The State of Citrix Zero-Day Vulnerabilities 2023
Tally Netzer
Critical zero-day Citrix CVE-2023-3519 is still being exploited two months after Citrix released a patch. IONIX research found that 19% of the CVE-2023-3519 vulnerabilities are still unmitigated in comparison to only 3% among IONIX customers. In addition, IONIX customers were able to resolve this critical risk three times faster.
Responding to critical zero-day vulnerabilities
Zero-day vulnerabilities represent a significant challenge for enterprises. Even when a patch is available and the vulnerability is a critical one, the time it takes for enterprises to patch them can vary widely. A case in point is the infamous Log4j vulnerability, which was leveraged to breach companies six and even 12 months later.
While not nearly as prevalent, Citrix CVE-2023-3519 offers another example of a critical vulnerability that has been weaponized and exploited in the wild. With the first victim reporting the breach to CISA and vendor in July 2023, Citrix quickly rose to the challenge and delivered a patch on July 18. Shortly after, on Aug 1, an exploit POC was published on GitHub and the race was truly on.
Two months later, IONIX research went back to survey the state of the Citrix Attack Surface. In this post we will chronicle Citrix vulnerabilities across the summer and fall of 2023. We will dive into details, timelines and where we are now – after two months.
Citrix CVE-2023-3519 and Other Citrix Vulnerabilities’ Patch
Summer of 2023 was a tough one for Citrix. NetScaler (referred to as Citrix ADC in previous versions) and Citrix Gateway appliances were plagued by multiple zero-day vulnerabilities. It started with two medium severity vulnerabilities in early May 2023, CVE-2023-24488 and CVE-2023-24487 (see the Citrix CVE chart below for more details).
Then, in July 2023 three additional, severe vulnerabilities were published. Vulnerability CVE-2023-3519 critical severity with 9.8 CVSS, and two high severity vulnerabilities CVE-2023-3466, CVE-2023-3467.
Citrix Exploit PoCs
In July 2023, the first victim, a critical infrastructure organization, came forward. The organization reported to CISA that threat actors may have exploited a zero-day vulnerability in NetScaler ADC to implant a webshell on their non-production NetScaler ADC appliance. Citrix confirmed that the actors exploited a zero-day vulnerability: CVE-2023-3519.
In August 2023, a PoC for CVE-2023-3519 was published on Github and the race intensified. Shortly after, following information about TTPs and IOCs from an additional victim and third parties, CISA published an update. This time, the threat actors implanted a webshell, gained root level access to the compromised system, and performed discovery against the Active Directory (AD).
Citrix Zero Day 2023 – Attack Surface Research
Starting from the initial release, IONIX research tracked the Citrix Attack Surface for IONIX customers and a sample of additional organizations. Over this time, the average attack surface was 4.5 instances per organization. The number of appliances for larger enterprises was in double digits with the largest ones having over 30 instances.
In the 2nd half of September, IONIX research re-analyzed the Citrix Attack Surface to verify that our customers have addressed their critical vulnerabilities. In addition, we wanted to examine the differences in close rates and the time to remediation.
The State of Citrix Vulnerabilities – Research Findings
Our research team found that among IONIX customers, only 3% of the Citrix CVEs remained open after 2 months. Among other organizations, the percentage of unmitigated CVEs was more than six times higher at 19%.
IONIX customers were also able to execute vulnerabilities assessments and resolve those vulnerabilities three times faster than other organizations. Mean time to resolution (MTTR) among our customers was 17 days on average in comparison to 56 days on average for other organizations.
| IONIX Customers | Other orgs* | |
| Still open | 3% | 19% |
| Days to close (average) | 17 | 56 |
*The results are based on a sample of organizations across multiple verticals and global representation.
Accelerating Zero Day Response
IONIX ASM provides our customers with a focused view of the zero-day attack surface. This allows them to identify all relevant assets across their entire attack surface inventory, filtered based on technology and versions (where possible).
The IONIX research team leverages published exploits and techniques to validate exploitability from the attacker’s point of view. With a clear view of the precise attack surface and actionable remediation steps for IT teams, IONIX ASM accelerates the response to zero days, helping to effectively mitigate these risks as they emerge.
Citrix ADC Vulnerability Timeline
- May 9, 2023 Citrix patch published in a security bulletin for CVE-2023-24487, CVE-2023-24488.
- July 4, 2023 A PoC was published for the vulnerability on github.
- July 18, 2023, Citrix patch published in a security bulletin for CVE-2023-3519, CVE-2023-3466, CVE-2023-3467.
- July 20, 2023 CISA Releases Cybersecurity Advisory on Threat Actors Exploiting Citrix CVE-2023-3519
- August 1, 2023, PoC was published for critical vulnerability CVE-2023-3519 on github.
- September 6, 2023 CISA Releases Update to Threat Actors Exploiting Citrix CVE-2023-3519 to Implant Webshells
Citrix CVE Descriptions and Details
| CVE ID | Description | Pre-requisites | CVSS |
| CVE-2023-24488 | Cross site scripting | Appliance must be configured as a Gateway (SSL VPN, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server | 6.1 |
| CVE-2023-24487 | Arbitrary file read | Access to NSIP or SNIP with management interface access | 6.3 |
| CVE-2023-3466 | Reflected Cross-Site Scripting (XSS) | Requires victim to access an attacker-controlled link in the browser while being on a network with connectivity to the NSIP | 8.3 |
| CVE-2023-3467 | Privilege Escalation to root administrator (nsroot) | Authenticated access to NSIP or SNIP with management interface access | 8 |
| CVE-2023-3519 | Unauthenticated remote code execution | Appliance must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server | 9.8 |
FAQ
What is Citrix CVE-2023-3519?
CVE-2023-3519 could allow an unauthenticated threat actor to trigger a stack buffer overflow in the NetScaler Packet Processing Engine (nsppe) process by sending a specially crafted HTTP GET request. Since the nsppe runs as root, successful exploitation would likely result in arbitrary code execution as the ‘root’.
What is Citrix Gateway?
Citrix Gateway is a full SSL VPN solution that provides users with access to network resources. With both full tunnel VPN as well as options for clientless VPN, users can access applications and data deployed on-premises, or in a cloud environment.
What is Citrix ADC?
Application delivery controllers (ADCs) are purpose- built networking appliances whose function is to improve the performance, security, and resiliency of application delivery.
Is Citrix ADC the same as NetScaler?
Although Citrix ADC is now NetScaler, older releases may still be referred to as Citrix ADC.
Citrix CVE – Are You Still Vulnerable?
Are you wondering if your organization is still exposed to CVE-2023-3519 exploits or other Citrix ADC CVEs? Request a free scan from IONIX and find out.
