On July 18, 2023, Citrix published a security bulletin for three vulnerabilities affecting NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway. The most critical was CVE-2023-3519, a code injection vulnerability with a CVSS score of 9.8 that allowed unauthenticated remote code execution. By the time the patch dropped, attackers had already been exploiting it in the wild.
The Vulnerability
CVE-2023-3519 is a code injection flaw in Citrix NetScaler ADC and Gateway when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server. The vulnerability exists in the handling of specific requests to the appliance, allowing an unauthenticated attacker to execute arbitrary code on the device.
The affected versions included:
- NetScaler ADC and Gateway 13.1 before 13.1-49.13
- NetScaler ADC and Gateway 13.0 before 13.0-91.13
- NetScaler ADC 13.1-FIPS before 13.1-37.159
- NetScaler ADC 12.1-FIPS before 12.1-55.297
- NetScaler ADC 12.1-NDcPP before 12.1-55.297
NetScaler ADC and Gateway version 12.1, which had reached end of life, was also vulnerable but would not receive a patch.
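As an added example (not from the original post or from Citrix), the bulletin's affected-version list can be turned into a check that an asset inventory runs against each appliance's build string. It accepts the bulletin's own "13.1-48.47" style and, as an assumption, the line printed by the NetScaler CLI `show version`; the `-FIPS`/`-NDcPP` suffix convention is also an assumption for this script.

```python
"""Classify a NetScaler ADC/Gateway build against the CVE-2023-3519 bulletin."""
import re

# Minimum fixed builds from the bulletin, keyed by (release, variant).
# Variant is "" for standard builds; 12.1 standard is EOL and gets no fix.
FIXED_BUILDS = {
    ("13.1", ""): (49, 13),
    ("13.0", ""): (91, 13),
    ("13.1", "FIPS"): (37, 159),
    ("12.1", "FIPS"): (55, 297),
    ("12.1", "NDcPP"): (55, 297),
}
EOL_RELEASES = {"12.1"}

# Bulletin style, e.g. "13.1-48.47" or "12.1-55.291-FIPS" (suffix is our convention).
BULLETIN_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)(?:-(FIPS|NDcPP))?$")
# CLI style as printed by `show version` (format assumed here), e.g.
# "NetScaler NS13.1: Build 48.47.nc, Date: Jul 10 2023"; variant is passed separately.
CLI_RE = re.compile(r"NS(\d+\.\d+): Build (\d+)\.(\d+)")


def parse_build(text, variant=""):
    """Return (release, (build, minor), variant) from either string style."""
    m = BULLETIN_RE.match(text.strip())
    if m:
        release, build, minor, suffix = m.groups()
        return release, (int(build), int(minor)), suffix or variant
    m = CLI_RE.search(text)
    if m:
        release, build, minor = m.groups()
        return release, (int(build), int(minor)), variant
    raise ValueError(f"unrecognised NetScaler version string: {text!r}")


def assess(text, variant=""):
    """'patched', 'vulnerable', 'vulnerable-eol' (no fix will ship) or 'unknown'."""
    release, build, variant = parse_build(text, variant)
    fixed = FIXED_BUILDS.get((release, variant))
    if fixed is None:
        return "vulnerable-eol" if release in EOL_RELEASES else "unknown"
    # Tuple comparison: build number first, then the minor number.
    return "patched" if build >= fixed else "vulnerable"
```

The FIPS and NDcPP builds have their own fixed-build thresholds, so the variant must be known; a 13.1-FIPS box on build 37.159 is patched while a standard 13.1 box would need 49.13.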
Exploitation Timeline
The exploitation of CVE-2023-3519 began before Citrix's public disclosure. Reports indicate that threat actors were exploiting the vulnerability as early as June 2023, giving them roughly a month of undetected access.
June 2023: Initial exploitation begins. Attackers deploy web shells on compromised NetScaler appliances to maintain persistent access.
July 18, 2023: Citrix publishes security bulletin CTX561482, urging immediate patching.
July 19, 2023: CISA adds CVE-2023-3519 to the Known Exploited Vulnerabilities (KEV) catalog and issues an alert detailing observed exploitation against a critical infrastructure organization.
July 21, 2023: CISA releases detailed indicators of compromise and forensic analysis guidance.
August 2023: The Shadowserver Foundation reports that thousands of Citrix NetScaler appliances remain unpatched, with hundreds confirmed as having web shells deployed.
How the Attacks Worked
The typical attack chain observed in the wild followed this pattern:
Step 1: Exploitation. Attackers sent specially crafted requests to the vulnerable NSIP (NetScaler IP) to achieve code execution. The exploit did not require authentication, making it trivially exploitable once a working proof-of-concept was developed.
Step 2: Web shell deployment. Once code execution was achieved, attackers dropped PHP web shells into the web-accessible directories of the NetScaler appliance. These web shells provided persistent access even if the vulnerability was later patched.
Step 3: Discovery and lateral movement. From the compromised NetScaler appliance, attackers performed Active Directory enumeration using tools like ad.py and collected data from the NetScaler configuration, including encrypted passwords and session tokens.
Step 4: Data exfiltration. In the CISA-reported incident, attackers exfiltrated Active Directory data and attempted to move laterally to domain controllers. The NetScaler appliance's position at the network edge, combined with its role in VPN authentication, gave attackers access to credentials and session data for the entire organization.
The Scale of the Problem
Citrix NetScaler appliances sit at the network edge of thousands of enterprises and government agencies worldwide. Shodan scans in July 2023 identified over 15,000 NetScaler appliances exposed to the internet, many running vulnerable versions.
The Shadowserver Foundation's scan in August found approximately 2,000 NetScaler appliances that had been backdoored with web shells. Fox-IT (part of NCC Group) later published research indicating that the number was even higher, identifying over 2,400 compromised servers.
Critically, many organizations that patched their appliances did not check for existing compromises. Patching closes the door, but it doesn't evict an attacker who's already inside.
CISA's Response
CISA's involvement was notable for its speed and detail. The agency published:
- An advisory with detailed forensic findings from a real incident at a critical infrastructure organization
- Indicators of compromise including file hashes, IP addresses, and detection signatures
- Guidance for checking whether a NetScaler appliance had been compromised
- Recommendations for incident response if compromise was confirmed
CISA also ordered all federal civilian agencies to patch or mitigate the vulnerability by August 9, 2023, through its Binding Operational Directive (BOD) 22-01.
Lessons Learned
Network edge devices are prime targets. VPN gateways, load balancers, and other network appliances are exposed to the internet by design. A pre-authentication vulnerability in these devices gives attackers a foothold inside the network perimeter without any user interaction.
Patching alone is insufficient after active exploitation. Organizations that patched CVE-2023-3519 without checking for web shells or other indicators of compromise left backdoors in place. Post-patch forensic analysis is essential.
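One way to do that post-patch check, as an added example that is not from the original post or from CISA's tooling: a triage script modelled on CISA's advice to look for files written under the web-accessible directories after the last install date, run over a copy or mount of the appliance file system rather than the live box. The directory list, the patch timestamp and the sample tree are constructed for illustration.

```python
"""Post-patch compromise triage of a NetScaler file tree, modelled on CISA's
guidance to look for files written after the last install date."""
import os
import tempfile
from datetime import datetime, timezone

# Web-accessible directories CISA's advisory singles out, relative to the appliance root.
WEB_ROOTS = ("netscaler/ns_gui", "var/vpn", "var/netscaler/logon")


def files_newer_than(root, since):
    """Yield relative paths of regular files under WEB_ROOTS modified after `since`."""
    for sub in WEB_ROOTS:
        for dirpath, _, names in os.walk(os.path.join(root, sub)):
            for name in names:
                full = os.path.join(dirpath, name)
                if os.path.isfile(full) and os.path.getmtime(full) > since:
                    yield os.path.relpath(full, root)


def triage(root, patch_time):
    """Group findings by priority; an empty dict means nothing was flagged."""
    new_files = sorted(files_newer_than(root, patch_time))
    php = [p for p in new_files if p.endswith(".php")]
    other = [p for p in new_files if not p.endswith(".php")]
    findings = {}
    if php:
        findings["new_php"] = php      # web shell candidates: inspect these first
    if other:
        findings["new_files"] = other  # dropped configs, themes, staging files
    return findings


def build_sample_tree():
    """Constructed example tree (not a real appliance): returns (root, patch_time)."""
    root = tempfile.mkdtemp(prefix="ns-triage-")
    patch_time = datetime(2023, 7, 20, tzinfo=timezone.utc).timestamp()
    before, after = patch_time - 30 * 86400, patch_time + 3600
    samples = {
        "netscaler/ns_gui/vpn/index.html": before,     # shipped file, untouched
        "netscaler/ns_gui/vpn/login.php": before,      # shipped PHP, old mtime
        "netscaler/ns_gui/vpn/unexpected.php": after,  # PHP written after patching
        "var/vpn/themes/notes.txt": after,             # non-PHP written after patching
    }
    for rel, mtime in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("placeholder\n")
        os.utime(full, (mtime, mtime))  # set the constructed modification time
    return root, patch_time
```

Timestamps alone are a first pass: an attacker who arrived before the patch and touched nothing afterwards is not caught by this, so the mtime comparison should also be run against the last install date before patching, as CISA's guidance does.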
End-of-life software creates unacceptable risk. NetScaler ADC 12.1 was vulnerable and received no patch. Organizations running EOL software on their network perimeter are accepting a level of risk that most can't afford.
Asset inventory is foundational. You can't patch what you don't know about. Many organizations discovered NetScaler appliances they didn't know were running during the response to CVE-2023-3519.
How Safeguard.sh Helps
Safeguard.sh helps organizations maintain continuous visibility into their software and infrastructure inventory, including network appliances like Citrix NetScaler. Our platform cross-references your asset inventory against the CISA Known Exploited Vulnerabilities catalog and vendor security bulletins in real time, ensuring you're alerted the moment a critical vulnerability is disclosed for software in your environment. Safeguard.sh also tracks end-of-life software across your infrastructure, flagging assets that will no longer receive security updates before they become liabilities.