
A critical vulnerability—CVE-2024-6235—in Citrix NetScaler Console has been dissected by security researcher chutton-r7, revealing a severe unauthenticated session hijack that enables attackers to create admin accounts by exploiting an internal API. Though categorized under “information disclosure,” the real-world impact is far more dangerous, earning the flaw a CVSSv4 score of 9.4.
“The vulnerability allows an unauthenticated attacker to obtain an admin-level session ID from an internal API and use this to create other admin users on the system,” confirms Rapid7.
Citrix originally provided scant details in their advisory, citing CWE-287: Improper Authentication. Rapid7’s research team reverse-engineered the fixed (v14.1-29.63) and vulnerable (v14.1-8.50) versions to uncover the heart of the issue: an internal API endpoint leaking administrative session tokens without proper authentication.
By sending a simple GET request to: /internal/v2/config/mps_secret/ADM_SESSIONID …alongside the headers:
…attackers could obtain an active session token that grants full admin privileges.
“The API returned a response code of 200 and what looked suspiciously like a NetScaler Console session ID…”, the report notes.
Armed with the session ID, the researchers then harvested another required parameter, rand_key, from the NetScaler admin panel HTML. With both pieces in place, they successfully created a new admin user, and went on to develop a proof-of-concept (PoC) script that automates the process: it retrieves a session ID from the internal API, acquires the rand_key, and creates a new super admin user.
The issue was fixed in version 14.1-25.53, which enforces proper authentication and now returns a 401 Unauthorized response to such API calls.
The successful exploitation of CVE-2024-6235 allows attackers to gain full administrative control of affected NetScaler Console instances.

A unique log entry acts as a red flag for exploitation attempts:
This debug message was not observed during normal operation and appears only during exploitation, making it a reliable indicator of compromise (IOC).
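As an added defender-side example (not code from the Rapid7 report or from Citrix), the snippet below checks a NetScaler Console version string against the fixed release named above and triages constructed web access-log lines for requests to the leaking endpoint, distinguishing a 200 (session ID handed out on an unpatched host) from the 401 a patched host returns. The Apache-style log format, the sample addresses and the assumption that version components compare numerically are all assumptions made for the example; it does not reproduce the debug message the report mentions.

```python
import re

# Endpoint that leaked an admin session ID on unpatched NetScaler Console (from the report above).
LEAK_ENDPOINT = "/internal/v2/config/mps_secret/ADM_SESSIONID"
# First release the report names as returning 401 Unauthorized for this call.
FIXED_VERSION = "14.1-25.53"

# Assumed access-log layout (Apache common log style); adjust the pattern to your own source.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" (?P<status>\d{3})'
)

# Constructed sample lines: one leak, one blocked attempt, one unrelated request.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jul/2024:12:00:01 +0000] "GET /internal/v2/config/mps_secret/ADM_SESSIONID HTTP/1.1" 200 64',
    '203.0.113.7 - - [10/Jul/2024:12:00:02 +0000] "GET /internal/v2/config/mps_secret/ADM_SESSIONID HTTP/1.1" 401 0',
    '198.51.100.4 - - [10/Jul/2024:12:00:03 +0000] "GET /admin_ui/ HTTP/1.1" 200 5120',
]


def parse_version(version):
    """Turn '14.1-25.53' (optionally prefixed with 'v') into a comparable tuple (14, 1, 25, 53).
    Assumes every component is a plain integer and that numeric order equals release order."""
    return tuple(int(part) for part in re.split(r"[.\-]", version.lstrip("v")))


def is_vulnerable(version):
    """True when the console build predates the fixed release named in the advisory."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def triage(lines):
    """Return (source, status, verdict) for every request that touched the leaking endpoint.
    A 200 means the session ID was returned; a 401 is the patched behaviour; anything else needs review."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        path = match.group("path").split("?", 1)[0]  # ignore any query string
        if path != LEAK_ENDPOINT:
            continue
        status = int(match.group("status"))
        verdict = "session-id-leaked" if status == 200 else "blocked" if status == 401 else "review"
        hits.append((match.group("src"), status, verdict))
    return hits


if __name__ == "__main__":
    for build in ("14.1-8.50", "14.1-25.53", "14.1-29.63"):
        print(build, "vulnerable" if is_vulnerable(build) else "fixed")
    for hit in triage(SAMPLE_LOG):
        print(hit)
```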
Citrix has addressed this vulnerability in NetScaler Console version 14.1-25.53, released in July 2024. Organizations using vulnerable versions are strongly advised to update to the patched version immediately and implement a robust patch management strategy. Additionally, the report advises against exposing NetScaler Console instances to the public internet.