CVE-2023-3519
CRITICALSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
Unauthenticated remote code execution
AnalysisAI
Citrix NetScaler ADC and Gateway contain an unauthenticated remote code execution vulnerability exploited massively in summer 2023, with thousands of appliances compromised before patches were applied.
Technical ContextAI
The code injection vulnerability allows unauthenticated attackers to execute arbitrary code on NetScaler appliances through crafted requests. The flaw exists in the NSPPE (NetScaler Perl Processing Engine) and can be exploited remotely without credentials.
Affected ProductsAI
Citrix NetScaler ADC and Gateway (multiple versions)
RemediationAI
Apply Citrix patches. Assume compromise if running vulnerable versions during the exploitation window. Check for web shells, modified configurations, and unauthorized accounts. Rotate all credentials that transited the appliance.
Same weakness CWE-94 – Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today