CVE-2023-3519: 
Citrix ADC VPX vulnerability analysis and mitigation

CVE-2023-3519 is an unauthenticated remote code execution (RCE) vulnerability affecting NetScaler (formerly Citrix) Application Delivery Controller (ADC) and NetScaler Gateway. The vulnerability was discovered in June 2023 and was initially exploited as a zero-day vulnerability. Citrix released patches for this vulnerability on July 18, 2023. The affected versions include NetScaler ADC and Gateway 13.1 before 13.1-49.13, 13.0 before 13.0-91.13, version 12.1 (now end of life), NetScaler ADC 13.1-FIPS before 13.1-37.159, 12.1-FIPS before 12.1-55.297, and 12.1-NDcPP before 12.1-55.297 (Citrix Bulletin).

The vulnerability has been assigned a CVSS v3.1 base score of 9.8 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). For successful exploitation, the affected appliance must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or authentication, authorization, and auditing (AAA) virtual server. The vulnerability is classified under CWE-94 (Improper Control of Generation of Code - 'Code Injection') (NVD CVE).

When exploited, the vulnerability allows attackers to execute unauthorized remote code on affected systems. Threat actors have used this vulnerability to implant webshells, gain root level access to compromised systems, and perform Active Directory enumeration. The compromise enables attackers to collect and exfiltrate sensitive data, including Active Directory information and system configurations (CISA Advisory).

Organizations should immediately install the relevant updated version of NetScaler ADC and NetScaler Gateway as provided by Citrix. Additionally, CISA recommends implementing robust network-segmentation controls on NetScaler appliances and other internet-facing devices. Organizations should also follow best cybersecurity practices, including mandating phishing-resistant multifactor authentication (MFA) for all staff and services (CISA Advisory).