● Critical · CVSS 9.8 ⚠ ACTIVELY EXPLOITED — CISA KEV

How to Fix CVE-2023-3519: Citrix NetScaler ADC and Gateway Unauthenticated RCE

*By Sai Kiran Pandrala*

⚡ At a glance

Severity: CVSS 9.8, Critical
Actively exploited? Yes, zero-day used against US critical infrastructure. CISA published a dedicated cybersecurity advisory (AA23-201A).
Affected: NetScaler ADC and NetScaler Gateway versions before 13.1-49.13, 13.0-91.13, and earlier 12.1 / 11.1 builds (12.1 and 11.1 are EOL)
Fixed in: NetScaler ADC/Gateway 13.1-49.13, 13.0-91.13 (and later) per Citrix CTX561482
Type (CWE): Unauthenticated Remote Code Execution

⚠️ Treat as a forensic event, not just a patch. Exploited as a zero-day before disclosure. CISA documented that one US critical-infrastructure organization had its NetScaler compromised in June 2023, weeks before the patch.

What is CVE-2023-3519?

NetScaler ADC and NetScaler Gateway (formerly Citrix ADC / Citrix Gateway) have an unauthenticated remote code execution vulnerability that requires the appliance to be configured as a Gateway (VPN, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server. An attacker who can reach that virtual server can send a crafted request and execute code on the appliance.

Mandiant's research documented use of this CVE by a suspected China-nexus actor to drop web shells on NetScaler appliances at US defense industrial base targets. The web shells gave persistent access for credential harvesting and lateral movement deep into the target environments.

Am I affected?

You are affected if you run NetScaler ADC or NetScaler Gateway at a build below the fixed version AND have a Gateway or AAA virtual server configured.

Check your NetScaler version from the CLI:

```
show version
```

Or in the GUI: System → Settings → version shown at the top.

If you have any Gateway virtual server in your configuration, the vulnerable code path is reachable:

```
show vpn vserver
show aaa vserver
```

Any output here means you have the affected configuration.
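The two checks above can be turned into a single triage script that reads the output of `show ns version`, `show vpn vserver` and `show aaa vserver` and applies the page's rule (vulnerable build AND a Gateway/AAA virtual server). This is an added example, not Citrix tooling or code from the original page; it assumes the `show ns version` first-line format "NetScaler NS13.1: Build 48.47.nc, Date: ..." and that vserver listings number each entry as "1) name ...", and it only knows the fixed builds the page quotes (FIPS/NDcPP trains are reported as not covered).

```python
import re

FIXED_BUILDS = {"13.1": (49, 13), "13.0": (91, 13)}  # first fixed builds per CTX561482, as quoted on the page
EOL_TRAINS = {"12.1", "11.1"}  # EOL trains per the page: any build on them counts as affected
# Assumed first-line format of `show ns version`: "NetScaler NS13.1: Build 48.47.nc, Date: ..."
VERSION_RE = re.compile(r"NetScaler NS(?P<train>\d+\.\d+): Build (?P<build>\d+\.\d+)")
# Assumption: `show vpn vserver` / `show aaa vserver` list each configured vserver as "1) name ..."
VSERVER_LINE_RE = re.compile(r"^\s*\d+\)\s+\S+", re.MULTILINE)


def parse_version(show_ns_version_output):
    """Return (train, (build_major, build_minor)), or None if the output is unrecognised."""
    m = VERSION_RE.search(show_ns_version_output)
    if not m:
        return None
    return m.group("train"), tuple(int(x) for x in m.group("build").split("."))

def is_vulnerable_build(train, build):
    """True if the build predates the fix, False if fixed, None if this train is not covered here."""
    if train in EOL_TRAINS:
        return True
    fixed = FIXED_BUILDS.get(train)
    if fixed is None:
        return None  # e.g. FIPS/NDcPP trains: consult the bulletin directly
    return build < fixed  # tuple compare: (48, 47) < (49, 13) is True, (50, 1) < (49, 13) is False

def count_vservers(show_vserver_output):
    # Count configured virtual servers in `show vpn vserver` or `show aaa vserver` output.
    return len(VSERVER_LINE_RE.findall(show_vserver_output))

def assess(version_output, vpn_output, aaa_output):
    """Apply both conditions from the page: vulnerable build AND a Gateway/AAA vserver configured."""
    parsed = parse_version(version_output)
    if parsed is None:
        return "unknown: could not parse version"
    train, build = parsed
    vulnerable = is_vulnerable_build(train, build)
    if vulnerable is None:
        return f"unknown: train {train} not covered here, check CTX561482"
    if not vulnerable:
        return "fixed build"
    exposed = count_vservers(vpn_output) + count_vservers(aaa_output)
    if exposed == 0:
        return "vulnerable build but no Gateway/AAA vserver configured: patch anyway"
    return f"VULNERABLE: {exposed} Gateway/AAA vserver(s) expose the flaw, patch now and run the IoC hunt"

if __name__ == "__main__":
    # Constructed sample output, not captured from a real appliance.
    version = "NetScaler NS13.1: Build 48.47.nc, Date: Apr 17 2023, 01:04:05   (64-bit)"
    vpn = "1)\tgw_vs (10.0.0.5:443) - SSL\tType: CONTENT\tState: UP\n Done\n"
    print(assess(version, vpn, " Done\n"))
```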

How to fix CVE-2023-3519

  1. Open Citrix bulletin CTX561482 and CISA advisory AA23-201A for the exact fixed build and forensic guidance.
  2. Download the patched NetScaler firmware from Citrix Downloads for your model (MPX, VPX, SDX) and train.
  3. Back up the running configuration, then copy the saved file off the appliance:

     ```
     save ns config
     shell cp /nsconfig/ns.conf /var/tmp/ns.conf.pre-upgrade   # then scp this copy off-box
     ```

  4. Schedule a maintenance window. NetScaler upgrades reload the appliance, so expect 5-10 minutes of unavailability.
  5. Apply the firmware via the GUI or CLI install procedure documented in CTX561482.
  6. For HA pairs, upgrade the secondary first, fail over, then upgrade the formerly primary node.

Forensic IoC hunt (CRITICAL)

Per CISA AA23-201A and Mandiant research, any NetScaler running an affected build with a Gateway/AAA virtual server during June-July 2023 should be assumed compromised. Specific IoCs: see the indicator list in CISA AA23-201A.

If any IoC is present, rotate every credential the NetScaler held (LDAP/AD bind accounts, RADIUS shared secrets, certificate private keys, admin passwords), and consider rebuilding the appliance from a known-good firmware install rather than just patching in place.

Upgrade the Citrix ADC / NetScaler

```
# Confirm the running build
show ns version

# Stage the patched build from the Citrix advisory: https://support.citrix.com/article/CTX561482/citrix-adc-and-citrix-gateway-security-bulletin-for-cve20233519-cve20233466-cve20233467
shell scp <admin>@<filesvr>:/<patched-build>.tgz /var/nsinstall/
shell tar -xzf /var/nsinstall/<patched-build>.tgz -C /var/nsinstall/
shell /var/nsinstall/installns -Y

# After reboot
show ns version
```

Verify the fix landed

```
# 1. Confirm the running version matches the fixed-in build from the advisory:
#    https://support.citrix.com/article/CTX561482/citrix-adc-and-citrix-gateway-security-bulletin-for-cve20233519-cve20233466-cve20233467
show ns version

# 2. Re-scan with your vulnerability scanner (Nessus/Tenable, Qualys, OpenVAS).
#    The scanner should no longer flag CVE-2023-3519 on the patched target.

# 3. Check the appliance logs for install errors, crash loops or rollback events.
#    NetScaler runs on FreeBSD: there is no journalctl, so use the NetScaler syslog and dmesg.
shell tail -n 100 /var/log/ns.log
shell dmesg | tail -n 50
```

If you can't patch immediately

```
# Vendor advisory: https://support.citrix.com/article/CTX561482/
disable vpn vserver <name>
disable aaa vserver <name>
```

These are stopgap controls only: disabling the virtual servers takes the Gateway/AAA service offline and does not replace the patch.

How to verify the fix worked

  1. show version shows the patched build.
  2. Re-enable Gateway/AAA virtual servers if you disabled them.
  3. Run a vulnerability scan against the Gateway URL. CVE-2023-3519 detection should clear.
  4. The IoC hunt above must come back clean (or be remediated).

Frequently asked questions

Is CVE-2023-3519 actively exploited?

Yes. CVE-2023-3519 is on the CISA Known Exploited Vulnerabilities catalog, so federal civilian agencies are required to patch by the published deadline. Most enterprises treat the same date as the practical floor.

What is the CVSS severity of CVE-2023-3519?

Critical (CVSS 9.8). See the advisory for the full CVSS vector.

Where can I read the official advisory?

See https://support.citrix.com/article/CTX561482/

Does the patch require a reboot?

Yes. A NetScaler firmware upgrade reloads the appliance, so plan a maintenance window and expect 5-10 minutes of unavailability (see the upgrade steps above). Check the Citrix release notes for any additional post-upgrade steps.

References


*This guide was assembled from Citrix CTX561482, CISA advisory AA23-201A, NVD record, and CISA KEV listing on 2026-05-25. Always confirm against Citrix's bulletin before applying changes in production.*
