CISA as warned that there is a remote code execution (RCE) vulnerability in Citrix NetScaler which is being exploited by threat actors. They are dropping webshells to organization’s non-production environment and by gaining access they would be able to exfiltrate any Active Directory rata.
One of the affected organizations has reported that the threat actors attempted to move laterally to a domain controller but the network segmentation controls prevented them from accessing the domain controller. (After which the organization reported the activity to CISA and Citrix)
CISA has published an advisory which includes techniques,tactics and procedures to guard against this vulnerability. This vulnerability affects these versions of NetScaler ADC and NetScaler Gateway.
- NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13
- NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
- NetScaler ADC and NetScaler Gateway version 12.1, now end of life
- NetScaler ADC 13.1-FIPS before 13.1-37.159
- NetScaler ADC 12.1-FIPS before 12.1-65.36
- NetScaler ADC 12.1-NDcPP before 12.65.36
If the affected server is configured as Gateway VPN or authentication, authorization and auditing (AAA) virtual server then it can be exploited by this vulnerability. To prevent the exploitation of this vulnerability, upgrade to the latest version of NetScaler
Install the relevant updated version of NetScaler ADC and NetScaler Gateway as soon as
possible. See Citrix ADC and Citrix Gateway Security Bulletin for CVE-2023-3519, CVE-2023-
3466, CVE-2023-3467 for patch information.