CVE-2023-6548 & 6549: Two new Citrix Netscaler zero-days exploited in attacks

Citrix, a leader in digital workspace solutions, has sounded an alarm for its customers regarding two critical zero-day vulnerabilities, CVE-2023-6548 and CVE-2023-6549. These vulnerabilities pose a significant threat to the Netscaler management interface in Citrix’s Netscaler ADC and Gateway appliances.

These security flaws, if unaddressed, open the door to remote code execution and denial-of-service (DoS) attacks. However, the exploitation of these vulnerabilities requires specific conditions: an attacker must have low-privilege account access and management interface access through NSIP, CLIP, or SNIP. Additionally, the appliances need to be configured as a gateway or an AAA virtual server to be susceptible to DoS attacks.


Exploits of these CVEs on unmitigated appliances have been observed,” Citrix warned. “Cloud Software Group strongly urges affected customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions as soon as possible.

The following supported versions of NetScaler ADC and NetScaler Gateway are affected by CVE-2023-6548 and CVE-2023-6549:

  • NetScaler ADC and NetScaler Gateway 14.1 before 14.1-12.35
  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-51.15
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.21
  • NetScaler ADC 13.1-FIPS before 13.1-37.176
  • NetScaler ADC 12.1-FIPS before 12.1-55.302
  • NetScaler ADC 12.1-NDcPP before 12.1-55.302

NetScaler ADC and NetScaler Gateway version 12.1 are now End-of-Life (EOL) and are vulnerable. It’s crucial to note that these zero-day vulnerabilities only affect customer-managed Netscaler appliances.

In response, Citrix has issued a security advisory, urging administrators to patch their Netscaler appliances immediately. The urgency is underscored by observed exploits on unmitigated appliances. For those using the NetScaler ADC and NetScaler Gateway version 12.1, which is end-of-life, upgrading to a supported version is strongly recommended.

Administrators unable to deploy security updates immediately should block network traffic to affected instances and ensure they’re not exposed online. Citrix also advises segregating network traffic to the appliance’s management interface from regular traffic, either physically or logically and recommends against exposing the management interface to the internet to reduce the risk of exploitation.