CVE REFERENCE | CRITICAL VULNERABILITY
Active ThreatUpdated 11 min read

CVE-2023-3519 Explained: Citrix NetScaler ADC and Gateway Unauthenticated RCE

A CVSS 9.8 zero-day in Citrix NetScaler ADC and Gateway that allowed unauthenticated remote code execution. Actively exploited before patch release, used to compromise a US critical infrastructure organisation and web-shell thousands of unpatched appliances. Not to be confused with Shitrix (CVE-2019-19781) or Citrix Bleed (CVE-2023-4966).

Sources:NVD|Citrix Security Bulletin CTX561482|CISA Advisory AA23-201A, Threat Actors Exploiting Citrix Software CVE-2023-3519|Shadowserver Foundation, CVE-2023-3519 mass exploitation data
9.8
CVSS Score
2,000+
Appliances backdoored post-patch
0-day
Exploited before patch
None
Authentication required

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

CVE-2023-3519 is a CVSS 9.8 unauthenticated remote code execution vulnerability in Citrix NetScaler ADC and NetScaler Gateway, the network appliances that serve as VPN gateways, load balancers, and application delivery controllers for thousands of enterprise and government organisations. Citrix disclosed the vulnerability on July 18, 2023, with patches for supported versions. CISA simultaneously published an advisory confirming the vulnerability had already been exploited as a zero-day against a critical infrastructure organisation.

The vulnerability requires the appliance to be configured as a Gateway or Authentication, Authorization, and Accounting (AAA) virtual server, which describes the vast majority of Citrix NetScaler deployments, since gateway functionality is the primary use case. After patches were released, mass automated exploitation resulted in over 2,000 appliances being backdoored with web shells within days, affecting organisations that had not yet applied the patch.

Technical Nature of the Vulnerability and Attack Requirements

Citrix has not publicly disclosed the precise technical mechanism of CVE-2023-3519 beyond describing it as an unauthenticated remote code execution in the appliance when configured as a Gateway. Third-party researchers who reverse-engineered the patch identified the vulnerability as a stack buffer overflow in the HTTP handling code for the Gateway virtual server.

The vulnerability is reachable via the standard HTTPS port (443) used for VPN access, the internet-facing port that must be accessible for the appliance to function as a gateway. No authentication, session establishment, or prior interaction with the device is required. The attack requires only a network path to the gateway's external HTTPS interface and knowledge of the exploit primitive.

The prerequisite of Gateway or AAA virtual server configuration is important context: while it prevents exploitation of appliances used purely as load balancers without gateway configuration, the overwhelming majority of internet-facing Citrix NetScaler deployments include gateway functionality, these are the configurations most commonly targeted.

1

Identify Citrix NetScaler appliances with Gateway configured

NetScaler Gateway portals are identifiable by their login page branding, SSL certificate details, and HTTP response characteristics. CISA estimated thousands of unpatched internet-facing appliances at the time of disclosure.

2

Send crafted HTTP request triggering buffer overflow

Send a specially crafted unauthenticated HTTPS request to the Gateway virtual server. The request triggers a stack buffer overflow in the HTTP handler, corrupting the stack frame and redirecting execution.

3

Execute arbitrary code as root on NetScaler

The buffer overflow allows control over execution flow. Shellcode or a ROP chain redirects execution to attacker-controlled code, running as the NetScaler process with root privileges.

4

Drop web shell for persistent access

Attackers consistently dropped web shells in the NetScaler's web-accessible directories, particularly /netscaler/ns_gui/vpn/. The web shell provides a persistent HTTP-accessible command execution interface that survives appliance restarts.

5

Lateral movement to internal network

The NetScaler appliance has network connectivity to all internal segments it load-balances or provides VPN access to. Attackers used this routing access for internal reconnaissance, LDAP queries against Active Directory, and further lateral movement.

The Critical Infrastructure Zero-Day Compromise

CISA's advisory AA23-201A documented a confirmed exploitation case involving a US critical infrastructure organisation in the healthcare sector. The attacker compromised the organisation's internet-facing NetScaler ADC appliance using CVE-2023-3519 before any patch was available.

Post-exploitation activity observed in this case included: executing commands to discover Active Directory objects and organisational units, using LDAP queries to collect Active Directory user data, setting up LDAP monitoring on the ADC to intercept future directory communications, dropping a PHP web shell at /netscaler/ns_gui/vpn/ for persistent access, and conducting Active Directory reconnaissance targeting the internal network reachable through the compromised gateway.

CISA confirmed the attacker attempted lateral movement to the internal domain controller but was blocked by network segmentation. This is a documented case where proper network segmentation, separating the DMZ where the NetScaler resided from the internal Active Directory infrastructure, limited the breach to the perimeter device.

Threat actors exploited this vulnerability as a zero-day to drop a web shell on the victim's non-production environment NetScaler ADC appliance. The web shell enabled the actors to perform discovery on the victim's active directory and collect and exfiltrate AD data.

CISA Advisory AA23-201A, July 2023
Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Patching and Remediating CVE-2023-3519

Patching is the primary fix. Any device that ran a vulnerable version while internet-accessible requires post-patch investigation, particularly for web shells dropped during the mass exploitation wave.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

The bottom line

CVE-2023-3519 is the third high-severity Citrix NetScaler/ADC vulnerability in five years to achieve active exploitation before or immediately after disclosure (alongside CVE-2019-19781 Shitrix and CVE-2023-4966 Citrix Bleed). Citrix NetScaler sits at the perimeter of thousands of enterprise and government networks, each exploitation campaign demonstrates that perimeter devices with complex code handling untrusted internet input are a recurring, high-value attack surface.

The mass post-patch web shell campaign is the most operationally important data point: the window between patch release and exploitation completion is measured in hours for widely deployed network appliances. Patch deployment processes that take days or weeks are not adequate for this class of vulnerability.

This analysis is generic — the platform version scores threats like this against your own stack.

Frequently asked questions

What is CVE-2023-3519?

CVE-2023-3519 is a CVSS 9.8 unauthenticated remote code execution vulnerability in Citrix NetScaler ADC and NetScaler Gateway. It requires the device to be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, or RDP Proxy) or as an AAA virtual server. An unauthenticated attacker exploiting this vulnerability can execute arbitrary code on the appliance.

How is CVE-2023-3519 different from other Citrix vulnerabilities?

CVE-2023-3519 is distinct from CVE-2019-19781 (Shitrix, pre-auth path traversal RCE, 2019) and CVE-2023-4966 (Citrix Bleed, session token theft, 2023). All three are in Citrix NetScaler/ADC products but exploit different code paths and have different impacts. CVE-2023-3519 is the 2023 unauthenticated RCE; Citrix Bleed is the 2023 session hijacking vulnerability.

Was CVE-2023-3519 exploited in the wild?

Yes, as a zero-day before any patch existed. CISA confirmed exploitation against at least one US critical infrastructure organisation, a healthcare provider's NetScaler ADC appliance was compromised, and the attacker used it to move laterally and gather information about the organisation's Active Directory. After patches were released in July 2023, mass automated exploitation backdoored over 2,000 unpatched appliances within days.

Which NetScaler versions are affected by CVE-2023-3519?

Affected versions: NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13, 13.0 before 13.0-91.13, 12.1 (end-of-life, not patched), 12.0 (end-of-life, not patched). Patched versions: 13.1-49.13 or later, 13.0-91.13 or later. Version 12.x must be upgraded to 13.x as no patch is available for EOL branches.

What did attackers do after exploiting CVE-2023-3519?

In the confirmed critical infrastructure compromise documented by CISA, the attacker: discovered Active Directory (AD) objects and OUs, collected AD user data, set up LDAP monitoring, implanted a web shell in /netscaler/ns_gui/vpn/ for persistent access, and attempted lateral movement to the internal network. Post-patch mass exploitation focused primarily on deploying web shells for persistent access to thousands of devices simultaneously.

How do I find and remove web shells left by CVE-2023-3519 exploitation?

CISA confirmed web shells were placed in /netscaler/ns_gui/vpn/ and /var/netscaler/logon/. To detect recently created PHP files: find /netscaler/ns_gui/vpn/ -name '*.php' -newer /netscaler/ns_gui/vpn/index.php and compare against file lists from a clean NetScaler image of the same version. After removing web shells, rotate all local admin passwords, rotate any AD service account credentials the appliance uses, and monitor outbound connections from the ADC IP for 30 days post-remediation. Mass exploitation backdoored over 2,000 devices: if you ran a vulnerable version without confirmed IOC investigation, treat the device as compromised.

Sources & references

  1. NVD
  2. Citrix Security Bulletin CTX561482
  3. CISA Advisory AA23-201A, Threat Actors Exploiting Citrix Software CVE-2023-3519
  4. Shadowserver Foundation, CVE-2023-3519 mass exploitation data

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.