CVE-2023-3519

Warning

Exploit

EPSS 88.73%
Published 19.07.2023 18:15:11
Last modified 10.03.2025 20:46:43
Source secure@citrix.com
Teams watchlist Login
Open Login

Unauthenticated remote code execution

Affected products Warnungen 2 Metrics 3 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

Citrix ≫ Netscaler Application Delivery Controller SwEditionfips Version >= 12.1 < 12.1-55.297

Citrix ≫ Netscaler Application Delivery Controller SwEditionndcpp Version >= 12.1 < 12.1-55.297

Citrix ≫ Netscaler Application Delivery Controller SwEdition- Version >= 13.0 < 13.0-91.13

Citrix ≫ Netscaler Application Delivery Controller SwEditionfips Version >= 13.1 < 13.1-37.159

Citrix ≫ Netscaler Application Delivery Controller SwEdition- Version >= 13.1 < 13.1-49.13

Citrix ≫ NetScaler Gateway Version >= 13.0 < 13.0-91.13

Citrix ≫ NetScaler Gateway Version >= 13.1 < 13.1-49.13

19.07.2023: CISA Known Exploited Vulnerabilities (KEV) Catalog

Citrix NetScaler ADC and NetScaler Gateway Code Injection Vulnerability

Vulnerability

Citrix NetScaler ADC and NetScaler Gateway contains a code injection vulnerability that allows for unauthenticated remote code execution.

Description

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Required actions

18.07.2023: CERT.at Warnung

https://www.cert.at/de/warnungen/2023/7/sicherheitslucken-teil-kritisch-in-citrixnetscaler-adc-und-gateway-updates-verfugbar

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	88.73%	0.995

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
secure@citrix.com	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

http://packetstormsecurity.com/files/173997/Citrix-ADC-NetScaler-Remote-Code-Execution.html

Third Party Advisory

Exploit

VDB Entry

https://support.citrix.com/article/CTX561482/citrix-adc-and-citrix-gateway-security-bulletin-for-cve20233519-cve20233466-cve20233467

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2023-3519

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-3519

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-3519

EUVD