What is Citrix NetScaler ADC and NetScaler Gateway?
Citrix NetScaler ADC (Application Delivery Controller) and NetScaler Gateway are widely deployed network appliances that provide SSL VPN remote access, load balancing, application delivery, and web application firewall capabilities. NetScaler Gateway is widely used by enterprises and government agencies to give remote users access to internal applications, replacing or complementing a traditional VPN. Because NetScaler Gateway is internet-facing and brokers access to internal network resources, vulnerabilities in it are high-value targets for threat actors seeking initial access to enterprise networks, and Citrix NetScaler entries recur in CISA's Known Exploited Vulnerabilities (KEV) catalog.
Overview
CVE-2023-6549 is a pre-authentication buffer overflow in Citrix NetScaler ADC and NetScaler Gateway that lets an unauthenticated remote attacker trigger a denial-of-service condition. It only affects appliances configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, or RDP Proxy) or as an AAA virtual server; an ADC used purely for load balancing is out of scope. Citrix patched it alongside the companion CVE-2023-6548 (an authenticated code-injection RCE on the management interface) in a January 2024 out-of-band advisory, and CISA added both to KEV the following day. The vector has no confidentiality impact (C:N) and only low integrity impact (I:L), so availability (A:H) is the primary impact; for a VPN gateway that employees depend on for remote access, an outage is still operationally severe.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| NetScaler ADC and NetScaler Gateway 14.1 | Before 14.1-12.35 | 14.1-12.35 |
| NetScaler ADC and NetScaler Gateway 13.1 | Before 13.1-51.15 | 13.1-51.15 |
| NetScaler ADC and NetScaler Gateway 13.0 | Before 13.0-92.21 | 13.0-92.21 |
| NetScaler ADC 13.1-FIPS | Before 13.1-37.176 | 13.1-37.176 |
| NetScaler ADC 12.1-FIPS | Before 12.1-55.302 | 12.1-55.302 |
| NetScaler ADC 12.1-NDcPP | Before 12.1-55.302 | 12.1-55.302 |
Note: the standard NetScaler ADC and NetScaler Gateway 12.1 release line is end-of-life and receives no fix; only the 12.1-FIPS and 12.1-NDcPP builds listed above are patched. Organizations on standard 12.1 must upgrade to a supported release line.
This bulletin applies only to customer-managed appliances. Citrix-managed cloud services are not affected and need no action.
Technical Details
CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer). The appliance terminates SSL/TLS and parses application protocols on its Gateway and AAA virtual servers, including the ICA (Independent Computing Architecture) protocol used for Citrix Virtual Apps and Desktops connectivity. A buffer overflow in that processing path lets an unauthenticated attacker send crafted traffic to the virtual server that writes past a memory buffer and crashes the NetScaler process, denying service to every session the appliance carries. The advisory does not describe the overflowed buffer or the triggering input.
The configuration prerequisite (Gateway or AAA virtual server) narrows the attack surface compared with a universal pre-auth RCE, but Gateway and AAA are exactly the configurations used on internet-facing NetScaler appliances, so most exposed deployments are in scope.
CVE-2023-6549 was patched together with CVE-2023-6548, an authenticated code-injection RCE that requires access to the management interface, in the same advisory. Citrix reported in-the-wild exploitation of both, which prompted CISA to add them to KEV the following day.
Discovery
Identified by security researchers who reported both CVE-2023-6548 and CVE-2023-6549 to Citrix. Citrix acknowledged in-the-wild exploitation of both vulnerabilities at the time of the advisory.
Exploitation Context
CISA added the CVE to KEV on January 17, 2024, the day after the Citrix advisory, reflecting confirmed active exploitation. Citrix NetScaler appliances were the subject of mass exploitation campaigns throughout 2023, most notably "Citrix Bleed" (CVE-2023-4966) in late 2023, and the January 2024 advisory continued that pattern: threat actors scan for internet-accessible NetScaler appliances and exploit new vulnerabilities within days of disclosure. A DoS against a VPN gateway that employees need for remote work is significant business disruption in its own right, which is why organizations were pushed to patch urgently even though this CVE does not yield code execution.
Remediation
- Apply patches per Citrix Security Bulletin CTX584986: upgrade to the fixed build for your appliance's release line (see the Affected Versions table) immediately. There is no configuration workaround for the DoS; only the firmware update fixes it.
- The same firmware update also fixes the companion CVE-2023-6548 (code injection). Until it is applied, keep the management interface off the internet and on a segregated network, as Citrix recommends for that CVE.
- Upgrade from standard NetScaler ADC/Gateway 12.1 (end-of-life, no fix available) to a supported release line.
- Monitor appliance availability: unexpected reboots, process restarts, or core dumps on an unpatched Gateway/AAA appliance should be treated as a potential exploitation indicator, and the appliance patched immediately.
- Review appliance logs for unusual traffic to the Gateway/AAA virtual servers and for crash events around the January 2024 disclosure window.
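The two prerequisites above (an unpatched build and a Gateway or AAA virtual server) are easy to get wrong by hand across a fleet, so here is an added triage script that is not part of the Citrix bulletin or of this page's original content. It encodes the fixed builds from the Affected Versions table, parses the `show ns version` banner and `show running` configuration, and reports whether an appliance is actually exposed to CVE-2023-6549. The banner format (`NetScaler NS13.1: Build 50.23.nc, ...`), the `add vpn vserver` / `add authentication vserver` directives, and the sample inputs are assumptions and constructed data, not output captured from a real appliance; FIPS/NDcPP variants are supplied by the caller from inventory rather than inferred.

```python
import re
from typing import Dict, List, Tuple

# Fixed builds from Citrix CTX584986 (the Affected Versions table above).
# Key: (release line, variant); variant is "" for standard ADC/Gateway builds.
FIXED_BUILDS: Dict[Tuple[str, str], Tuple[int, int]] = {
    ("14.1", ""): (12, 35),
    ("13.1", ""): (51, 15),
    ("13.0", ""): (92, 21),
    ("13.1", "FIPS"): (37, 176),
    ("12.1", "FIPS"): (55, 302),
    ("12.1", "NDcPP"): (55, 302),
}

# Standard 12.1 is end-of-life: vulnerable, with no fixed build to compare against.
EOL_RELEASES = {("12.1", "")}

# Assumed shape of the `show ns version` banner (an assumption about the CLI
# output, not something the advisory states), e.g.
#   "NetScaler NS13.1: Build 50.23.nc, Date: Oct 27 2023, 18:44:51   (64-bit)"
_VERSION_RE = re.compile(
    r"NS(?P<release>\d+\.\d+):\s*Build\s+(?P<major>\d+)\.(?P<minor>\d+)"
)

# Directives that put an appliance in scope: a Gateway (VPN vserver, which
# ICA Proxy, CVPN and RDP Proxy all run on) or an AAA (authentication) vserver.
_IN_SCOPE_RE = re.compile(
    r"^\s*add (vpn|authentication) vserver\s+(\S+)", re.MULTILINE
)


def parse_ns_version(show_version_output: str) -> Tuple[str, Tuple[int, int]]:
    """Return (release, (build_major, build_minor)) from `show ns version` text."""
    m = _VERSION_RE.search(show_version_output)
    if m is None:
        raise ValueError("no 'NSx.y: Build a.b' string found in output")
    return m.group("release"), (int(m.group("major")), int(m.group("minor")))


def assess(release: str, build: Tuple[int, int], variant: str = "") -> str:
    """Classify one appliance as 'patched', 'vulnerable' or 'eol'.

    `variant` is "" for standard builds, "FIPS" or "NDcPP" otherwise; this
    example does not try to infer it from the banner.
    """
    key = (release, variant)
    if key in EOL_RELEASES:
        return "eol"
    if key not in FIXED_BUILDS:
        raise ValueError(f"unknown release line {release} {variant or 'standard'}")
    # Builds compare as integer pairs, so 50.23 < 51.15 and 37.9 < 37.176.
    return "patched" if build >= FIXED_BUILDS[key] else "vulnerable"


def in_scope_vservers(running_config: str) -> List[Tuple[str, str]]:
    """List (kind, name) for every VPN or AAA vserver in `show running` output."""
    return [(m.group(1), m.group(2)) for m in _IN_SCOPE_RE.finditer(running_config)]


def triage(show_version_output: str, running_config: str, variant: str = "") -> Dict:
    """Combine the version and configuration checks into one verdict.

    'exposed' is True only when the firmware is unpatched AND a Gateway or AAA
    vserver exists, i.e. both CVE-2023-6549 prerequisites hold. An unpatched
    appliance with no such vserver still needs the update (CVE-2023-6548 ships
    in the same firmware) but is not exposed to this DoS.
    """
    release, build = parse_ns_version(show_version_output)
    status = assess(release, build, variant)
    vservers = in_scope_vservers(running_config)
    return {
        "release": release,
        "build": build,
        "status": status,
        "in_scope_vservers": vservers,
        "exposed": status != "patched" and bool(vservers),
    }


# Constructed sample output, not captured from a real appliance.
SAMPLE_VERSION = "NetScaler NS13.1: Build 50.23.nc, Date: Oct 27 2023, 18:44:51   (64-bit)"
SAMPLE_CONFIG = """\
add lb vserver lb_intranet HTTP 10.0.0.10 80
add vpn vserver gw_remote SSL 203.0.113.10 443
add authentication vserver aaa_portal SSL 203.0.113.11 443
"""

if __name__ == "__main__":
    print(triage(SAMPLE_VERSION, SAMPLE_CONFIG))
```

Feed it the two command outputs collected from each appliance (over SSH or from a configuration backup); anything that comes back `exposed: True` goes to the front of the patch queue, and anything `eol` has no fixed build and must change release line.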
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2023-6549 |
| Vendor / Product | Citrix — NetScaler ADC and NetScaler Gateway |
| NVD Published | 2024-01-17 |
| NVD Last Modified | 2026-02-26 |
| CVSS 3.1 Score | 8.2 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H |
| Severity | HIGH |
| CWE | CWE-119 |
| CISA KEV Added | 2024-01-17 |
| CISA KEV Deadline | 2024-02-07 |
| Known Ransomware Use | No |
CVSS 3.1 Breakdown
| Metric | Value | Meaning for this CVE |
|---|---|---|
| Attack Vector | Network (AV:N) | Reachable over the network via the Gateway/AAA virtual server listener |
| Attack Complexity | Low (AC:L) | No special conditions beyond the in-scope configuration |
| Privileges Required | None (PR:N) | Pre-authentication |
| User Interaction | None (UI:N) | No victim action needed |
| Scope | Unchanged (S:U) | Impact confined to the appliance itself |
| Confidentiality | None (C:N) | No data disclosure |
| Integrity | Low (I:L) | Limited integrity impact |
| Availability | High (A:H) | Appliance denial-of-service; this drives the 8.2 score |
Required Action
Apply mitigations per vendor instructions (upgrade to the fixed build in CTX584986 for the appliance's release line) or discontinue use of the product if mitigations are unavailable, by the 2024-02-07 BOD 22-01 deadline.
Timeline
| Date | Event |
|---|---|
| 2024-01-16 | Citrix releases CTX584986 patching CVE-2023-6548 (RCE) and CVE-2023-6549 (DoS buffer overflow) — in-the-wild exploitation confirmed for both |
| 2024-01-17 | CISA adds both CVE-2023-6548 and CVE-2023-6549 to the Known Exploited Vulnerabilities catalog, the day after the Citrix advisory |
| 2024-02-07 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Citrix Security Bulletin CTX584986 — CVE-2023-6548 and CVE-2023-6549 | Vendor Advisory |
| NVD — CVE-2023-6549 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |