CVE-2023-6548 — Citrix NetScaler ADC and NetScaler Gateway Code Injection Vulnerability

Citrix NetScaler ADC/Gateway — Authenticated Code Injection on Management Interface → RCE; January 2024 Zero-Day; CTX584986

What is Citrix NetScaler ADC and Gateway?

Citrix NetScaler ADC (Application Delivery Controller) and NetScaler Gateway (formerly Citrix Gateway, formerly NetScaler) are network appliances that provide application delivery, load balancing, SSL offloading, and SSL VPN remote access for enterprise networks. NetScaler ADC sits in front of application servers managing traffic, while NetScaler Gateway provides secure remote access to internal applications for remote workers. Both are widely deployed in large enterprise, government, healthcare, and financial environments. The management interfaces — NSIP (NetScaler IP, the primary appliance management address), CLIP (Cluster IP for cluster management), and SNIP (Subnet IP) — provide administrative access for configuring the appliance and are intended to be accessible only from trusted management networks, never from the internet.

Overview

CVE-2023-6548 is a code injection vulnerability (CWE-94) in the Citrix NetScaler ADC and NetScaler Gateway management interface that allows an authenticated attacker with access to the management plane to inject code and achieve remote code execution on the appliance. Citrix disclosed it in security bulletin CTX584986 on January 17, 2024 as an actively exploited zero-day; the CVE record was published and the entry added to the CISA KEV catalog on the same day. CVE-2023-6548 was disclosed alongside CVE-2023-6549, a denial-of-service vulnerability in the same appliances, and both are fixed by the same CTX584986 update.

The CVSS 3.1 score of 5.5 (Medium; vector AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) reflects the constrained preconditions: the management interface (NSIP/CLIP/SNIP) is adjacent-reachable only (not internet-accessible in a correctly configured deployment) and low-privilege authentication is required.

Affected Versions

Product                             Affected                   Fixed
NetScaler ADC and Gateway 14.1      Prior to 14.1-12.35        14.1-12.35
NetScaler ADC and Gateway 13.1      Prior to 13.1-51.15        13.1-51.15
NetScaler ADC and Gateway 13.0      Prior to 13.0-92.21        13.0-92.21
NetScaler ADC 13.1-FIPS             Prior to 13.1-37.176       13.1-37.176
NetScaler ADC 12.1-FIPS             Prior to 12.1-55.302       12.1-55.302
NetScaler ADC 12.1-NDcPP            Prior to 12.1-55.302       12.1-55.302

Note: NetScaler ADC and Gateway 12.1 (non-FIPS/non-NDcPP) reached end-of-life and is not receiving patches.

Technical Details

Code injection (CWE-94) occurs when user-supplied data is incorporated into a code context — such as a shell command, script, or interpreted language expression — without adequate sanitization, allowing the attacker to inject additional code that executes in the application's context. In CVE-2023-6548:

  • The vulnerability exists in the NetScaler ADC/Gateway management interface accessible via NSIP, CLIP, or SNIP addresses
  • An attacker whose network position allows reaching the management interface and who has authenticated to it (low privilege suffices, per PR:L) can submit crafted requests that inject code evaluated by the appliance's management plane
  • Successful exploitation achieves code execution with the privileges of the NetScaler management process, which runs at a high privilege level on the appliance OS

The AV:A (adjacent) constraint is critical: a correctly configured NetScaler deployment restricts management interface access to internal management networks or a dedicated out-of-band management VLAN. Organizations that have inadvertently exposed NSIP/CLIP/SNIP to broader networks, or where an attacker has already compromised the management network, face elevated risk.

Discovery

Citrix disclosed CVE-2023-6548 as an actively exploited zero-day — meaning attackers had access to a working exploit before Citrix published the patch. The simultaneous CVE publication, Citrix advisory, and CISA KEV addition on January 17, 2024 reflects a coordinated emergency disclosure. The one-week CISA remediation deadline (January 24) underscores the urgency Citrix and CISA attached to patching.

Exploitation Context

Citrix NetScaler appliances are high-value targets because they sit at critical network junctions — processing all application traffic and providing the SSL VPN gateway for remote access. Compromise of a NetScaler appliance provides:

  • Inspection and modification of all traffic flowing through the appliance (including decrypted SSL traffic)
  • Access to VPN user session credentials and authentication tokens
  • A privileged network position for lateral movement to backend application servers
  • Persistent access via backdoors or configuration changes that survive appliance reboots

The adjacent management interface access requirement does not eliminate risk for organizations where the management network has been compromised — attackers with access to a corporate network after phishing or initial access may be able to reach NetScaler management interfaces.

Remediation

  1. Apply the CTX584986 patches — upgrade to the fixed firmware versions listed above for your NetScaler ADC/Gateway version; the update patches both CVE-2023-6548 and CVE-2023-6549.
  2. Verify management interface network isolation — confirm that NSIP, CLIP, and SNIP are not accessible from untrusted networks, internet-facing segments, or general corporate LAN segments; restrict to dedicated management VLANs or out-of-band networks.
  3. Audit management interface access logs for unauthorized authentication attempts or unusual administrative actions that may indicate prior exploitation.
  4. Check for persistence mechanisms — review NetScaler configuration for unauthorized admin accounts, unexpected SSL certificates, or policy changes that could indicate compromise.
  5. Upgrade end-of-life versions — NetScaler ADC/Gateway 12.1 is end-of-life and will not receive patches; organizations running 12.1 should upgrade to a supported version.
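As an added example (not from Citrix or the CTX584986 bulletin), the following Python checker compares a NetScaler build string against the fixed builds in the Affected Versions table above, supporting remediation steps 1 and 5. The `show ns version` style output line it parses is a constructed sample, and the `variant` argument (standard/fips/ndcpp) is an assumption of this code, since the build string alone does not always identify the FIPS or NDcPP branch.

```python
"""Check a NetScaler ADC/Gateway build against the CVE-2023-6548 fixed builds."""
import re
from typing import Optional, Tuple

# Minimum fixed build per release branch, as listed in the CTX584986 table on
# this page. Key: (major.minor branch, variant); value: (build, point).
FIXED_BUILDS = {
    ("14.1", "standard"): (12, 35),
    ("13.1", "standard"): (51, 15),
    ("13.0", "standard"): (92, 21),
    ("13.1", "fips"): (37, 176),
    ("12.1", "fips"): (55, 302),
    ("12.1", "ndcpp"): (55, 302),
}
# 12.1 non-FIPS/non-NDcPP is end-of-life: no fixed build exists.
EOL_BRANCHES = {("12.1", "standard")}

# Accepts "13.1-51.15" (advisory form) and "NS13.1: Build 51.15.nc"
# (the form seen in 'show ns version' output; assumed layout).
_VERSION_RE = re.compile(r"(?:NS)?(\d+\.\d+)[-:]\s*(?:Build\s+)?(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[str, int, int]]:
    """Return (branch, build, point) from a version string, or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return m.group(1), int(m.group(2)), int(m.group(3))


def assess(text: str, variant: str = "standard") -> str:
    """Classify a build as patched / vulnerable / unknown for CVE-2023-6548."""
    parsed = parse_version(text)
    if parsed is None:
        return "unknown: could not parse version"
    branch, build, point = parsed
    if (branch, variant) in EOL_BRANCHES:
        return "vulnerable: end-of-life branch, no patch available; upgrade"
    fixed = FIXED_BUILDS.get((branch, variant))
    if fixed is None:
        return f"unknown: branch {branch} ({variant}) not in CTX584986 table"
    # Builds compare lexicographically as (build, point) tuples.
    if (build, point) >= fixed:
        return "patched"
    return (f"vulnerable: {branch}-{build}.{point} is below fixed build "
            f"{branch}-{fixed[0]}.{fixed[1]}")


if __name__ == "__main__":
    # Constructed sample line in the style of 'show ns version' output.
    sample = "NetScaler NS13.0: Build 90.12.nc, Date: Jan 1 2024"
    print(assess(sample))
```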

Key Details

CVE ID: CVE-2023-6548
Vendor / Product: Citrix — NetScaler ADC and NetScaler Gateway
NVD Published: 2024-01-17
NVD Last Modified: 2025-10-24
CVSS 3.1 Score: 5.5
CVSS 3.1 Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Severity: MEDIUM
CWE: CWE-94
CISA KEV Added: 2024-01-17
CISA KEV Deadline: 2024-01-24
Known Ransomware Use: No

CVSS 3.1 Breakdown

Attack Vector: Adjacent
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low

Required Action

CISA BOD 22-01 Deadline: 2024-01-24. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date        Event
2024-01-17  Citrix publishes CTX584986 disclosing CVE-2023-6548 and CVE-2023-6549 as actively exploited zero-days; CVE published and CISA KEV entry added on the same day
2024-01-24  CISA BOD 22-01 remediation deadline