Networking equipment maker Citrix has released security updates to address three vulnerabilities in its NetScaler ADC and NetScaler Gateway products, including a zero-day vulnerability actively exploited by hackers.
Tracked as CVE-2023-3519, the zero-day is a code injection issue that can lead to remote code execution.
The vendor didn’t share details of the attacks in which the zero-day was exploited, saying only that “exploits of CVE-2023-3519 on unmitigated appliances have been observed.”
Two other flaws patched by Citrix (CVE-2023-3466 and CVE-2023-3467) are cross-site scripting and improper access control issues that a remote hacker could use to carry out cross-site scripting (XSS) attacks or escalate privileges on the system.
The vulnerabilities affect the following NetScaler ADC and NetScaler Gateway versions:
NetScaler ADC and NetScaler Gateway 13.1-49.13 and later releases
NetScaler ADC and NetScaler Gateway 13.0-91.13 and later releases of 13.0
NetScaler ADC 13.1-FIPS 13.1-37.159 and later releases of 13.1-FIPS
NetScaler ADC 12.1-FIPS 12.1-55.297 and later releases of 12.1-FIPS
NetScaler ADC 12.1-NDcPP 12.1-55.297 and later releases of 12.1-NDcPP
Users are advised to apply the patches as soon as possible.