CVE-2023-3519 Update on Critical RCE in Netscaler ADC (Citrix ADC) and Netscaler Gateway (Citrix Gateway)

CVE-2023-3519 Update on Critical RCE in Netscaler ADC (Citrix ADC) and Netscaler Gateway (Citrix Gateway) details on vulnerability timeline and compromise

CVE-2023-3519, Critical RCE in Netscaler ADC, Citrix ADC, Netscaler Gateway, Citrix Gateway, CVE-2023-3466, CISA, CISA KEV, Critical vulnerability, code injection 

On July 18, Citrix published a security bulletin (CTX561482) that addresses a critical remote code execution (RCE) vulnerability in Netscaler ADC (formerly known as Citrix ADC) and Netscaler Gateway (formerly known as Citrix Gateway).

CVE-2023-3519Unauthenticated Remote Code Execution vulnerability9.8Critical

In addition to CVE-2023-3519, Citrix patched two additional vulnerabilities in its ADC and Gateway appliances:

CVE-2023-3466Reflected Cross-Site Scripting (XSS) vulnerability8.3High
CVE-2023-3467Privilege Escalation to root administrator (nsroot) vulnerability8.0High

Tracked as CVE-2023-3519 (CVSS score: 9.8), the issue relates to a case of code injection that could result in unauthenticated remote code execution. It impacts the following versions –

  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
  • NetScaler ADC and NetScaler Gateway version 12.1 (currently end-of-life)
  • NetScaler ADC 13.1-FIPS before 13.1-37.159
  • NetScaler ADC 12.1-FIPS before 12.1-55.297, and
  • NetScaler ADC 12.1-NDcPP before 12.1-55.297

CVE-2023-3519 Added to CISA KEV Catalog#

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added the Citrix remote code execution flaw to its Known Exploited Vulnerabilities (KEV) catalogue based on evidence of exploit.

How many systems are exposed to Citrix RCE CVE-2023-3519

Currently, in Shodan, there are 48K + servers, but this is just the initial approach 

CVE-2023-3519, Critical RCE in Netscaler ADC, Citrix ADC, Netscaler Gateway, Citrix Gateway, CVE-2023-3466, CISA, CISA KEV, Critical vulnerability, code injection 

As of 23 July 2023 Shadow server’s foundation count, there are 5.7K vulnerable citrix systems in the USA alone and 1K in the united kingdom, but the count could be much higher.

CVE-2023-3519, Critical RCE in Netscaler ADC, Citrix ADC, Netscaler Gateway, Gateway, CVE-2023-3466, CISA, CISA KEV, Critical vulnerability, code injection 
CVE-2023-3467 , Shadowserver, Citrix, word

Europe Citrix vulnerable Servers

CVE-2023-3519, Critical RCE in Netscaler ADC, ADC, Netscaler Gateway, Citrix Gateway, CVE-2023-3466, CISA, CISA KEV, Critical vulnerability, code injection 
CVE-2023-3467, shadowserver, threat intel, europe

Timeline and indicator of compromise for CVE-2023-3519 Update on Critical RCE in Netscaler ADC (Citrix ADC) and Netscaler Gateway (Citrix Gateway)

The attack shows exploitation on 7th of july 11 days in advance of the notification

The attackers exfiltrated the system configuration file to then probably use the Metasploit module called “citrix_netscaler_config_decrypt” and gain access as the user “nsroot” (full system access), other important secrets about the network and internal users are leaked. 

Bleeping computer reports the threat actor having access to the vulnerability since beginning of july

The CVE-2023-3519 RCE zero-day was likely available online since the first week of July when a threat actor began advertising Citrix ADC zero-day flaw on a hacker forum.

Currently from traces of CITRIX CVE-2023-3519 from virus total threat intel: 

How to detect if the patch has been applied to your citrix netscaler

The mr-r3boot researcher has recently published a script to identify the Citrix vulnerability

Get an overview of your asset lineage

Citrix Indicator of compromise

Since its exploitation has been seen in the wild, certain indicators of compromise have been published to help auditors and threat hunters detect previous intrusions:

  • Origin IP addresses:


Run the following victim-created checks on the ADC shell interface to check for signs of compromise:

  1. Check for files newer than the last installation.
  2. Modify the -newermt parameter with the date that corresponds to your last installation:
    • find /netscaler/ns_gui/ -type f -name *.php -newermt [YYYYMMDD] -exec ls -l {} \;
    • find /var/vpn/ -type f -newermt [YYYYMMDD] -exec ls -l {} \;
    • find /var/netscaler/logon/ -type f -newermt [YYYYMMDD] -exec ls -l {} \;
    • find /var/python/ -type f -newermt [YYYYMMDD] -exec ls -l {} \;
  3. Check http error logs for abnormalities that may be from initial exploit:
    • grep ‘\.sh’ /var/log/httperror.log*
    • grep ‘\.php’ /var/log/httperror.log*
  4. Check shell logs for unusual post-ex commands, for example:
    • grep ‘/flash/nsconfig/keys’ /var/log/sh.log*
  5. Look for setuid binaries dropped:
    • find /var -perm -4000 -user root -not -path “/var/nslog/*” -newermt [YYYYMMDD] -exec ls -l {} \;
  6. Review network and firewall logs for subnet-wide scanning of HTTP/HTTPS/SMB (80/443/445) originating from the ADC.
  7. Review DNS logs for unexpected spike in internal network computer name lookup originating from the ADC (this may indicate the threat actor resolving host post-AD enumeration of computer objects).
  8. Review network/firewall logs for unexpected spikes in AD/LDAP/LDAPS traffic originating from the ADC (this may indicate AD/LDAP enumeration).
  9. Review number of connections/sessions from NetScaler ADC per IP address for excessive connection attempts from a single IP (this may indicate the threat actor interacting with the webshell).
  10. Pay attention to larger outbound transfers from the ADC over a short period of session time as it can be indicative of data exfiltration.
  11. Review AD logs for logon activities originating from the ADC IP with the account configured for AD connection. 
  12. If logon restriction is configured for the AD account, check event 4625 where the failure reason is “User not allowed to logon at this computer.”
  13. Review NetScaler ADC internal logs (sh.log*, bash.log*) for traces of potential malicious activity (some example keywords for grep are provided below):
    • database.php
    • ns_gui/vpn
    • /flash/nsconfig/keys/updated 
    • ldapsearch 
    • openssl + salt
  14. Review NetScaler ADC internal access logs (httpaccess-vpn.log*) for 200 successful access of unknown web resources.

Further details on CISA website

Get an overview of your asset lineage

Previous Issues of Vulnerability Weekly

Francesco is an internationally renowned public speaker, with multiple interviews in high-profile publications (eg. Forbes), and an author of numerous books and articles, who utilises his platform to evangelize the importance of Cloud security and cutting-edge technologies on a global scale.

Discuss this blog with our community on Slack

Join our AppSec Phoenix community on Slack to discuss this blog and other news with our professional security team

From our Blog

Explore ASPM’s role in modern application security, offering a panoramic view that extends beyond code vulnerabilities. This guide demystifies concepts like traceability, reachability analysis, and asset lineage, pivotal for securing digital assets. Learn how ASPM empowers organizations with actionable insights for precise vulnerability management. #Cybersecurity #ASPM #ApplicationSecurity
Francesco Cipollone
Explore the transformative role of ASPM in cybersecurity. Uncover how Application Security Posture Management aligns business and security objectives for effective vulnerability management and risk reduction. Discover Phoenix Security’s innovative approach to tackling the staggering challenge of CVEs with a strategic focus on prioritization. #ASPM #Cybersecurity #VulnerabilityManagement
Francesco Cipollone
Explore the critical insights into the latest container security vulnerabilities named leaky vessels, including CVE-2024-21626, CVE-2024-23651, CVE-2024-23653, and CVE-2024-23652, BuildKit flaws, with our comprehensive guide on mitigation strategies, best practices for application security, and tips for robust vulnerability management in Docker and Kubernetes environments. Stay ahead in securing your container deployments against potential threats with ASPM help
Francesco Cipollone

Jeevan Singh

Founder of Manicode Security

Jeevan Singh is the Director of Security Engineering at Rippling, with a background spanning various Engineering and Security leadership roles over the course of his career. He’s dedicated to the integration of security practices into software development, working to create a security-aware culture within organizations and imparting security best practices to the team.
In his role, Jeevan handles a range of tasks, from architecting security solutions to collaborating with Engineering Leadership to address security vulnerabilities at scale and embed security into the fabric of the organization.

James Berthoty

Founder of Latio Tech

James Berthoty has over ten years of experience across product and security domains. He founded Latio Tech to help companies find the right security tools for their needs without vendor bias.

Christophe Parisel

Senior Cloud Security Architect

Senior Cloud Security Architect

Chris Romeo

Security Journey

Chris Romeo is a leading voice and thinker in application security, threat modeling, and security champions and the CEO of Devici and General Partner at Kerr Ventures. Chris hosts the award-winning “Application Security Podcast,” “The Security Table,” and “The Threat Modeling Podcast” and is a highly rated industry speaker and trainer, featured at the RSA Conference, the AppSec Village @ DefCon, OWASP Global AppSec, ISC2 Security Congress, InfoSec World and All Day DevOps. Chris founded Security Journey, a security education company, leading to an exit in 2022. Chris was the Chief Security Advocate at Cisco, spreading security knowledge through education and champion programs. Chris has twenty-six years of security experience, holding positions across the gamut, including application security, security engineering, incident response, and various Executive roles. Chris holds the CISSP and CSSLP certifications.

Jim Manico

Founder of Manicode Security

Jim Manico is the founder of Manicode Security, where he trains software developers on secure coding and security engineering. Jim is also the founder of Brakeman Security, Inc. and an investor/advisor for Signal Sciences. He is the author of Iron-Clad Java: Building Secure Web Applications (McGraw-Hill), a frequent speaker on secure software practices, and a member of the JavaOne Rockstar speaker community. Jim is also a volunteer for and former board member of the OWASP foundation.

Join our Mailing list!

Get all the latest news, exclusive deals, and feature updates.