25% off all training courses Offer ends May 29, 2026
View HIPAA Courses
Learner Login Learner Support
Learner Login Learner Support
25% off all training courses
View HIPAA Courses
Offer ends May 29, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Citrix Patches 2 Actively Exploited NetScaler ADC and Gateway Zero Days

Posted By on Jan 19, 2024

Two zero-day vulnerabilities have been identified in customer-managed Citrix NetScaler Application Delivery Controller and NetScaler Gateway devices that are being exploited in the wild. The vulnerabilities are present in the NetScaler management interface can be exploited in unpatched devices that are exposed to the Internet.

The Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerabilities to its Known Exploited Vulnerabilities Catalog, and while attacks have been limited, CISA warns that the vulnerabilities are frequent attack vectors for malicious cyber actors and exploitation is likely to increase in the coming days. In December, Citrix released an advisory about a vulnerability dubbed CitrixBleed (CVS-2023-4966) which has been extensively exploited by ransomware groups. As such, CISA has advised all federal agencies to ensure the patches are applied as soon as possible and at most within a week.

The two recently disclosed zero-day bugs are unrelated to CitrixBleed.  CVE-2023-6549 is a high-severity buffer overflow vulnerability with a CVSS base score of 8.2. The flaw can be exploited in a denial-of-service attack. CVE-2023-6548 is a medium-severity code injection vulnerability with a CVSS base score of 5.5, which can be exploited to achieve remote code execution. In order to exploit the latter, an attacker would need to be authenticated but only requires low-level privileges.

The vulnerabilities are far less severe than CitrixBleed, nonetheless, customers have been advised to promptly apply the patches as the vulnerabilities are under active exploitation. Proof-of-concept exploit code is not believed to have been publicly released but that is likely to happen soon and exploitation will increase considerably.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

The vulnerabilities are present in the following NetScaler ADC and NetScaler Gateway versions:

  • NetScaler ADC and NetScaler Gateway 14.1 before 14.1-12.35
  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-51.15
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.21
  • NetScaler ADC 13.1-FIPS before 13.1-37.176
  • NetScaler ADC 12.1-FIPS before 12.1-55.302
  • NetScaler ADC 12.1-NDcPP before 12.1-55.302

Citrix has released patches to fix both vulnerabilities and has suggested a workaround if that is not possible.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist