NetScaler Vulnerabilities: What South African Businesses Must Do Now

CVE-2023-3519: Unauthenticated Remote Code Execution

In July 2023, Citrix disclosed CVE-2023-3519, a critical remote code execution (RCE) vulnerability affecting NetScaler ADC and NetScaler Gateway. With a CVSS score of 9.8, it allowed an unauthenticated attacker to execute arbitrary code on the appliance — without requiring any credentials or user interaction. Exploitation was confirmed in the wild before the patch was widely applied.

Organisations that had not applied the patch within days of release were compromised. Web shells were planted on perimeter devices, enabling persistent access that persisted even after reboot in some cases.

CVE-2023-4966: "Citrix Bleed"

Later in 2023, "Citrix Bleed" (CVE-2023-4966) proved even more damaging. This information disclosure vulnerability allowed attackers to extract valid session tokens directly from the memory of an unpatched NetScaler appliance — without any authentication. Those tokens could then be replayed to bypass multifactor authentication (MFA) entirely and hijack active user sessions.

Citrix Bleed was weaponised at scale by the LockBit ransomware group and several affiliated threat actors. Healthcare networks, legal firms, and financial institutions were among the affected organisations globally. The vulnerability had a CVSS score of 9.4 and required no user interaction to exploit.

Critically, applying the patch alone was not sufficient. Active sessions on compromised appliances had to be terminated and tokens invalidated — a step that many organisations overlooked, leaving attackers with persistent access even after patching.

A Pattern, Not an Anomaly

CVE-2023-3519 and Citrix Bleed are not isolated incidents. NetScaler has had multiple critical vulnerabilities disclosed across 2023 and 2024, and security researchers continue to identify new attack surfaces. Organisations that treat Citrix patching as a low-priority quarterly activity are taking on significant, measurable risk.

1. Patch Immediately and Completely

Check your NetScaler firmware version against Citrix's current security advisories. All appliances running NetScaler ADC and NetScaler Gateway should be on a supported, patched release. If you are still on a version affected by CVE-2023-3519 or CVE-2023-4966, you must treat your environment as potentially compromised and initiate an incident response process — not just a patch.

2. Invalidate Active Sessions After Patching

For CVE-2023-4966 in particular, patching without terminating active sessions leaves stolen tokens valid and usable. After applying the patch, kill all active ICA and AAA sessions on the appliance. This is a documented remediation step in Citrix's advisory.

3. Monitor for Indicators of Compromise

Check for web shells, unexpected scheduled tasks, and anomalous outbound connections from your NetScaler appliance. Citrix has published specific indicators of compromise (IoCs) for both CVEs. If your organisation cannot conduct this review internally, engage a managed security provider with NetScaler expertise.

4. Apply Zero Trust Principles at the Perimeter

NetScaler's native security capabilities — including its web application firewall (WAF) and Citrix Secure Private Access — exist to enforce granular access controls. Many organisations deploy NetScaler as a simple VPN gateway and leave advanced security features unconfigured. Enabling WAF policies, restricting access by device posture, and integrating with an identity provider (such as Microsoft Entra) for conditional access significantly raises the cost of exploitation.

5. Automate Patch Management

Perimeter device patching cannot rely on manual processes. N-able RMM enables automated patch management and compliance reporting across your environment, ensuring that critical security updates are applied within your defined patching windows — without waiting for a quarterly maintenance cycle.