from the ADC (this may indicate the threat actor resolving host post-AD enumeration of computer objects).
Review network/firewall logs for unexpected spikes in AD/LDAP/LDAPS traffic originating from the ADC (this may indicate AD/LDAP enumeration).
Review number of connections/sessions from NetScaler ADC per IP address for excessive connection attempts from a single IP (this may indicate the threat actor interacting with the webshell).
Pay attention to larger outbound transfers from the ADC over a short period of session time as it can be indicative of data exfiltration.
Review AD logs for logon activities originating from the ADC IP with the account configured for AD connection.
If logon restriction is configured for the AD account, check event 4625 where the failure reason is “User not allowed to logon at this computer.”
Review NetScaler ADC internal logs (sh.log*, bash.log*) for traces of potential malicious activity (some example keywords for grep are provided below):
- database.php
- ns_gui/vpn
- /flash/nsconfig/keys/updated
- LDAPTLS_REQCERT
- ldapsearch
- openssl + salt
Review NetScaler ADC internal access logs (httpaccess-vpn.log*) for 200 successful access of unknown web resources.

Further details on CISA website

Get in control of your Application Security posture and Vulnerability management

Get a Demo today

Previous Issues of Vulnerability Weekly

Movit Transfer Zellis Data Breach
Latest Security Vulnerability of the Week 24/10/22
Security Vulnerability of the Week 3/10/22 – Application Security – Cloud – Vulnerability – Exchange Zero Day & Mitigations, bitbucket, cobalt stike
Security Vulnerability of the Week 12/09/22 – Application Security – Cloud Security – Linux Malware, Windows patched 64 vulns with zero-day, Uber Hack Timeline, GTA 6/Rockstar Hack – This week we deep dive into Linux Malware, Windows patched 64 vuln with zero day, Uber Hack Timeline, GTA 6/Rockstar Hack
Security Vulnerability of the Week 12/09/22 – Application Security – Uber Hack Timeline – Special Focus on Uber latest news on hack

ransomware Vulnerability

ransomware Vulnerability

Francesco Cipollone

Francesco is an internationally renowned public speaker, with multiple interviews in high-profile publications (eg. Forbes), and an author of numerous books and articles, who utilises his platform to evangelize the importance of Cloud security and cutting-edge technologies on a global scale.

23rd July 2023

MOVEit Transfer vuln_weekly vulnerabilities vulnerability

Discuss this blog with our community on Slack

Join our AppSec Phoenix community on Slack to discuss this blog and other news with our professional security team

From our Blog

Announcing Phoenix Threat Centric Approach

Learn how to predict ransomware risks and vulnerability exploitation using a threat-centric approach. Explore data-driven insights, verified exploit trends, and methods for assessing the likelihood of attacks with key references to CISA KEV, EPSS, and Phoenix Security’s 4D Risk Formula.

Francesco Cipollone

A Threat-Centric Look at Vulnerability Exploitation Likelihood and Ransomware Risk

Remote Code Execution flaws continue to undermine Kubernetes ingress integrity. IngressNightmare (CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, CVE-2025-1974) showcases severe threat vectors in NGINX-based proxies, leading to cluster-wide exposure. ASPM, robust remediation tactics, and strong application security solutions—like Phoenix Security—mitigate these vulnerabilities before ransomware groups exploit them.

Francesco Cipollone

IS NGINX IngressNightmare bad? Bad news it is: Critical Remote Code Execution Threats (CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, CVE-2025-1974)

Francesco Cipollone

Google Bought Wiz for $32B. Now What? Why Is It Great for the Security Market?

The recent Google acquisition of Wiz for $32 billion has sent shockwaves through the cybersecurity industry, particularly in the realm of Application Security Posture Management (ASPM). This monumental deal highlights the critical importance of cloud security and the growing demand for robust ASPM solutions. While the acquisition promises potential benefits for Google Cloud users, it also raises concerns about vendor lock-in and the future of cloud-agnostic security. Explore the implications of this acquisition and discover how neutral ASPM solutions like Phoenix Security can bridge the gap in multi-cloud environments, ensuring continuous, collaborative, and comprehensive security from code to cloud.” – Find Assets/Vulns by Scanner – Detailed findings Location information Risk-based Posture Management – Risk and Risk Magnitude for Assets – Filter assets and vulnerabilities by source scanner Integrations – BurpSuite XML Import – Assessment Import API Other Improvements – Improved multi-selection in filters – New CVSS Score column in Vulnerabilities

Alfonso Eusebio

Phoenix Security Features – March 2025

The team at Phoenix Security pleased to bring you another set of new application security (ASPM) features and improvements for vulnerability management across application and cloud security engines. This release builds on top of previous releases with key additions and progress across multiple areas of the platform. Application Security Posture Management (ASPM) Enhancements • New Weighted Asset Risk Formula – Refined risk aggregation for tailored vulnerability management. • Auto-Approval of Risk Exceptions – Accelerate mitigation by automating security approvals. • Enhanced Risk Explorer & Business Unit Insights – Monitor and analyze risk exposure by business units for better prioritization. Vulnerability & Asset Management • Link Findings to Existing Tickets – Seamless GitHub, ServiceNow, and Azure DevOps integration. • Multi-Finding Ticketing for ADO – Group multiple vulnerabilities in a single ticket for better workflow management. • Filter by Business Unit, CWE, Ownership, and Deployment Environment – Target vulnerabilities with precision using advanced filtering. Cyber Threat Intelligence & Security Enhancements • Cyber Threat Intelligence Premium – Access 128,000+ exploits for better exploitability and fixability metrics. • SBOM, Container SBOM & Open Source Artifact Analysis – Conduct deep security analysis with reachability insights. • Enhanced Lacework Container Management – Fetch and analyze running container details for better security reporting. • REST API Enhancements – Use asset tags for automated deployments and streamline security processes. Other Key Updates • CVE & CWE Columns Added – Compare vulnerabilities more effectively. • Custom Status Management for Findings – Personalize security workflows with custom status configurations. • Impact & Risk Explorer Side Panel – Gain heatmap-based insights into vulnerability distribution and team risk impact. 🚀 Stay ahead of vulnerabilities, optimize risk assessment, and enhance security efficiency with Phoenix Security’s latest features! 🚀

Alfonso Eusebio

CVE-2025-30066 tj-actions/changed-files GitHub Action Compromise: Impacts on Software Supply Chain Security and ASPM

Discover CVE-2025-30066 tj-actions/changed-files GitHub Action has been compromised, exposing secrets in CI/CD pipelines and posing a major software supply chain security risk. Attackers injected malicious code into all versions (V1–V45), repointing existing tags to a compromised commit that exfiltrated credentials via GitHub Actions logs. Immediate remediation is required—organizations must scan their repositories, rotate secrets, and replace the action to mitigate risk. Learn how Phoenix Security’s ASPM can automate threat detection and enhance GitHub Actions security.

Francesco Cipollone

blog