CVE-2023-6548
published 2024-01-17


Priority: P1 (85, high)
CVSS 3.1: 8.8 (High), AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA KEV: listed, due 2024-01-24
Exploited in the wild: yes
EPSS: 3.19% (86.5th percentile)
Improper Control of Generation of Code ('Code Injection') in NetScaler ADC and NetScaler Gateway allows an attacker with access to NSIP, CLIP or SNIP with management interface to perform Authenticated (low privileged) remote code execution on Management Interface.

Affected (22 ranges)

Vendor                Product                                     Version range             Fixed in
citrix                citrix_adc                                  (none listed)             -
citrix                citrix_gateway                              (none listed)             -
citrix                netscaler_adc                               (none listed)             -
citrix                netscaler_application_delivery_controller   >= 12.1 < 12.1-55.302     12.1-55.302
citrix                netscaler_application_delivery_controller   >= 13.0 < 13.0-92.21      13.0-92.21
citrix                netscaler_application_delivery_controller   >= 13.1 < 13.1-37.176     13.1-37.176
citrix                netscaler_application_delivery_controller   >= 13.1 < 13.1-51.15      13.1-51.15
citrix                netscaler_application_delivery_controller   >= 14.1 < 14.1-12.35      14.1-12.35
citrix                netscaler_gateway                           (none listed)             -
citrix                netscaler_gateway                           >= 13.0 < 13.0-92.21      13.0-92.21
citrix                netscaler_gateway                           >= 13.1 < 13.1-51.15      13.1-51.15
citrix                netscaler_gateway                           >= 14.1 < 14.1-12.35      14.1-12.35
citrix                xenserver                                   (none listed)             -
cloud_software_group  netscaler_adc                               >= 12.1-FIPS < 55.302     55.302
cloud_software_group  netscaler_adc                               >= 12.1-NDcPP < 55.302    55.302
cloud_software_group  netscaler_adc                               >= 13.0 < 92.21           92.21
cloud_software_group  netscaler_adc                               >= 13.1 < 51.15           51.15
cloud_software_group  netscaler_adc                               >= 13.1-FIPS < 37.176     37.176
cloud_software_group  netscaler_adc                               >= 14.1 < 12.35           12.35
cloud_software_group  netscaler_gateway                           >= 13.0 < 92.21           92.21
cloud_software_group  netscaler_gateway                           >= 13.1 < 51.15           51.15
cloud_software_group  netscaler_gateway                           >= 14.1 < 12.35           12.35

Reading the table: the two citrix 13.1 rows are two different branches, 13.1-FIPS (fixed in 13.1-37.176) and mainline 13.1 (fixed in 13.1-51.15), and a FIPS build number compared against the mainline threshold gives the wrong answer. The 12.1 row with fix 12.1-55.302 covers the 12.1-FIPS and 12.1-NDcPP branches only; mainline 12.1 is end of life and has no fixed build. The cloud_software_group rows list the build number alone, with the branch carried in the range column. Rows with no range are CPE product aliases without version data.

Detection & IOCs (extracted from sources)

  • CVE-2023-6548 requires an authenticated, low-privileged account and network reachability to the management interface (NSIP, CLIP or SNIP with management access enabled); detection should therefore focus on unusual authenticated activity against those addresses rather than on the VIPs that serve users
  • Monitor the NetScaler management interface specifically; it should not be internet-exposed, and traffic to it should be separated physically or logically from normal network traffic
  • Alert on any internet-facing NetScaler management interface; Shadowserver data indicated roughly 1,500 management interfaces exposed on the internet, and these are high-priority targets
  • Exploitation in the wild was confirmed before a fix was available (zero-day); treat any unpatched NetScaler ADC/Gateway appliance running a build before 14.1-12.35, 13.1-51.15, 13.0-92.21, 13.1-FIPS 13.1-37.176, 12.1-FIPS 12.1-55.302 or 12.1-NDcPP 12.1-55.302 as actively targeted
  • Appliances configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server are the ones also exposed to the companion CVE-2023-6549 from the same bulletin, so prioritize them for patching; CVE-2023-6548 itself depends on management-interface access, not on the Gateway/AAA configuration
  • Only customer-managed NetScaler appliances are affected; Citrix-managed cloud services and Citrix-managed Adaptive Authentication are not impacted
  • Mainline NetScaler ADC and NetScaler Gateway 12.1 is End of Life (EOL) and will not receive a fix; customers on it must upgrade to a supported release (the 12.1-FIPS and 12.1-NDcPP branches remain supported and are fixed in 12.1-55.302)
  • No public proof-of-concept exploit code was available at initial disclosure, but the history of Citrix NetScaler vulnerabilities suggests a PoC may emerge quickly
  • CISA added the CVE to its Known Exploited Vulnerabilities catalog and mandated that FCEB agencies patch by January 24, 2024, an expedited one-week deadline rather than the standard three-week window
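The Affected table and the bullets above describe the fix thresholds per branch, and the practical question for an inventory is which appliances fall below them. The following is an added example (not from this page, Citrix, or Cloud Software Group) that encodes the fixed builds from the table and classifies appliances from their version banner. The banner format it parses ("NetScaler NS13.1: Build 51.15.nc, ...", as printed by `show ns version`) is an assumption about the appliance's output, the hostnames and banners in the sample inventory are constructed for the example, and the FIPS/NDcPP variant is passed explicitly because the branch cannot be recovered from the release number alone (13.1 mainline is fixed at 51.15, 13.1-FIPS at 37.176).

```python
import re
from typing import Optional

# First fixed build per branch, copied from the Affected table above,
# keyed by branch -> (major, minor).
FIXED_BUILDS = {
    "12.1-FIPS": (55, 302),
    "12.1-NDcPP": (55, 302),
    "13.0": (92, 21),
    "13.1": (51, 15),
    "13.1-FIPS": (37, 176),
    "14.1": (12, 35),
}

# Mainline 12.1 is end of life and receives no fix for this CVE.
EOL_BRANCHES = {"12.1"}

# Assumed shape of the `show ns version` banner (illustrative, not taken
# from the page): "NetScaler NS13.1: Build 51.15.nc, Date: ..."
_VERSION_RE = re.compile(
    r"NS(?P<release>\d+\.\d+):\s*Build\s+(?P<major>\d+)\.(?P<minor>\d+)"
)


def parse_ns_version(banner: str):
    """Return (release, (major, minor)) from a version banner, or None."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return m.group("release"), (int(m.group("major")), int(m.group("minor")))


def assess_cve_2023_6548(banner: str, variant: Optional[str] = None) -> str:
    """Classify an appliance as 'fixed', 'vulnerable', 'eol-no-fix' or 'unknown'.

    `variant` is 'FIPS' or 'NDcPP' for the hardened branches. Their fixed
    builds differ from the mainline branch with the same release number, so
    a 13.1-FIPS appliance assessed without the variant is compared against
    the mainline threshold (51.15) and is reported vulnerable even at 37.176.
    """
    parsed = parse_ns_version(banner)
    if parsed is None:
        return "unknown"
    release, build = parsed
    branch = f"{release}-{variant}" if variant else release
    if branch in FIXED_BUILDS:
        return "fixed" if build >= FIXED_BUILDS[branch] else "vulnerable"
    if branch in EOL_BRANCHES:
        return "eol-no-fix"
    return "unknown"


def triage(inventory):
    """Group (hostname, banner, variant) tuples by status for patch prioritization."""
    out = {"vulnerable": [], "eol-no-fix": [], "fixed": [], "unknown": []}
    for host, banner, variant in inventory:
        out[assess_cve_2023_6548(banner, variant)].append(host)
    return out


# Constructed sample inventory; hostnames and banners are made up for the example.
SAMPLE_INVENTORY = [
    ("ns-edge-01", "NetScaler NS13.1: Build 51.14.nc, Date: Dec 1 2023", None),
    ("ns-edge-02", "NetScaler NS13.1: Build 51.15.nc, Date: Jan 8 2024", None),
    ("ns-gw-03", "NetScaler NS14.1: Build 12.35.nc, Date: Jan 8 2024", None),
    ("ns-fips-04", "NetScaler NS13.1: Build 37.150.nc, Date: Nov 1 2023", "FIPS"),
    ("ns-fips-05", "NetScaler NS13.1: Build 37.176.nc, Date: Jan 8 2024", "FIPS"),
    ("ns-old-06", "NetScaler NS12.1: Build 65.25.nc, Date: Oct 1 2023", None),
    ("ns-lab-07", "unexpected banner", None),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:12s} {', '.join(hosts) or '-'}")
```

The 'eol-no-fix' bucket is deliberately separate from 'vulnerable': those appliances cannot be patched in place and need a release upgrade, which is a different ticket than a build update. Anything that lands in 'unknown' (unparseable banner or a release the table does not list) should be checked by hand rather than assumed safe.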

CVSS provenance

NVD (v3.1): 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 8.2 HIGH
CISA: 8.8 HIGH