
CVE-2023-6549

High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 17 January 2024
Modified: 26 February 2026
KEV Added: 17 January 2024
CVSS v3.1 Score: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H)
EPSS Score: 0.8232 (99.2nd percentile)
Risk Priority: 86 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-6549 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Citrix NetScaler ADC (Application Delivery Controller) and NetScaler Gateway. Its CVSS v3.1 base score is 8.2 (High).

Operationally, it ranks in the top 0.8% of all CVEs by EPSS exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection). For an operator of an affected appliance, neither can be retrofitted; the practical remediation is the vendor-supplied fixed build.

Deeper analysis

CVE-2023-6549 is an improper restriction of operations within the bounds of a memory buffer, tracked as CWE-119, that affects NetScaler ADC and NetScaler Gateway. The flaw permits an unauthenticated remote attacker to trigger a denial of service and perform an out-of-bounds memory read. Its CVSS 3.1 score of 8.2 reflects a network attack vector, low attack complexity, and no required privileges or user interaction, with high availability impact and low integrity impact; the published vector records no confidentiality impact, so service disruption should be treated as the primary risk.

An unauthenticated attacker with network access can send crafted requests that exploit the memory-handling defect, causing service disruption and, through the out-of-bounds read, limited information disclosure. Because no authentication or user interaction is needed, any appliance whose affected virtual servers are reachable from the network can be exploited remotely.

Citrix has published security bulletin CTX584986, which addresses both CVE-2023-6548 (a separate code-injection flaw in the management interface that requires low-privileged access to the NSIP, CLIP or SNIP) and CVE-2023-6549. The bulletin notes that only appliances configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server are affected by CVE-2023-6549. The vulnerability appears in the CISA Known Exploited Vulnerabilities catalog, indicating confirmed in-the-wild exploitation and the need for prompt remediation by upgrading to the fixed builds listed under Affected Assets below.

The EPSS score stands at 0.8232, which is also its peak value to date, indicating sustained exploitation interest since disclosure.

Vulnerability details

Improper Restriction of Operations within the Bounds of a Memory Buffer in NetScaler ADC and NetScaler Gateway allows Unauthenticated Denial of Service and Out-Of-Bounds Memory Read

CWE(s): CWE-119
KEV Date Added: 17 January 2024

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Citrix NetScaler Application Delivery Controller: 12.1 before 12.1-55.302 · 13.0 before 13.0-92.21
Citrix NetScaler Gateway: 13.0 before 13.0-92.21 · 13.1 before 13.1-51.15 · 14.1 before 14.1-12.35
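As an added example (not code from this page or from Citrix), the following Python script turns the fixed builds listed above into an offline version check. It parses either a short release-build string such as 13.1-50.23 or the first line of NetScaler's `show ns version` output and reports whether the build predates the fix for its release branch. The shape of the `show ns version` line (`NetScaler NS13.1: Build 50.23.nc, ...`) is an assumption about the CLI, and the sample line is constructed rather than captured from a real appliance. Branches absent from the page's table return an indeterminate result rather than a guess.

```python
"""Offline version check for CVE-2023-6549 against the fixed builds listed on this page.
Added example, not Citrix tooling: the release-to-fixed-build table is copied from the
Affected Assets section above; the `show ns version` output format is an assumption."""
import re
from typing import NamedTuple, Optional

# Fixed builds per release branch, taken from the Affected Assets list above.
# A build numerically at or above the fixed build is treated as patched.
FIXED_BUILDS = {
    "14.1": (12, 35),    # 14.1-12.35
    "13.1": (51, 15),    # 13.1-51.15
    "13.0": (92, 21),    # 13.0-92.21
    "12.1": (55, 302),   # 12.1-55.302
}

# Short form used in advisories, e.g. "13.1-50.23".
SHORT_RE = re.compile(r"^\s*(?P<rel>\d+\.\d+)-(?P<maj>\d+)\.(?P<min>\d+)\s*$")
# Assumed shape of the first line of `show ns version`, e.g.
# "NetScaler NS13.1: Build 50.23.nc, Date: Nov 3 2023, 12:40:02   (64-bit)".
CLI_RE = re.compile(r"NS(?P<rel>\d+\.\d+):\s*Build\s*(?P<maj>\d+)\.(?P<min>\d+)")


class Build(NamedTuple):
    release: str   # "13.1"
    major: int     # 50 in 13.1-50.23
    minor: int     # 23 in 13.1-50.23


def parse_build(text: str) -> Build:
    """Parse a short version string or `show ns version` output into a Build."""
    m = SHORT_RE.match(text) or CLI_RE.search(text)
    if m is None:
        raise ValueError(f"unrecognised NetScaler version string: {text!r}")
    return Build(m["rel"], int(m["maj"]), int(m["min"]))


def is_vulnerable(build: Build) -> Optional[bool]:
    """True if the build predates the fix for its branch, False if at or after it,
    None if the page's table does not cover the branch (do not guess)."""
    fixed = FIXED_BUILDS.get(build.release)
    if fixed is None:
        return None
    # Build numbers compare as (major, minor) integer pairs, so 55.302 > 55.296
    # and 51.15 > 50.23, even though "51.15" < "50.23" as strings.
    return (build.major, build.minor) < fixed


def assess(text: str) -> str:
    """Human-readable verdict for one version string."""
    b = parse_build(text)
    label = f"{b.release}-{b.major}.{b.minor}"
    state = is_vulnerable(b)
    if state is None:
        return f"{label}: branch not in table, check CTX584986"
    fixed = f"{b.release}-{FIXED_BUILDS[b.release][0]}.{FIXED_BUILDS[b.release][1]}"
    if state:
        return f"{label}: VULNERABLE, upgrade to {fixed} or later"
    return f"{label}: patched (>= {fixed})"


# Constructed sample of the assumed CLI output; not a real capture.
SAMPLE_SHOW_NS_VERSION = (
    "\tNetScaler NS13.1: Build 50.23.nc, Date: Nov 3 2023, 12:40:02   (64-bit)\n"
    " Done\n"
)

if __name__ == "__main__":
    for v in (SAMPLE_SHOW_NS_VERSION, "13.1-51.15", "12.1-55.296", "14.1-12.35", "11.1-65.20"):
        print(assess(v))
```

Feed it the first line of `show ns version` from each appliance in the estate. Two caveats: FIPS and NDcPP builds share a release string with the mainline branch but have their own fix builds, so check those against CTX584986 rather than this table; and the script does not check the bulletin's exposure precondition (a Gateway or AAA virtual server configured), so a "VULNERABLE" verdict means "unpatched", not necessarily "reachable".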

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)

Enforces validation of network-supplied inputs to NetScaler to ensure all operations stay within allocated memory buffer bounds, directly blocking the crafted requests that trigger the CWE-119 flaw.

SI-16 Memory Protection (prevent)

Requires hardware or software memory protection mechanisms that detect and block out-of-bounds reads/writes, mitigating the exact buffer violation exploited for unauthenticated DoS.

SC-5 Denial-of-Service Protection (prevent)

Mandates denial-of-service protection controls that limit the impact of resource exhaustion caused by the out-of-bounds memory read on NetScaler ADC/Gateway.

These three controls describe properties of the product itself; an operator cannot add input validation or memory protection to a shipped appliance. The control that actually closes CVE-2023-6549 in practice is SI-2 (Flaw Remediation), applied by upgrading to the fixed builds in CTX584986.