Connect with us

Hi, what are you looking for?



Citrix Patches Critical NetScaler ADC, Gateway Vulnerability

Citrix has released patches for a critical information disclosure vulnerability in NetScaler ADC and NetScaler Gateway.

Citrix on Tuesday announced patches for a critical-several vulnerability impacting multiple versions of NetScaler Application Delivery Controller (ADC) and NetScaler Gateway.

Tracked as CVE-2023-4966 (CVSS score of 9.4), the security defect could lead to sensitive information disclosure, the tech giant notes in an advisory.

According to Citrix, the issue can be exploited without authentication on appliances that are configured as a Gateway or an AAA virtual server.

The flaw affects NetScaler ADC and NetScaler Gateway versions 14.1, 13.1, 13.0, and NetScaler ADC 13.1-FIPS, 12.1-FIPS, and 12.1-NDcPP.

Citrix has released NetScaler ADC and NetScaler Gateway versions 14.1-8.50, 13.1-49.15, 13.0-92.19, and NetScaler ADC 13.1-FIPS 13.1-37.164, 12.1-FIPS 12.1-55.300, and 12.1-NDcPP 12.1-55.300 to address the vulnerability.

“NetScaler ADC and NetScaler Gateway version 12.1 is now End-of-Life (EOL) and is vulnerable. Customers are recommended to upgrade their appliances to one of the supported versions that address the vulnerabilities,” Citrix says.

The company also notes that only customer-managed NetScaler ADC and Gateway products are impacted and should be updated to a patched release.

The updates also address a high-severity denial-of-service (DoS) flaw – CVE-2023-4967, CVSS score of 8.2 – impacting products configured as gateways or AAA virtual servers.

Advertisement. Scroll to continue reading.

On Tuesday, Citrix also announced hotfixes for five vulnerabilities in Citrix Hypervisor 8.2 CU1 LTSR that could allow malicious code running in a guest VM to compromise the host, crash the host, crash another VM running on the host, or access information from code running on the same CPU core.

Four of these issues (CVE-2023-20588, CVE-2023-34324, CVE-2023-34326, and CVE-2023-3432) only impact systems running on AMD CPUs, while the fifth (CVE-2022-1304) can only be exploited when a host administrator uses a restore sub-option in the on-host xsconsole interface.

“Note that there is not a one-to-one correlation between these hotfixes and the addressed issues; we recommend that you always apply all of the hotfixes,” the tech giant’s advisory reads.

Citrix makes no mention of any of these vulnerabilities being exploited in the wild, but threat actors are known to have targeted publicly disclosed NetScaler ADC and Gateway vulnerabilities in malicious attacks.

The US cybersecurity agency CISA warns that attackers could exploit one of these vulnerabilities to take control of affected systems and encourages administrators to review Citrix’s advisories and apply the necessary patches.

Related: Credential Harvesting Campaign Targets Unpatched NetScaler Instances

Related: Exploitation of Citrix ShareFile Vulnerability Spikes as CISA Issues Warning

Related: Citrix Patches High-Severity Vulnerabilities in Windows, Linux Apps

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.