CVE-2023-6548
published 2024-01-17CVE-2023-6548: Improper Control of Generation of Code ('Code Injection') in NetScaler ADC and NetScaler Gateway allows an attacker with access to NSIP, CLIP or SNIP with…
PriorityP185high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
KEVITW
CISA Known Exploited Vulnerabilitydue 2024-01-24
Exploited in the wild
EPSS
3.19%
86.5th percentile
Improper Control of Generation of Code ('Code Injection') in NetScaler ADC and NetScaler Gateway allows an attacker with access to NSIP, CLIP or SNIP with management interface to perform Authenticated (low privileged) remote code execution on Management Interface.
Affected
22 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| citrix | citrix_adc | — | — |
| citrix | citrix_gateway | — | — |
| citrix | netscaler_adc | — | — |
| citrix | netscaler_application_delivery_controller | >= 12.1 < 12.1-55.302 | 12.1-55.302 |
| citrix | netscaler_application_delivery_controller | >= 13.0 < 13.0-92.21 | 13.0-92.21 |
| citrix | netscaler_application_delivery_controller | >= 13.1 < 13.1-37.176 | 13.1-37.176 |
| citrix | netscaler_application_delivery_controller | >= 13.1 < 13.1-51.15 | 13.1-51.15 |
| citrix | netscaler_application_delivery_controller | >= 14.1 < 14.1-12.35 | 14.1-12.35 |
| citrix | netscaler_gateway | — | — |
| citrix | netscaler_gateway | >= 13.0 < 13.0-92.21 | 13.0-92.21 |
| citrix | netscaler_gateway | >= 13.1 < 13.1-51.15 | 13.1-51.15 |
| citrix | netscaler_gateway | >= 14.1 < 14.1-12.35 | 14.1-12.35 |
| citrix | xenserver | — | — |
| cloud_software_group | netscaler_adc | >= 12.1-FIPS < 55.302 | 55.302 |
| cloud_software_group | netscaler_adc | >= 12.1-NDcPP < 55.302 | 55.302 |
| cloud_software_group | netscaler_adc | >= 13.0 < 92.21 | 92.21 |
| cloud_software_group | netscaler_adc | >= 13.1 < 51.15 | 51.15 |
| cloud_software_group | netscaler_adc | >= 13.1-FIPS < 37.176 | 37.176 |
| cloud_software_group | netscaler_adc | >= 14.1 < 12.35 | 12.35 |
| cloud_software_group | netscaler_gateway | >= 13.0 < 92.21 | 92.21 |
| cloud_software_group | netscaler_gateway | >= 13.1 < 51.15 | 51.15 |
| cloud_software_group | netscaler_gateway | >= 14.1 < 12.35 | 12.35 |
Detection & IOCsextracted from sources · hover to see the quote
- →CVE-2023-6548 requires the attacker to be authenticated with low-level privileges and have access to NSIP, CLIP, or SNIP with management interface access — detection should focus on unusual authenticated activity originating from management interface IPs (NSIP/CLIP/SNIP) ↗
- →Monitor for exploitation attempts against the NetScaler management interface specifically; the management interface should not be internet-exposed and traffic to it should be separated physically or logically from normal network traffic ↗
- →Alert on any internet-facing NetScaler management interfaces; Shadowserver data indicates ~1,500 management interfaces are exposed on the internet and are high-priority targets ↗
- →Confirmed in-the-wild exploitation as a zero-day — treat any unpatched NetScaler ADC/Gateway instance running versions before 14.1-12.35, 13.1-51.15, 13.0-92.21, 13.1-FIPS 13.1-37.176, 12.1-FIPS 12.1-55.302, or 12.1-NDcPP 12.1-55.302 as actively targeted ↗
- →Prioritize detection and patching for appliances configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server, as these configurations are specifically targeted ↗
- ·Only customer-managed NetScaler appliances are affected; Citrix-managed cloud services and Citrix-managed Adaptive Authentication are NOT impacted ↗
- ·NetScaler ADC and NetScaler Gateway version 12.1 is End of Life (EOL) and will not receive patches; customers must upgrade to a supported version ↗
- ·No public proof-of-concept exploit code was available at initial disclosure, but historical exploitation patterns for Citrix NetScaler suggest PoC may emerge quickly ↗
- ·CISA mandated FCEB agencies patch CVE-2023-6548 by January 24, 2024 (expedited 1-week deadline vs. the standard 3-week window applied to the companion CVE-2023-6549) ↗
CVSS provenance
nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vulncheck8.2HIGH
cisa8.8HIGH
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-w4rw-v3mm-hj8h: [PROBLEMTYPE] in [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] on [PLATFORMS] allows [ATTACKER] to [IMPACT] via [VECTOR]
ghsa_unreviewed·2024-01-17
CVE-2023-6548 [MEDIUM] CWE-94 GHSA-w4rw-v3mm-hj8h: [PROBLEMTYPE] in [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] on [PLATFORMS] allows [ATTACKER] to [IMPACT] via [VECTOR]
[PROBLEMTYPE] in [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] on [PLATFORMS] allows [ATTACKER] to [IMPACT] via [VECTOR]
VulnCheck
Citrix NetScaler ADC and NetScaler Gateway Buffer Overflow Vulnerability
vulncheck·2023·CVSS 8.2
CVE-2023-6549 [HIGH] CWE-119 Citrix NetScaler ADC and NetScaler Gateway Buffer Overflow Vulnerability
Citrix NetScaler ADC and NetScaler Gateway Buffer Overflow Vulnerability
Citrix NetScaler ADC and NetScaler Gateway contain a buffer overflow vulnerability that allows for a denial-of-service when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.
Affected: Citrix NetScaler ADC and NetScaler Gateway
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://support.citrix.com/article/CTX584986/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20236548-and-cve20236549; https://www.tenable.com/blog/cve-2023-6548-cve-2023-6549-zero-day-vulnerabilities-netscaler-adc-gateway-exploited; https://www.cisa.gov/sites/default/files/feeds/known_
VulnCheck
Citrix NetScaler ADC and NetScaler Gateway Code Injection Vulnerability
vulncheck·2023·CVSS 5.5
CVE-2023-6548 [MEDIUM] CWE-94 Citrix NetScaler ADC and NetScaler Gateway Code Injection Vulnerability
Citrix NetScaler ADC and NetScaler Gateway Code Injection Vulnerability
Citrix NetScaler ADC and NetScaler Gateway contain a code injection vulnerability that allows for authenticated remote code execution on the management interface with access to NSIP, CLIP, or SNIP.
Affected: Citrix NetScaler ADC and NetScaler Gateway
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://support.citrix.com/article/CTX584986/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20236548-and-cve20236549; https://www.tenable.com/blog/cve-2023-6548-cve-2023-6549-zero-day-vulnerabilities-netscaler-adc-gateway-exploited; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabiliti
CISA
Citrix NetScaler ADC and NetScaler Gateway Code Injection Vulnerability
cisa·2024-01-17·CVSS 8.8
CVE-2023-6548 [HIGH] CWE-94 Citrix NetScaler ADC and NetScaler Gateway Code Injection Vulnerability
Vulnerability: Citrix NetScaler ADC and NetScaler Gateway Code Injection Vulnerability
Affected: Citrix NetScaler ADC and NetScaler Gateway
Citrix NetScaler ADC and NetScaler Gateway contain a code injection vulnerability that allows for authenticated remote code execution on the management interface with access to NSIP, CLIP, or SNIP.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://support.citrix.com/article/CTX584986/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20236548-and-cve20236549; https://nvd.nist.gov/vuln/detail/CVE-2023-6548
Remediation Due Date: 2024-01-24
Citrix
NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2023-6548 and CVE-2023-6549
vendor_citrix·2024-01-16·CVSS 8.8
CVE-2023-6548 [HIGH] CWE-119 NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2023-6548 and CVE-2023-6549
NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2023-6548 and CVE-2023-6549
Pre-requisites CWE CVE-2023-6548 Authenticated (low privileged) remote code execution on Management Interface Access to NSIP, CLIP or SNIP with management interface access CWE-94 CVE-2023-6549 Denial of Service and Out-Of-Bounds Memory Read Appliance must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server CWE-119
CVE References: CVE-2023-6548, CVE-2023-6549
Affected Products: Citrix ADC, Citrix Gateway, NetScaler ADC, NetScaler Gateway, XenServer
Severity: High
No detection rules found.
No public exploits indexed.
Tenable
Verizon 2025 DBIR: Tenable Research Collaboration Shines a Spotlight on CVE Remediation Trends
blogs_tenable·2025-04-23
Verizon 2025 DBIR: Tenable Research Collaboration Shines a Spotlight on CVE Remediation Trends
## Cloud Exposure
Tenable Cloud Security (CNAPP) Request a demo
Tenable Cloud Vulnerability Management Request a demo
Tenable CIEM Request a demo
Secure your cloud
## Vulnerability Exposure
Tenable Vulnerability Management Try for free
Tenable Security Center Request a demo
Tenable Web App Scanning Try for free
Tenable Patch Management Request a demo
Tenable Enclave Security Request a demo
Tenable Attack Surface Management Request a demo
Tenable Nessus Try for free
## AI Exposure
Tenable AI Exposure Request a demo
## OT/IoT Exposure
Tenable OT Security Request a demo
## Identity Exposure
Tenable Identity Exposure Request a demo
## Business needs
Active Directory
AI Security Posture Management (AI-SPM)
AWS security
Azure security
Cloud Security Posture Man
Bleepingcomputer
Citrix warns admins to manually mitigate PuTTY SSH client bug
blogs_bleepingcomputer·2024-05-09·CVSS 5.9
CVE-2024-31497 [MEDIUM] Citrix warns admins to manually mitigate PuTTY SSH client bug
## Citrix warns admins to manually mitigate PuTTY SSH client bug
## Sergiu Gatlan
Citrix notified customers this week to manually mitigate a PuTTY SSH client vulnerability that could allow attackers to steal a XenCenter admin's private SSH key.
XenCenter helps manage Citrix Hypervisor environments from a Windows desktop, including deploying and monitoring virtual machines.
The security flaw ( tracked as CVE-2024-31497 ) impacts multiple versions of XenCenter for Citrix Hypervisor 8.2 CU1 LTSR, which bundle and use PuTTY to make SSH connections from XenCenter to guest VMs when clicking the "Open SSH Console" button.
Citrix says that the PuTTY third-party component has been removed starting with XenCenter 8.2.6, and any versions after 8.2.7 will no longer include it.
"An issue has been
Wiz
Crying Out Cloud - February Newsletter | Wiz
blogs_wiz·2024-02-01·CVSS 9.8
CVE-2023-33246 [CRITICAL] Crying Out Cloud - February Newsletter | Wiz
This month we’ve seen a lot of action, with both vulnerabilities and security incidents that have left users affected. We bring you the latest cloud security highlights, to help you stay informed and stay secure. Let's dive in.
Here are our top picks!
## 🐞 High Profile Vulnerabilities
Apache RocketMQ RCE vulnerability exploited in-the-wild
In August 2023 researchers identified attackers exploiting CVE-2023-33246, a critical vulnerability in Apache RocketMQ, to install the DreamBus bot, a malware strain last reported about publicly in 2021. On January 5, 2024 Apache stated that the patch for CVE-2023-33246 was in fact insufficient, and an additional CVE was assigned to the bypass - CVE-2023-37582. The latter vulnerability is also being exploited in the wild, so it is recommended to patc
Checkpoint
22nd January – Threat Intelligence Report
blogs_checkpoint·2024-01-22
CVE-2023-34063 22nd January – Threat Intelligence Report
Latest Publications
CPR Podcast Channel
AI Research
Web 3.0 Security
Intelligence Reports
ThreatCloud AI
Threat Intelligence & Research
Zero Day Protection
Sandblast File Analysis
About Us
SUBSCRIBE
2026
2025
2024
2023
2022
2021
2020
2019
2018
2017
2016
## 22nd January – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 22nd January, please download our Threat_Intelligence Bulletin .
TOP ATTACKS AND BREACHES
Microsoft disclosed that they detected an attack against their systems by Russian state-sponsored actor known as Midnight Blizzard (aka Nobelium). The threat actor used a password spray attack to compromise a legacy non-production test tenant account and then accessed very small percentage of Microsoft corporate email acc
Bleepingcomputer
CISA pushes federal agencies to patch Citrix RCE within a week
blogs_bleepingcomputer·2024-01-17·CVSS 5.5
[MEDIUM] CISA pushes federal agencies to patch Citrix RCE within a week
## CISA pushes federal agencies to patch Citrix RCE within a week
## Sergiu Gatlan
Today, CISA ordered U.S. federal agencies to secure their systems against three recently patched Citrix NetScaler and Google Chrome zero-days actively exploited in attacks, pushing for a Citrix RCE bug to be patched within a week.
The cybersecurity agency added the flaws to its Known Exploited Vulnerabilities Catalog today, saying that such vulnerabilities are "frequent attack vectors for malicious cyber actors" that pose "significant risks to the federal enterprise."
Citrix urged customers on Tuesday to immediately patch Internet-exposed Netscaler ADC and Gateway appliances against the CVE-2023-6548 code injection vulnerability and the CVE-2023-6549 buffer overflow impacting the Netscaler management int
Bleepingcomputer
Citrix warns of new Netscaler zero-days exploited in attacks
blogs_bleepingcomputer·2024-01-16·CVSS 5.5
CVE-2023-6548 [MEDIUM] Citrix warns of new Netscaler zero-days exploited in attacks
## Citrix warns of new Netscaler zero-days exploited in attacks
## Sergiu Gatlan
Citrix urged customers on Tuesday to immediately patch Netscaler ADC and Gateway appliances exposed online against two actively exploited zero-day vulnerabilities.
The two zero-days (tracked as CVE-2023-6548 and CVE-2023-6549) impact the Netscaler management interface and expose unpatched Netscaler instances to remote code execution and denial-of-service attacks, respectively.
However, to gain code execution, attackers must be logged in to low-privilege accounts on the targeted instance and need access to NSIP, CLIP, or SNIP with management interface access.
Also, the appliances must be configured as a gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or an AAA virtual server to be vulnerable to Do
Tenable
CVE-2023-6548, CVE-2023-6549: Zero-Day Vulnerabilities Exploited in Citrix NetScaler ADC and NetScaler Gateway
blogs_tenable·2024-01-16·CVSS 5.5
[MEDIUM] CVE-2023-6548, CVE-2023-6549: Zero-Day Vulnerabilities Exploited in Citrix NetScaler ADC and NetScaler Gateway
## Cloud Exposure
Tenable Cloud Security (CNAPP) Request a demo
Tenable Cloud Vulnerability Management Request a demo
Tenable CIEM Request a demo
Secure your cloud
## Vulnerability Exposure
Tenable Vulnerability Management Try for free
Tenable Security Center Request a demo
Tenable Web App Scanning Try for free
Tenable Patch Management Request a demo
Tenable Enclave Security Request a demo
Tenable Attack Surface Management Request a demo
Tenable Nessus Try for free
## AI Exposure
Tenable AI Exposure Request a demo
## OT/IoT Exposure
Tenable OT Security Request a demo
## Identity Exposure
Tenable Identity Exposure Request a demo
## Business needs
Active Directory
AI Security Posture Management (AI-SPM)
AWS security
Azure security
Cloud Security Posture Man
https://support.citrix.com/article/CTX584986/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20236548-and-cve20236549https://support.citrix.com/article/CTX584986/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20236548-and-cve20236549https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-6548
2024-01-17
Published
2024-01-17
Added to CISA KEV
Exploited in the wild