CVE-2023-3519
CVE-2023-3519 is a critical-severity vulnerability in Citrix Netscaler Application Delivery Controller with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2023-07-19). The underlying weakness is classified as CWE-94.
Key facts
- Severity: Critical (CVSS 3.x base score 9.8)
- EPSS exploit prediction: 99% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2023-07-19)
- EU (EUVD) id: EUVD-2023-44176
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2023-07-19)
- Weakness: CWE-94
- Affected product: Citrix Netscaler Application Delivery Controller
- Published:
- Last modified:
Description
Unauthenticated remote code execution
CVE-2023-3519: Citrix ADC and NetScaler Gateway Unauthenticated RCE
AI-generated analysis based on the vulnerability data on this page.
| Attribute | Value |
|---|---|
| CVE | CVE-2023-3519 |
| CVSS 3.1 | 9.8 (CRITICAL) |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CWE | CWE-94: Improper Control of Generation of Code (Code Injection) |
| EPSS | 0.99445 (99.94th percentile) |
| KEV | Yes (CISA catalog, added 2023-07-19) |
| EUVD | EUVD-2023-44176 |
Summary
CVE-2023-3519 is a critical unauthenticated remote code execution vulnerability in Citrix ADC and NetScaler Gateway appliances. The flaw allows remote attackers to execute arbitrary code without credentials, exposing affected organizations to full system compromise.
Background
Citrix ADC (formerly NetScaler ADC) and NetScaler Gateway are widely deployed networking appliances for load balancing, application delivery, and secure remote access. In mid-2023, Citrix disclosed a critical security bulletin (CTX561482) addressing multiple vulnerabilities, including CVE-2023-3519, which has been exploited in the wild before and after disclosure.
Root Cause
The vulnerability is classified under CWE-94: Improper Control of Generation of Code (Code Injection). The affected gateway component fails to properly sanitize incoming requests, allowing an attacker to inject and execute arbitrary code on the appliance. This represents a failure in input validation and secure coding practices within the request handling logic.
Impact
The CVSS 3.1 score of 9.8 (CRITICAL) reflects the severity:
- Attack Vector (AV): Network — Exploitable remotely over the internet.
- Attack Complexity (AC): Low — No special conditions or advanced techniques required.
- Privileges Required (PR): None — Unauthenticated exploitation.
- User Interaction (UI): None — No user action needed.
- Scope (S): Unchanged — The vulnerable component is the impacted component.
- Confidentiality, Integrity, Availability (C/I/A): All High — Full compromise of the appliance, including data theft, configuration tampering, and service disruption.
Exploitation Walkthrough
Ethics and Legal Notice: This section describes the vulnerability mechanics at a high level for defensive awareness only. Attempting to exploit systems without explicit authorization is illegal and unethical.
The exploitation vector involves an unauthenticated attacker sending a specially crafted HTTP request to a vulnerable Citrix Gateway or ADC endpoint. The flaw allows the attacker to bypass authentication and execute arbitrary commands on the underlying operating system. Because the appliances often sit at the network perimeter and proxy traffic to internal resources, successful exploitation can pivot to the internal network.
Defensive teams should focus on:
- Monitoring for anomalous HTTP request patterns to gateway endpoints (e.g.,
/gw/,/vpn/). - Baseline network traffic from ADC appliances and alert on unexpected outbound connections.
- Review appliance logs for suspicious process execution or file system modifications.
Affected and Patched Versions
The available vulnerability data identifies the following product lines as affected:
- Citrix NetScaler Application Delivery Controller (ADC) — FIPS edition
- Citrix NetScaler Application Delivery Controller (ADC) — NDcPP edition
- Citrix NetScaler Application Delivery Controller (ADC) — standard edition
- Citrix NetScaler Gateway
Specific vulnerable and patched version ranges were not provided in the source data. Administrators should consult the Citrix security bulletin CTX561482 for authoritative version guidance and patch availability.
Remediation
- Patch Immediately: Apply the security updates provided by Citrix as detailed in bulletin CTX561482. Given the active exploitation status, patching should be treated as an emergency change.
- Compensating Controls: If immediate patching is not feasible:
- Place the appliance behind a Web Application Firewall (WAF) with virtual patching rules.
- Restrict gateway access to trusted IP ranges via network segmentation or VPN enforcement.
- Disable unnecessary gateway features and interfaces.
- Monitor for indicators of compromise using the detection guidance below.
- Post-Remediation: After patching, rotate all credentials and API keys stored or processed by the appliance, and conduct a forensic review to confirm the system was not compromised prior to remediation.
Detection
- Network: Monitor for abnormal HTTP requests containing unexpected characters or oversized payloads to gateway endpoints.
- Host: Alert on unexpected process execution (e.g., shell or script interpreters spawned by the gateway service) on the appliance.
- Behavioral: Look for outbound connections from the ADC to unexpected external IPs, which may indicate reverse shells or data exfiltration.
- Logs: Correlate gateway access logs with authentication events; the vulnerability is unauthenticated, so any successful gateway action without prior authentication may be suspicious.
Assessment
With an EPSS score of 0.99445 and inclusion in the CISA Known Exploited Vulnerabilities catalog (added 2023-07-19), this vulnerability presents an exceptionally high likelihood of active exploitation. The EUVD also lists it as exploited since 2023-07-19.
Key lessons:
- Perimeter appliances are high-value targets. A single unauthenticated RCE in a gateway device can bypass entire network security architectures.
- Speed matters. The gap between disclosure and exploitation was minimal; organizations must maintain emergency patching capabilities for edge infrastructure.
References
- http://packetstormsecurity.com/files/173997/Citrix-ADC-NetScaler-Remote-Code-Execution.html
- https://support.citrix.com/article/CTX561482/citrix-adc-and-citrix-gateway-security-bulletin-for-cve20233519-cve20233466-cve20233467
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-3519
Frequently asked questions
- What is CVE-2023-3519?
- Unauthenticated remote code execution
- How severe is CVE-2023-3519?
- CVE-2023-3519 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2023-3519 being actively exploited?
- Yes. CVE-2023-3519 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2023-07-19, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2023-3519?
- CVE-2023-3519 primarily affects Citrix Netscaler Application Delivery Controller. In total, 4 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2023-3519?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2023-3519 have an EU (EUVD) identifier?
- Yes. CVE-2023-3519 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2023-44176. It is also flagged as exploited in the EUVD (since 2023-07-19).
- When was CVE-2023-3519 published?
- CVE-2023-3519 was published on 2023-07-19 and last updated on 2026-06-17.
References
- http://packetstormsecurity.com/files/173997/Citrix-ADC-NetScaler-Remote-Code-Execution.html
- https://support.citrix.com/article/CTX561482/citrix-adc-and-citrix-gateway-security-bulletin-for-cve20233519-cve20233466-cve20233467
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-3519
Affected products (4)
- cpe:2.3:a:citrix:netscaler_application_delivery_controller:*:*:*:*:fips:*:*:*
- cpe:2.3:a:citrix:netscaler_application_delivery_controller:*:*:*:*:ndcpp:*:*:*
- cpe:2.3:a:citrix:netscaler_application_delivery_controller:*:*:*:*:-:*:*:*
- cpe:2.3:a:citrix:netscaler_gateway:*:*:*:*:*:*:*:*
More vulnerabilities in Citrix Netscaler Application Delivery Controller
- CVE-2014-2882 — Critical (CVSS 10.0): Unspecified vulnerability in the management GUI in Citrix NetScaler Application Delivery Controller (ADC) and NetScaler…
- CVE-2014-2881 — Critical (CVSS 10.0): Unspecified vulnerability in the Diffie-Hellman key agreement implementation in the management GUI Java applet in…
- CVE-2026-8655 — Critical (CVSS 9.8): Multiple Memory overflow vulnerabilities in NetScaler ADC and NetScaler Gateway leading to unpredictable or erroneous…
- CVE-2026-8452 — Critical (CVSS 9.8): Memory overflow vulnerability NetScaler ADC and NetScaler Gateway leading to unpredictable or erroneous behavior and…
- CVE-2026-3055 — Critical (CVSS 9.8): Insufficient input validation in NetScaler ADC and NetScaler Gateway when configured as a SAML IDP leading…
- CVE-2025-7776 — Critical (CVSS 9.8): Memory overflow vulnerability leading to unpredictable or erroneous behavior and Denial of Service in NetScaler ADC…
All CVEs affecting Citrix Netscaler Application Delivery Controller →
Other CWE-94 (Code Injection) vulnerabilities
- CVE-2026-57624 — Critical (CVSS 10.0): Unauthenticated Remote Code Execution (RCE) in Blocksy Companion Pro <= 2.1.46 versions.
- CVE-2026-10134 — Critical (CVSS 10.0): IBM Langflow OSS 1.0.0 through 1.9.3 allows an attacker to read every secret available to the Langflow process, read…
- CVE-2026-53576 — Critical (CVSS 10.0): Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, the authentication filter…
- CVE-2026-10561 — Critical (CVSS 10.0): IBM Langflow OSS 1.0.0 through 1.9.3 has an vulnerability due to an improper isolation of Python execution combined…
- CVE-2026-25470 — Critical (CVSS 10.0): Improper Control of Generation of Code ('Code Injection') vulnerability in ACPT ACPT (Pro) - Custom Post Types Plugin…
- CVE-2026-48836 — Critical (CVSS 10.0): Unauthenticated Remote Code Execution (RCE) in Easy Invoice <= 2.1.19 versions.