PatchSiren

PatchSiren cyber security CVE debrief

CVE-2023-6548 Citrix CVE debrief

CVE-2023-6548 is a Citrix NetScaler ADC and NetScaler Gateway code injection vulnerability that CISA added to the Known Exploited Vulnerabilities catalog on 2024-01-17. Because it is in KEV, affected organizations should treat it as a high-priority issue and follow Citrix’s vendor guidance immediately; CISA says to apply mitigations per vendor instructions or discontinue use if mitigations are unavailable.

Vendor: Citrix
Product: NetScaler ADC and NetScaler Gateway
CVSS: Unknown
CISA KEV: Listed
Original CVE published: 2024-01-17
Original CVE updated: 2024-01-17
Advisory published: 2024-01-17
Advisory updated: 2024-01-17

Who should care

Administrators and security teams responsible for Citrix NetScaler ADC and NetScaler Gateway deployments, especially internet-facing appliances and the teams that manage patching, mitigation, and exposure review.

Technical summary

The supplied sources identify this issue as a code injection vulnerability in Citrix NetScaler ADC and NetScaler Gateway. CISA’s KEV listing confirms it is known to be exploited in the wild and directs defenders to use vendor mitigations or stop using the product if mitigations cannot be applied.

Defensive priority

Critical. KEV inclusion means active exploitation risk should be assumed and remediation should be accelerated to the shortest practical window.

Recommended defensive actions

  • Confirm whether any Citrix NetScaler ADC or NetScaler Gateway systems are in scope, including externally exposed instances.
  • Review Citrix’s security bulletin for CVE-2023-6548 and apply the vendor’s mitigations as soon as possible.
  • If mitigations are unavailable for a deployed instance, follow CISA guidance and discontinue use of the product.
  • Prioritize these systems ahead of routine maintenance because the vulnerability is listed in CISA’s Known Exploited Vulnerabilities catalog.
  • Increase monitoring around the affected appliances for unusual administrative activity or signs of compromise.
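As an added example (not part of this debrief, nor CISA or Citrix code), the following Python cross-references a KEV catalog record with an asset inventory to act on the scoping and prioritization bullets above. The KEV record is constructed using only the dates and action stated in this debrief, with the public CISA KEV JSON field names; the hostnames are hypothetical.

```python
import json
from datetime import date

# Constructed KEV-style record: field names follow the public CISA KEV JSON
# schema; values are limited to those stated in the debrief.
KEV_SAMPLE = json.dumps({"vulnerabilities": [{
    "cveID": "CVE-2023-6548",
    "vendorProject": "Citrix",
    "product": "NetScaler ADC and NetScaler Gateway",
    "dateAdded": "2024-01-17",
    "requiredAction": "Apply mitigations per vendor instructions or discontinue "
                      "use of the product if mitigations are unavailable.",
    "dueDate": "2024-01-24",
}]})

# Constructed asset inventory with hypothetical hostnames.
INVENTORY = [
    {"host": "gw-dmz-01.example", "product": "NetScaler Gateway", "internet_facing": True},
    {"host": "adc-int-02.example", "product": "NetScaler ADC", "internet_facing": False},
    {"host": "fw-edge-01.example", "product": "Other Firewall", "internet_facing": True},
]


def kev_entry(catalog_json, cve_id):
    """Return the KEV record for cve_id, or None if it is not listed."""
    entries = json.loads(catalog_json)["vulnerabilities"]
    return next((e for e in entries if e["cveID"] == cve_id), None)


def triage(catalog_json, cve_id, inventory, today_iso):
    """Rank inventory hosts whose product matches the KEV product string."""
    entry = kev_entry(catalog_json, cve_id)
    if entry is None:
        return []
    due = date.fromisoformat(entry["dueDate"])
    today = date.fromisoformat(today_iso)
    rows = []
    for asset in inventory:
        # Substring match of the deployed product against the KEV product field.
        if asset["product"].lower() not in entry["product"].lower():
            continue
        rows.append({
            "host": asset["host"],
            # Internet-facing appliances are remediated first (P1), internal ones P2.
            "priority": "P1" if asset["internet_facing"] else "P2",
            # Negative once the CISA due date has passed; overdue is then True.
            "days_to_due": (due - today).days,
            "overdue": today > due,
            "required_action": entry["requiredAction"],
        })
    return sorted(rows, key=lambda r: r["priority"])
```

Feed the live KEV JSON feed in place of KEV_SAMPLE and your CMDB export in place of INVENTORY to get a dated, prioritized list per appliance.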

Evidence notes

CISA’s Known Exploited Vulnerabilities entry for CVE-2023-6548 lists Citrix NetScaler ADC and NetScaler Gateway, marks the issue as a code injection vulnerability, sets the KEV dateAdded to 2024-01-17 and dueDate to 2024-01-24, and instructs defenders to apply vendor mitigations or discontinue use if mitigations are unavailable. The source notes reference the Citrix security bulletin at https://support.citrix.com/article/CTX584986/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20236548-and-cve20236549.

Official resources

CVE published 2024-01-17. CISA KEV date added 2024-01-17; due date 2024-01-24. This debrief uses those dates and does not infer earlier or later issue dates.