Citrix Issues Urgent Warning for Two Actively Exploited Zero-Day Vulnerabilities

January 16, 2024

Citrix has warned its customers about two zero-day vulnerabilities (CVE-2023-6548 and CVE-2023-6549) that are currently being exploited in attacks. Both affect the management interface of Citrix's NetScaler ADC and NetScaler Gateway appliances. If left unpatched, they could expose NetScaler instances to remote code execution and denial-of-service (DoS) attacks. To gain code execution, however, an attacker would need to be logged into a low-privilege account on the target instance and have access to the NSIP, CLIP, or SNIP with management interface access. To be vulnerable to DoS attacks, an appliance would need to be configured as a gateway or an AAA virtual server.

The zero-days only impact customer-managed NetScaler appliances. Citrix-managed cloud services and Citrix-managed Adaptive Authentication are not affected.

The following Netscaler product versions are affected by these zero-day vulnerabilities:

According to data from the threat monitoring platform Shadowserver, over 1,500 NetScaler management interfaces are currently exposed on the Internet.

Citrix has published a security advisory urging administrators to immediately patch their NetScaler appliances against these zero-days to prevent potential attacks. The company stated, "Exploits of these CVEs on unmitigated appliances have been observed," and it strongly advises affected customers to install the updated versions as soon as possible. Customers still running the end-of-life version 12.1 of NetScaler ADC and NetScaler Gateway are also advised to upgrade to a version that is still supported. If the security updates cannot be deployed immediately, admins should block network traffic to affected instances and ensure they are not exposed online.

Citrix also recommended separating network traffic to the appliance's management interface from normal network traffic, either physically or logically, and not exposing the management interface to the Internet, as this significantly reduces the risk of exploitation.

Another critical NetScaler vulnerability, tracked as CVE-2023-4966 and later known as Citrix Bleed, was patched in October. It had been exploited as a zero-day since August by various threat groups to infiltrate the networks of government organizations and high-profile tech companies worldwide. The Health Sector Cybersecurity Coordination Center (HC3) has also issued an alert urging health organizations to secure their NetScaler ADC and NetScaler Gateway instances against increasing ransomware attacks.
