Citrix Issues Critical Security Advisory for NetScaler: CVE-2024-6235 and CVE-2024-6236

Cloud Software Group, the company behind the Citrix product line, has published a security advisory for two vulnerabilities in the management components of its widely deployed NetScaler products. Tracked as CVE-2024-6235 and CVE-2024-6236, they could allow an attacker who can reach the affected component over the network to read sensitive information or to cause a denial of service (DoS).

CVE-2024-6235: Sensitive Information Disclosure (Critical Severity)

This flaw carries a CVSSv4 score of 9.4 and affects NetScaler Console (formerly NetScaler ADM), the central management plane for NetScaler ADC and Gateway instances. Successful exploitation could give an attacker unauthorized access to information held by the Console. Because the Console stores the configuration and administrative credentials it uses to manage its instances, disclosure there can cascade to every managed appliance, which is why the rating is critical. Until the fixed build is installed, the Console's management IP should be reachable only from trusted administrative networks.

CVE-2024-6236: Denial of Service (High Severity)

This vulnerability carries a CVSSv4 score of 7.1 and affects NetScaler Console, NetScaler SVM (the management VM on SDX appliances), and NetScaler Agent. An attacker who can reach one of these components could crash or hang it, interrupting management and monitoring of the NetScaler fleet and blocking configuration changes for as long as the outage lasts. These are management-plane components, so a DoS against them does not by itself stop traffic through already-running ADC instances, but it does leave administrators blind to what those instances are doing.

Affected Versions and Urgent Call to Action

All three supported release trains (14.1, 13.1, and 13.0) of NetScaler Console, SVM, and Agent are affected in builds earlier than those listed below. The advisory's remediation is to upgrade; Cloud Software Group urges customers to move to the fixed builds immediately.

The fixed builds for each product are listed below; any earlier build in the same release train is affected. Note that the 13.1 fix for SVM is a different build (53.17) than the 13.1 fix for Console and Agent (53.22), so the three products must be checked separately rather than against one number.

  • NetScaler Console: 14.1-25.53 and later builds of 14.1, 13.1-53.22 and later builds of 13.1, 13.0-92.31 and later builds of 13.0
  • NetScaler SVM: 14.1-25.53 and later builds of 14.1, 13.1-53.17 and later builds of 13.1, 13.0-92.31 and later builds of 13.0
  • NetScaler Agent: 14.1-25.53 and later builds of 14.1, 13.1-53.22 and later builds of 13.1, 13.0-92.31 and later builds of 13.0
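As an added worked example (not part of the advisory or of any Citrix tooling), the script below turns the fixed-build list above into a triage check for an inventory of Console, SVM, and Agent hosts. It parses both the short "14.1-25.53" form and the longer "NetScaler NS14.1: Build 25.53.nc" form that the appliance's version command prints; the assumption that all three products report their version in that shape is mine, so compare the regex against your own appliances' output. The inventory is constructed sample data, and the per-product table encodes the SVM 13.1 difference so that a 13.1-53.17 SVM is reported fixed while a 13.1-53.17 Console is reported vulnerable. Release trains not named in the advisory (for example 12.1) are reported as needing manual review rather than as fixed.

```python
import re
from typing import List, Optional, Tuple

# Fixed builds from the advisory, keyed by product and release train.
# The SVM 13.1 fix (53.17) differs from Console/Agent (53.22).
FIXED_BUILDS = {
    "console": {"14.1": (25, 53), "13.1": (53, 22), "13.0": (92, 31)},
    "svm":     {"14.1": (25, 53), "13.1": (53, 17), "13.0": (92, 31)},
    "agent":   {"14.1": (25, 53), "13.1": (53, 22), "13.0": (92, 31)},
}

# Matches "14.1-25.53" as well as "NS14.1: Build 25.53.nc" style strings.
# Assumption: Console, SVM and Agent all report versions in one of these shapes.
VERSION_RE = re.compile(r"(?:NS)?(\d+\.\d+)[:\s-]+(?:Build\s+)?(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[str, int, int]]:
    """Return (release_train, build_major, build_minor) or None if unparseable."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return m.group(1), int(m.group(2)), int(m.group(3))


def assess(product: str, version_text: str) -> str:
    """Classify one host as 'fixed', 'vulnerable', 'unknown-train' or 'unparseable'."""
    fixed_for_product = FIXED_BUILDS.get(product.lower())
    if fixed_for_product is None:
        raise ValueError(f"unknown product {product!r}")
    parsed = parse_version(version_text)
    if parsed is None:
        return "unparseable"
    train, major, minor = parsed
    if train not in fixed_for_product:
        # A train the advisory does not list (e.g. 12.1) must never be
        # reported as fixed; it needs a human to check support status.
        return "unknown-train"
    return "fixed" if (major, minor) >= fixed_for_product[train] else "vulnerable"


# Constructed sample inventory: (hostname, product, reported version).
# These are not real hosts.
SAMPLE_INVENTORY = [
    ("adm-prod-01", "console", "NetScaler NS14.1: Build 25.53.nc, Date: Jul 2 2024"),
    ("adm-dr-01",   "console", "13.1-53.17"),   # below the Console 13.1 fix
    ("svm-sdx-01",  "svm",     "13.1-53.17"),   # exactly the SVM 13.1 fix
    ("agent-eu-01", "agent",   "13.0-92.21"),   # below the 13.0 fix
    ("adm-old-01",  "console", "NS12.1: Build 65.25"),  # train not in advisory
]


def triage(inventory) -> List[Tuple[str, str]]:
    """Run assess() over an inventory and return (hostname, status) pairs."""
    return [(host, assess(product, version)) for host, product, version in inventory]


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY):
        print(f"{host:<12} {status}")
```

Feed it the output of each appliance's version command alongside the product type; anything that comes back "vulnerable", "unknown-train" or "unparseable" goes on the upgrade or review list, and a host is only taken off that list when it reports "fixed" against the table for its own product.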

In a separate security advisory, Citrix also disclosed two vulnerabilities, CVE-2024-6286 in Citrix Workspace app for Windows and CVE-2024-6151 in Virtual Delivery Agent for Windows, both rated high severity with a CVSSv4 score of 8.5. These are endpoint and VDI components patched independently of NetScaler, so upgrading NetScaler Console, SVM, or Agent does not address them.