How to find Citrix NetScaler

by Pearce Barry

Earlier this week, Citrix alerted customers to three vulnerabilities in its NetScaler ADC and NetScaler Gateway products. Surfaced by researchers at Resillion, these vulnerabilities include a critical flaw currently being exploited in the wild to give attackers unauthenticated remote code execution on vulnerable NetScaler targets (CVE-2023-3519). Compromised organizations include a critical infrastructure entity in the U.S., where attackers gained access last month and successfully exfiltrated Active Directory data. And at the time of publication, there appear to be over 5,000 public-facing vulnerable NetScaler targets.

What are Citrix NetScaler ADCs and Gateways?

NetScaler Application Delivery Controller (ADC), formerly known as Citrix ADC, acts in a number of capacities to ensure reliable application delivery to users. This can include load balancing across application servers, off-loading of certain operations, security protections, and policy enforcement.

NetScaler Gateway, formerly known as Citrix Gateway, provides single sign-on (SSO) from any device to multiple applications through a single URL.

What is the impact?

The three reported vulnerabilities affecting NetScaler ADC and Gateway products are of different types, and each has different preconditions for exploitation:

  • Unauthenticated remote code execution (CVE-2023-3519; CVSS score 9.8 - “critical”)
    • Successful exploitation requires the NetScaler target be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, or RDP Proxy) or “authentication, authorization, and auditing” (AAA) virtual server.
  • Reflected cross-site scripting (XSS) (CVE-2023-3466; CVSS score 8.3 - “high”)
    • Successful exploitation requires the victim to be on the same network as the vulnerable NetScaler target when the victim loads a malicious link (planted by the attacker) in their web browser.
  • Privilege escalation to root administrator (nsroot) (CVE-2023-3467; CVSS score 8.0 - “high”)
    • Successful exploitation requires an attacker having achieved command-line access on a vulnerable NetScaler target.

U.S.-based CISA has reported attackers exploiting CVE-2023-3519 to install webshells used in further network exploration and data exfiltration, causing CVE-2023-3519 to be added to CISA’s Known Exploited Vulnerabilities Catalog. Other common attacker goals, like establishing persistence, lateral movement, and malware deployment, are potential outcomes following successful exploitation.

Are updates available?

Citrix has made patched firmware updates available. Admins should update older firmware on vulnerable NetScaler devices as soon as possible.

CISA has also made additional information available around indicators of compromise and mitigations.

How do I find potentially vulnerable NetScaler instances with runZero?

From the Asset inventory, use the following prebuilt query to locate NetScaler instances in your network:

hw:netscaler or os:netscaler

NetScaler asset query

Results from the above query should be triaged to verify whether they are affected ADC or Gateway products and whether they are running updated firmware versions.
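One way to support that triage is to check whether an appliance's saved configuration defines a Gateway or AAA virtual server, the precondition listed above for CVE-2023-3519. The following is an added example, not runZero or Citrix code; it assumes ns.conf declares these with `add vpn vserver` and `add authentication vserver`, and the function names and sample configuration are constructed for illustration.

```python
import shlex

# Assumption: ns.conf declares Gateway virtual servers with "add vpn vserver"
# and AAA virtual servers with "add authentication vserver".
EXPOSING_KINDS = {
    ("vpn", "vserver"): "Gateway (VPN virtual server)",
    ("authentication", "vserver"): "AAA virtual server",
}

# Constructed sample config (documentation addresses), not from a real appliance.
SAMPLE_NS_CONF = """\
set ns hostName adc-lab-01
add lb vserver lb_web HTTP 192.0.2.20 80
add authentication vserver aaa_portal SSL 0.0.0.0
add vpn vserver "corp gateway" SSL 192.0.2.10 443 -icaOnly ON
add vpn vserver old_gw SSL 192.0.2.11 443 -state DISABLED
"""


def find_exposing_vservers(conf_text):
    """Return one record per Gateway or AAA virtual server defined in conf_text."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tokens = shlex.split(line)  # keeps quoted names with spaces intact
        except ValueError:
            continue  # unbalanced quoting: not a line this check can read
        if len(tokens) < 4 or tokens[0].lower() != "add":
            continue
        kind = EXPOSING_KINDS.get((tokens[1].lower(), tokens[2].lower()))
        if kind is None:
            continue
        # Collect "-option value" pairs; state is reported, not used to clear a host.
        opts = {tokens[i].lower(): tokens[i + 1]
                for i in range(4, len(tokens) - 1) if tokens[i].startswith("-")}
        findings.append({"line": lineno, "kind": kind, "name": tokens[3],
                         "state": opts.get("-state", "ENABLED").upper()})
    return findings


def meets_precondition(conf_text):
    """True if any Gateway or AAA virtual server is defined."""
    return bool(find_exposing_vservers(conf_text))


if __name__ == "__main__":
    for f in find_exposing_vservers(SAMPLE_NS_CONF):
        print(f"line {f['line']}: {f['kind']} {f['name']!r} state={f['state']}")
```

An appliance with no findings does not match the stated precondition for CVE-2023-3519, but the other two vulnerabilities have different preconditions, so the firmware check still applies.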

You can also use the following query in your Software and Services inventory pages to locate NetScaler software:


NetScaler software query

Results from the above query should be triaged to verify whether they are affected ADC or Gateway products and whether they are updated versions.

As always, any prebuilt queries are available from your runZero console. Check out the documentation for other useful inventory queries.

Written by Pearce Barry

Pearce Barry is a Director of Security Research at runZero. Barry joined runZero in June 2021, having worked on the Metasploit Project for the four years prior. Now, Pearce leads research efforts at runZero, which include creating and improving fingerprints, adding to protocols, enhancing scanning logic, and writing queries.
