Skip to main content

CVE-2023-3519

CRITICAL
Code Injection (CWE-94)
2023-07-19 secure@citrix.com
9.8
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Mar 26, 2026 - 11:19 vuln.today
Added to CISA KEV
Oct 24, 2025 - 13:42 cisa
CISA KEV
EUVD Exploitation Confirmed
Oct 24, 2025 - 13:42 euvd
EUVD KEV
PoC Detected
Oct 24, 2025 - 13:42 vuln.today
Public exploit code
CVE Published
Jul 19, 2023 - 18:15 nvd
CRITICAL 9.8

DescriptionNVD

Unauthenticated remote code execution

AnalysisAI

Citrix NetScaler ADC and Gateway contain an unauthenticated remote code execution vulnerability exploited massively in summer 2023, with thousands of appliances compromised before patches were applied.

Technical ContextAI

The code injection vulnerability allows unauthenticated attackers to execute arbitrary code on NetScaler appliances through crafted requests. The flaw exists in the NSPPE (NetScaler Perl Processing Engine) and can be exploited remotely without credentials.

Affected ProductsAI

Citrix NetScaler ADC and Gateway (multiple versions)

RemediationAI

Apply Citrix patches. Assume compromise if running vulnerable versions during the exploitation window. Check for web shells, modified configurations, and unauthorized accounts. Rotate all credentials that transited the appliance.

Share

CVE-2023-3519 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy