Citrix discloses critical NetScaler Gateway vulnerability


Citrix has issued a warning to users of NetScaler Gateway and ADC products over a series of new vulnerabilities. 

In a security bulletin, the firm disclosed three new vulnerabilities, including one believed to have been actively exploited in the wild. 

This included CVE-2023-3466, a reflected cross-site scripting (XSS) vulnerability, and CVE-2023-3467, which would enable escalation of privilege to root administrator, the firm revealed in its update. 

The most severe of the three - identified as CVE-2023-3519 - would allow for unauthenticated remote code execution on affected Gateway appliances.

Analysis of the flaw from Rapid7 found that this vulnerability is “known to be exploited in the wild” and urged users to patch immediately. 


“This product line is a popular target for attackers of all skill levels, and we expect that exploitation will increase quickly,” researchers said. 

“Rapid7 strongly recommends updating to a fixed version on an emergency basis, without waiting for a typical patch cycle to occur. See the Citrix advisory for more information.”

Security firm Tenable also analyzed the most severe flaw, which was given a severity score of 9.8 on the CVSSv3 scale, adding that although exploits have been observed, there is currently no known proof of concept code circulating in the wild.

Affected products

In its advisory, Citrix confirmed that several versions of NetScaler ADC and NetScaler Gateway are affected by the vulnerabilities. These include: 

  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
  • NetScaler ADC 13.1-FIPS before 13.1-37.159
  • NetScaler ADC 12.1-FIPS before 12.1-65.36
  • NetScaler ADC 12.1-NDcPP before 12.1-65.36

The advisory added that NetScaler ADC and NetScaler Gateway version 12.1 is now end-of-life (EOL), will not receive a fix, and therefore remains vulnerable to the recently disclosed flaws. 

Customers currently using an EOL version have been advised to upgrade devices to the latest software versions with the patches applied.

These include: 

  • NetScaler ADC and NetScaler Gateway 13.1-49.13 and later releases
  • NetScaler ADC and NetScaler Gateway 13.0-91.13 and later releases of 13.0
  • NetScaler ADC 13.1-FIPS 13.1-37.159 and later releases of 13.1-FIPS
  • NetScaler ADC 12.1-FIPS 12.1-65.36 and later releases of 12.1-FIPS
  • NetScaler ADC 12.1-NDcPP 12.1-65.36 and later releases of 12.1-NDcPP
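As an added example (not from the article or from Citrix), the following script turns the fixed-build list above into an inventory check: it parses NetScaler build strings, compares them against the first fixed build for each branch, and flags the EOL 12.1 branch, which has no fix at all. The inventory and the "-FIPS"/"-NDcPP" suffix form of the version strings are constructed assumptions, not real hosts or a documented output format.

```python
import re

# First fixed build per branch, taken from the advisory's list above.
FIXED_BUILDS = {
    "13.1": (49, 13),
    "13.0": (91, 13),
    "13.1-FIPS": (37, 159),
    "12.1-FIPS": (65, 36),
    "12.1-NDcPP": (65, 36),
}
# Plain 12.1 is end-of-life: there is no fixed build, so it is always flagged.
EOL_BRANCHES = {"12.1"}

# Assumed format: "<release>-<build>.<sub>[-FIPS|-NDcPP]", e.g. "13.1-49.13".
VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)(?:-(FIPS|NDcPP))?$")

def parse_version(text):
    """Split a build string into (branch, (build, sub)) for numeric comparison."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version: {text!r}")
    release, build, sub, variant = m.groups()
    branch = f"{release}-{variant}" if variant else release
    return branch, (int(build), int(sub))

def assess(text):
    """Return 'fixed', 'vulnerable' or 'eol' for one appliance version string."""
    branch, build = parse_version(text)
    if branch in EOL_BRANCHES:
        return "eol"
    if branch not in FIXED_BUILDS:
        raise ValueError(f"branch {branch} is not covered by the advisory")
    # Tuple comparison orders by build number first, then sub-build.
    return "fixed" if build >= FIXED_BUILDS[branch] else "vulnerable"

def triage(inventory):
    """Map each appliance name to its verdict; inventory is {name: version}."""
    return {name: assess(version) for name, version in inventory.items()}

# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = {
    "gw-edge-01": "13.1-48.47",
    "gw-edge-02": "13.1-49.13",
    "adc-fips-01": "13.1-37.150-FIPS",
    "adc-legacy-01": "12.1-65.21",
}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{name}: {verdict}")
```

Anything reported as "vulnerable" or "eol" should be upgraded to the corresponding fixed release listed above.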

Customers and channel partners have been notified about the ongoing security risks, and will continue to receive updates via Citrix’s security bulletins. 

Ross Kelly
News and Analysis Editor

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.

He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.

For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.