CVE-2023-3519
Published: 19 July 2023
Summary
CVE-2023-3519 is a critical-severity Code Injection (CWE-94) vulnerability in Citrix NetScaler Application Delivery Controller. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.2% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-7 (Boundary Protection).
Deeper analysis
CVE-2023-3519 is an unauthenticated remote code execution vulnerability (CWE-94) affecting Citrix ADC and Citrix Gateway appliances. It carries a CVSS 3.1 base score of 9.8, reflecting network attack vector, low attack complexity, and no requirements for authentication or user interaction, with high impact on confidentiality, integrity, and availability.
An unauthenticated attacker with network access can send specially crafted requests that trigger arbitrary code execution on the target appliance, enabling full compromise of the affected system including potential takeover of VPN sessions, authentication flows, or connected infrastructure.
Citrix security bulletin CTX561482 addresses the issue with patches and configuration guidance for supported ADC and Gateway versions; the bulletin is referenced by both vendor and CISA entries. CISA has added the CVE to its Known Exploited Vulnerabilities catalog, confirming observed in-the-wild exploitation.
Public exploit code is available on Packet Storm, and the vulnerability maintains a very high EPSS score (current 0.9348, peak 0.9659), indicating sustained exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-44176
Vulnerability details
Unauthenticated remote code execution
- CWE(s): CWE-94
- KEV Date Added: 19 July 2023
Mitigating Controls (NIST 800-53 r5)
Directly enforces access control decisions to block unauthenticated network requests that trigger the RCE.
Restricts network exposure of the vulnerable Citrix ADC/Gateway interfaces to untrusted remote attackers.
Requires timely application of vendor patches that eliminate the unauthenticated code-execution flaw.