Home / Threat Intelligence bulletins / Citrix disclosed critical zero-day flaw in ADC and Gateway

Target Industry

Indiscriminate, opportunistic targeting.


Citrix has disclosed a critical zero-day vulnerability within its NetScaler Application Delivery Controller (ADC) and Gateway. The flaw, tracked as CVE-2023-3519 (CVSSv3 score: 9.8), pertains to a code injection that allows for potential remote code execution (RCE) capabilities.

At the time of writing, CVE-2023-3519 has been detected to have been actively exploited in the wild. As such, it is critical that the mitigation strategies outlined later in this bulletin are adhered to.

Update: 15th August 2023

A threat actor has successfully exploited approximately 2,000 Citrix NetScaler servers in an attack campaign relating to the critical-severity remote code execution (RCE) flaw, tracked as CVE-2023-3519. Researchers have discovered that the threat actors have planted web shells on the servers, resulting in the mass exploit.


Successful exploitation of CVE-2023-3519 could allow an unauthenticated threat actor to gain RCE capabilities on vulnerable systems.

Vulnerability Detection

Citrix has released a security update with regards to the vulnerability reported on. As such, previous versions are vulnerable to potential exploitation.

Update: 6th September 2023

To detect for successful exploitation of CVE-2023-2519, please refer to the CISA Advisory which outlines the recommended checks that should be implemented.

Affected Products

  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
  • NetScaler ADC and NetScaler Gateway version 12.1 (currently end-of-life)
  • NetScaler ADC 13.1-FIPS before 13.1-37.159
  • NetScaler ADC 12.1-FIPS before 12.1-55.297, and
  • NetScaler ADC 12.1-NDcPP before 12.1-55.297

Containment, Mitigations & Remediations

It is strongly recommended that users of the affected product versions apply the relevant security update as a matter of urgency. The remediated product versions have been outlined below:

  • NetScaler ADC and NetScaler Gateway 13.1-49.13 and later releases
  • NetScaler ADC and NetScaler Gateway 13.0-91.13 and later releases of 13.0
  • NetScaler ADC 13.1-FIPS 13.1-37.159 and later releases of 13.1-FIPS
  • NetScaler ADC 12.1-FIPS 12.1-55.297 and later releases of 12.1-FIPS
  • NetScaler ADC 12.1-NDcPP 12.1-55.297 and later releases of 12.1-NDcPP

Update: 15th August 2023

Researchers at Fox-IT have stated that patched NetScaler servers can still contain backdoor malware and as such it is strongly recommended that administrators perform triage protocols on vulnerable systems. Such protocols can be implemented via a Python script released by Fox-IT that uses an incident response toolkit.

Indicators of Compromise

No specific Indicators of Compromise (IoCs) are available currently.

Threat Landscape

Citrix occupies a significant proportion of the virtual application and desktop market share. Given that threat actors generally use a combination of probability and asset value to determine which attack surfaces to focus on, Citrix products have emerged as a prime target. Due to the fact that Citrix products have become an integral aspect of business operations, threat actors will continue to exploit vulnerabilities contained within the associated products in an attempt to extract the sensitive data contained therein.

Update: 15th August 2023

On 21st July 2023, the Cybersecurity and Infrastructure Security Agency (CISA) warned that CVE-2023-3519 had been leveraged to exploit a critical infrastructure organisation in the US. Throughout the previous two-month period, Fox-IT has responded to numerous incidents related to web-shell planting on vulnerable servers via the exploitation of CVE-2023-3519. At the time of writing, servers in Europe have been the most heavily targeted.

As long as vulnerable servers remain unpatched and the additional protocols outlined above are not implemented, it is almost certain that opportunistic threat actors will continue to exploit CVE-2023-3519. As such, it is of critical importance that the relevant remediation strategies and security updates are applied as soon as possible.

Threat Group

No attribution to specific threat actors or groups has been identified at time of writing.

Mitre Methodologies

Common Weakness Enumeration (CWE):

CWE-94 – Improper Control of Generation of Code (‘Code Injection’)

Update: 6th September 2023

Initial Access Technique:

T1190 – Exploit Public-Facing Application

Persistence Technique:

T1505.003  – Server Software Component: Web Shell

Privilege Escalation Technique:

T1548.001 – Abuse Elevation Control Mechanism: Setuid and Setgid

Defense Evasion Technique:

  • T1548.001 – Abuse Elevation Control Mechanism: Setuid and Setgid
  • T1036.008 – Masquerading: Masquerade File Type

Credential Access Technique:

  • T1552.001 – Unsecured Credentials: Credentials In Files
  • T1552.004 – Unsecured Credentials: Private Keys

Discovery Technique:

  • T1482 – Domain Trust Discovery
  • T1069.002 – Permission Groups Discovery: Domain Groups
  • T1018 – Remote System Discovery
  • T1016 – System Network Configuration Discovery
  • T1016.001 – System Network Configuration Discovery: Internet Connection Discovery
  • T1046 – Network Service Discovery
  • T1087.002 – Account Discovery: Domain Account

Collection Technique:

  • T1560.001 – Archive Collected Data: Archive via Utility
  • T1005 – Data from Local System
  • T1074 – Data Staged

Command and Control Technique:

Impact Technique:

  • T1531 – Account Access Removal

Further Information

Citrix Advisory

Fox-IT Report

CISA Advisory


An Intelligence Terminology Yardstick to showing the likelihood of events