⚠ Actively exploited

Added to CISA KEV on 2024-01-17. Federal agencies required to patch by 2024-02-07. Required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable..

CVE-2023-6549 — Improper Restriction of Operations within the Bounds of a Memory Buffer in Software Group Netscaler ADC

CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-94 — Code Injection16 documents10 sources

Severity

7.5HIGHNVD

VulnCheck8.2VulnCheck5.5

EPSS

76.5%

top 1.06%

CISA KEV

KEV

Added 2024-01-17

Due 2024-02-07

Exploit

Exploited in wild

Active exploitation observed

Affected products

Cloud Software Group Netscaler ADC Citrix Netscaler Application Delivery Controller Citrix Netscaler Gateway +4 more

Timeline

PublishedJan 17

KEV addedJan 17

KEV dueFeb 7

Latest updateJul 2

CISA Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Description

Improper Restriction of Operations within the Bounds of a Memory Buffer in NetScaler ADC and NetScaler Gateway allows Unauthenticated Denial of Service and Out-Of-Bounds Memory Read

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages8 packages

▶NVDcitrix/netscaler_gateway13.0 — 13.0-92.21+2

▶citrixcitrix/netscaler_gateway

▶CVEListV5cloud_software_group/netscaler_adc14.1 — 12.35+5

▶NVDcitrix/netscaler_application_delivery_controller12.1 — 12.1-55.302+4

▶citrixcitrix/netscaler_adc

🔴Vulnerability Details

VulnCheck

Citrix NetScaler ADC and NetScaler Gateway Buffer Overflow Vulnerability↗2023

▶

VulnCheck

Citrix NetScaler ADC and NetScaler Gateway Code Injection Vulnerability↗2023

▶

💥Exploits & PoCs

Nuclei

Citrix Netscaler ADC & Gateway - Out-Of-Bounds Memory Read

▶

🔍Detection Rules

Suricata

ET WEB_SPECIFIC_APPS Citrix Netscaler ADC & Gateway Unauthenticated Out-of-Bounds Memory Read (CVE-2023-6549)↗2025-07-02

▶

📋Vendor Advisories

CISA

Citrix NetScaler ADC and NetScaler Gateway Buffer Overflow Vulnerability↗2024-01-17

▶

Citrix

NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2023-6548 and CVE-2023-6549↗2024-01-16

▶

🕵️Threat Intelligence

Tenable

Verizon 2025 DBIR: Tenable Research Collaboration Shines a Spotlight on CVE Remediation Trends↗2025-04-23

▶

Tenable

Cybersecurity Snapshot: CISA Calls for Stamping Out Buffer Overflow Vulnerabilities, as Europol Tells Banks To Prep For Quantum Threat↗2025-02-14

▶

Bleepingcomputer

Citrix warns admins to manually mitigate PuTTY SSH client bug↗2024-05-09

▶

Wiz

Crying Out Cloud - February Newsletter | Wiz↗2024-02-01

▶

Bleepingcomputer

CISA pushes federal agencies to patch Citrix RCE within a week↗2024-01-17

▶