Networking equipment maker Citrix has released security updates to address three vulnerabilities in its NetScaler ADC and NetScaler Gateway products, including a zero-day vulnerability actively exploited by hackers.

Tracked as CVE-2023-3519, said zero-day is a code injection issue that can lead to remote code execution.

The vendor didn’t share details regarding the attacks the zero-day was exploited in, only saying that “exploits of CVE-2023-3519 on unmitigated appliances have been observed.”

Two other flaws (CVE-2023-3466 and CVE-2023-3467) patched by Citrix are cross-site scripting and improper access control issue that could be used by a remote hacker to carry out cross-site scripting (XSS) attacks or escalate privileges on the system.

The vulnerabilities affect the following NetScaler ADC and NetScaler Gateway versions:

• NetScaler ADC and NetScaler Gateway 13.1-49.13  and later releases

• NetScaler ADC and NetScaler Gateway 13.0-91.13 and later releases of 13.0

• NetScaler ADC 13.1-FIPS 13.1-37.159 and later releases of 13.1-FIPS

• NetScaler ADC 12.1-FIPS 12.1-55.297 and later releases of 12.1-FIPS

• NetScaler ADC 12.1-NDcPP 12.1-55.297 and later releases of 12.1-NDcPP

Users are recommended to apply patches as soon as possible.