Citrix Issues Urgent Warning for Two Actively Exploited Zero-Day Vulnerabilities

January 16, 2024

Citrix has issued a warning to its customers about two zero-day vulnerabilities (CVE-2023-6548 and CVE-2023-6549) that are currently being exploited in attacks. These vulnerabilities affect the Netscaler management interface of Citrix's Netscaler ADC and Gateway appliances. If left unpatched, these vulnerabilities could expose Netscaler instances to remote code execution and denial-of-service attacks. However, for an attacker to gain code execution, they would need to be logged into low-privilege accounts on the target instance and have access to NSIP, CLIP, or SNIP with management interface access. The appliances would also need to be configured as a gateway or an AAA virtual server to be vulnerable to DoS attacks.

The zero-days only impact customer-managed Netscaler appliances. Citrix-managed cloud services or Citrix-managed Adaptive Authentication are not affected. The following Netscaler product versions are affected by these zero-day vulnerabilities: According to data from threat monitoring platform Shadowserver, over 1,500 Netscaler management interfaces are currently exposed on the Internet.

Citrix has published a security advisory urging administrators to immediately patch their Netscaler appliances against these zero-days to prevent potential attacks. The company stated, "Exploits of these CVEs on unmitigated appliances have been observed." They strongly advise affected customers to install the updated versions as soon as possible. Customers still using NetScaler ADC and NetScaler Gateway version 12.1 end-of-life software are also advised to upgrade to a version still under support. If the security updates cannot be immediately deployed, admins should block network traffic to affected instances and ensure they're not exposed online.

Citrix also recommended separating network traffic to the appliance's management interface from normal network traffic, either physically or logically. They also suggested not exposing the management interface to the internet, as this significantly reduces the risk of exploitation.

Another critical Netscaler vulnerability, tracked as CVE-2023-4966 and later known as Citrix Bleed, was patched in October. This vulnerability was exploited as a zero-day since August by various threat groups to infiltrate the networks of government organizations and high-profile tech companies worldwide. The Health Sector Cybersecurity Coordination Center (HC3) has also issued an alert, urging health organizations to secure their NetScaler ADC and NetScaler Gateway instances against increasing ransomware attacks.

Related News

• Comcast's Xfinity Customer Data Breached in CitrixBleed Exploit
• Urgent Warnings Issued on CitrixBleed Exploitation by LockBit Ransomware Gang
• Citrix Urges Administrators to Terminate NetScaler User Sessions Amidst Hacker Threats
• Toyota Ransomware Attack Likely Exploited CitrixBleed Vulnerability
• LockBit Ransomware Group Leaks Boeing's Data After Ransom Refusal

Latest News

• Androxgh0st Malware Botnet Targets AWS and Microsoft Credentials: FBI and CISA Alert
• Critical Vulnerability in VMware Aria Automation Addressed: Immediate Update Recommended
• Critical RCE Vulnerability Found in Older Atlassian Confluence Versions
• Ivanti's Connect Secure VPN and Policy Secure NAC Appliances Face Mass Exploitation
• Over 178,000 SonicWall Firewalls Exposed to Potential Hacks Due to Unpatched Vulnerabilities