Escalating privileges in Citrix ADC

Part of Citrix's solution line-up, Citrix ADC (originally, and since 2023 once again, named NetScaler ADC) is an application delivery controller and load balancing solution.

In March 2023, two of Resillion's ethical hackers (Jorren Geurts and Wouter Rijkbost) identified a vulnerability in Citrix ADC that allowed anyone with access to the management interface to escalate their privileges to root. Root access gives full control over the appliance: an attacker could read sensitive data passing through it, disrupt the business processes it serves, run arbitrary commands, install malware, and use the appliance as a foothold for further access into the network. The vulnerability was disclosed to Citrix on March 15, 2023 under their Responsible Disclosure program.

Read more about the vulnerability here: Resillion Citrix Vulnerability Report

On July 18, 2023, the following CVE was assigned: CVE-2023-3467.

Affected versions:

  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
  • NetScaler ADC 13.1-FIPS before 13.1-37.159
  • NetScaler ADC 12.1-FIPS before 12.1-55.297
  • NetScaler ADC 12.1-NDcPP before 12.1-55.297

Note: NetScaler ADC and NetScaler Gateway version 12.1 (the non-FIPS, non-NDcPP builds) is now End Of Life (EOL) and is vulnerable; no fixed 12.1 build exists for it, so those deployments need to move to a supported release.
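The affected-version list above is easy to misread when comparing builds by eye or with a plain string comparison (as a string, "49.9" sorts after "49.13", yet 49.9 is the older, vulnerable build). The following checker is an added example, not code from Resillion or Citrix: it encodes the advisory's fixed builds and answers whether a given build is still affected. It assumes version strings in the advisory's "release-build.minor" form (for example "13.1-49.13") and that the variant (standard, FIPS, NDcPP) is supplied by the operator; the `show ns version` banner shape it parses is also an assumption, labelled as such in the code.

```python
"""Check a NetScaler ADC / Gateway build against the CVE-2023-3467
affected ranges from the advisory above.

Added example, not Resillion's or Citrix's own code. Assumptions:
- version strings use the advisory's "<release>-<build>.<minor>" form;
- the variant (standard / FIPS / NDcPP) is known to the caller;
- the 'show ns version' banner looks like
  "NetScaler NS13.1: Build 49.13.nc, Date: ..." (assumed format).
"""
import re
from typing import Optional, Tuple

# First fixed build per (release, variant), taken from the advisory.
# A build is affected when it is strictly lower than the fixed build.
FIXED_BUILDS = {
    ("13.1", "standard"): (49, 13),
    ("13.0", "standard"): (91, 13),
    ("13.1", "FIPS"):     (37, 159),
    ("12.1", "FIPS"):     (55, 297),
    ("12.1", "NDcPP"):    (55, 297),
}

# Releases with no fix at all: every build is affected.
EOL_RELEASES = {("12.1", "standard")}

# "13.1-49.13" -> release "13.1", build (49, 13)
_VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")

# Assumed banner shape: "NetScaler NS13.1: Build 49.13.nc, Date: ..."
_BANNER_RE = re.compile(r"NS(\d+\.\d+):\s*Build\s+(\d+)\.(\d+)")


def parse_version(version: str) -> Tuple[str, Tuple[int, int]]:
    """Split '13.1-49.13' into ('13.1', (49, 13)); numeric tuple so that
    (49, 9) < (49, 13), which a string comparison would get wrong."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def version_from_banner(banner: str) -> Optional[str]:
    """Extract '13.1-49.13' from an (assumed-format) 'show ns version'
    banner; returns None if the banner does not match."""
    m = _BANNER_RE.search(banner)
    if not m:
        return None
    return f"{m.group(1)}-{m.group(2)}.{m.group(3)}"


def is_affected(version: str, variant: str = "standard") -> bool:
    """True if this build is inside the CVE-2023-3467 affected range."""
    release, build = parse_version(version)
    key = (release, variant)
    if key in EOL_RELEASES:
        return True  # no fixed build exists for EOL 12.1
    if key not in FIXED_BUILDS:
        raise ValueError(f"no advisory data for release {release} ({variant})")
    return build < FIXED_BUILDS[key]


if __name__ == "__main__":
    # Constructed sample inputs, not real appliance output.
    samples = [
        ("13.1-49.9", "standard"),   # older than 49.13 despite "49.9" > "49.13" as text
        ("13.1-49.13", "standard"),  # first fixed 13.1 build
        ("13.0-91.13", "standard"),  # first fixed 13.0 build
        ("13.1-37.158", "FIPS"),     # one below the FIPS fix
        ("12.1-55.297", "NDcPP"),    # first fixed NDcPP build
        ("12.1-55.300", "standard"), # EOL release: always affected
    ]
    for ver, variant in samples:
        print(f"{ver:<12} {variant:<9} affected={is_affected(ver, variant)}")
    banner = "NetScaler NS13.1: Build 49.13.nc, Date: Jul 12 2023"  # constructed
    print("from banner:", version_from_banner(banner))
```

Run it against the build string reported by the appliance; if you feed it banner text, confirm the banner format on your own release first, since that regex is an assumption rather than a documented contract.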
