Citrix has released a security bulletin (CTX693420) disclosing two high-severity vulnerabilities affecting NetScaler ADC and NetScaler Gateway appliances. Depending on the deployment configuration, these vulnerabilities could allow attackers to bypass management access controls or perform memory over-reads.
While Citrix has not confirmed active exploitation in the wild, these flaws are considered critical in environments where the affected systems are exposed to the internet or lack proper segmentation.
The two vulnerabilities disclosed impact NetScaler ADC and NetScaler Gateway as follows:
Both vulnerabilities present significant risk depending on how the NetScaler instance is deployed and whether interfaces are exposed externally or accessible within internal networks.
The following supported versions are affected:
Note: Builds 12.1 and 13.0 are End of Life and will not receive security updates. Organizations running these versions should plan for an immediate upgrade.
Due to the severe risk posed by these vulnerabilities, Systems Engineering is proactively patching clients subscribed to the SE Platform and NetAdmin who have NetScalers in their compute environments.
For all other clients, we strongly recommend updating your impacted systems with the latest security patches as soon as possible. Citrix has provided upgrade instructions in its security bulletin (CTX693420).
If you are a Systems Engineering client and have questions about this Security Alert, please contact your Account Manager.