Citrix confirms two new NetScaler vulnerabilities as firms urged to patch immediately

Citrix logo pictured on the side of an office complex in Santa Clara, California, with grey clouds in the background.
(Image credit: Getty Images)

Citrix has urged firms to apply new updates after the discovery of two vulnerabilities in its NetScaler ADC and NetScaler Gateway products.

The two vulnerabilities, CVE-2023-6548 and CVE-2023-6549, come just months after the company struggled to contain the critical Citrix Bleed security flaw.

CVE-2023-6549 consists of a denial of service (DoS) vulnerability in the NetScaler ADC and Gateway appliances. With an 8.2 CVSS rating this flaw is judged to be a high-severity vulnerability that hackers can exploit if the appliance has been configured as a gateway or AAA virtual server.

A blog published by Citrix’s parent company, the Cloud Software Group, revealed the firm is aware of a “limited number of exploits of each vulnerability in the wild”. 

The company was unable to provide any mitigations or workarounds to this vulnerability, urging customers download and apply the permanent fixes available for NetScaler ADC and NetScaler Gateway as soon as possible. 

The vulnerability CVE-2023-6548 is an authenticated remote code execution (RCE) exploit involving the management interface, classified as a 5.5 on the CVSS. 

The relatively low severity rating could reflect the fact that exploiting this vulnerability requires an authenticated attacker with low level privileges to have access to NetScaler IP (NSIP), Subnet IP (SNIP), or cluster management IP (CLIP) with access to the system’s management interface.

In addition to immediately installing the recommended builds, customers are advised to ensure they have not exposed the management interface on the public internet and instead use a private network to host the NetScaler management IP. 

A difficult period for Citrix only gets worse

CVE-2023-6548 and CVE-2023-6549 are the second and third vulnerabilities discovered in Citrix appliances over the previous four months, with 2024 picking up where a challenging 2023 left off.

A critical vulnerability in the NetScaler system that became known as Citrix Bleed, or CVE-2023-4966, was identified by the company on 10 October 2023.

This critical security flaw enabled threat actors to steal sensitive information through Citrix devices and received a 9.2 CVSS rating. 

The prevalence of NetScaler gateways used for single sign-on (SSO) and remote access systems for large enterprises meant this security flaw could have serious ramifications if widely exploited.

On 15 November 2023, ITPro reported ransomware gangs were still capitalizing on the flaw to target several high profile organizations, including Chinese bank ICBC, who reportedly paid a ransom in order to resume operations. 

CVE-2023-6548 and CVE-2023-6549 appear to be less dangerous vulnerabilities, with researchers at security firm Tenable, Satnam Narang and Scott Caveza, predicting they will not be as widely exploited as Citrix Bleed.


Why Network Monitoring Tools Fail Within Secure Environments whitepaper

(Image credit: Zscaler)

Discover where network monitoring tools fail based on end-user connectivity


“The impact from these two new zero-day vulnerabilities is not expected to be as significant as Citrix Bleed. Nonetheless, organizations that do use these appliances in their networks should apply the available patches as soon as possible."

Chris Morgan, senior cyber threat intelligence analyst at security company ReliaQuest, said CVE-2023-6548 has the potential to be a significant vulnerability by virtue of the number of attackers who will try to exploit it.

“Of the two vulnerabilities, CVE-2023-6548, is likely to receive a significant amount of interest from threat actors. The vulnerability, a remote code execution (RCE) vulnerability, can be exploited by an authenticated attacker with low privileges if they are able to access NetScaler IP (NSIP), Subnet IP (SNIP), or cluster management IP (CLIP) with access to the appliance’s management interface.”

Morgan predicted the number of attempts to exploit this vulnerability will increase considerably once a working proof of concept is published.

“The scale of exploitation of this issue is currently unclear, however will likely increase dramatically once a working proof of concept (PoC) is released; given the likely interest in these vulnerabilities, this will likely surface in the short-term (1- 3 months). Users are highly recommended to upgrade susceptible appliances that support these vulnerabilities. Additionally, ensuring logging adequately provides visibility of susceptible appliances, to assist with detection of suspicious activity.”

Solomon Klappholz
Staff Writer

Solomon Klappholz is a Staff Writer at ITPro. He has experience writing about the technologies that facilitate industrial manufacturing which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.