Citrix is alerting users of a critical security flaw in NetScaler Application Delivery Controller (ADC) and Gateway that it said is being actively exploited in the wild.
- NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13
- NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
- NetScaler ADC and NetScaler Gateway version 12.1 (currently end-of-life)
- NetScaler ADC 13.1-FIPS before 13.1-37.159
- NetScaler ADC 12.1-FIPS before 12.1-55.297, and
- NetScaler ADC 12.1-NDcPP before 12.1-55.297
The company did not give further details on the flaw tied to CVE-2023-3519 other than to say that exploits for the flaw have been observed on “unmitigated appliances.” However, successful exploitation requires the device to be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or authorization and accounting (AAA) virtual server.