Threat Bulletin – Citrix NetScaler CVE-2023-3519

Description

A Lightning Hunt has been conducted by our Threat Hunters, and tickets have been opened as required with Citrix NetScaler.

Threat Info
Name of threat: Vulnerability CVE-2023-3519
Severity: 9.8 CRITICAL
Type: Unauthenticated remote code execution
Discovered: mid-July 2023
Target industries: Critical infrastructure organizations are a main target

Overview

On July 18, 2023, Citrix released security bulletin CTX561482, which describes vulnerabilities in Citrix NetScaler Application Delivery Controller (ADC) and Citrix NetScaler Gateway. One of them, CVE-2023-3519, allows an unauthenticated remote attacker to execute arbitrary code; it has been assigned a CVSS score of 9.8. Citrix has stated that it has observed exploitation of this vulnerability in the wild.

Affected versions of NetScaler ADC and NetScaler Gateway:

  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
  • NetScaler ADC and NetScaler Gateway version 12.1, now end of life
  • NetScaler ADC 13.1-FIPS before 13.1-37.159
  • NetScaler ADC 12.1-FIPS before 12.1-55.297
  • NetScaler ADC 12.1-NDcPP before 12.1-55.297

The appliance must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an authentication, authorization, and auditing (AAA) virtual server to be exploitable.


Tactic(s) | Technique | Sub-technique | ID | Description
Initial Access | Exploit Public-Facing Application | - | T1190 | Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Exfiltration | Archive Collected Data | - | T1560 | An adversary may compress and/or encrypt data that is collected prior to exfiltration.

Technical Details 

MITRE Framework

Tactic(s) | Technique | Sub-technique | ID | Description
Execution | Server Software Component | - | T1505 | Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems.
Privilege Escalation | Hijack Execution Flow | - | T1574 | Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs.
Discovery | Permission Groups Discovery | Domain Groups | T1069.002 | Adversaries may attempt to find domain-level groups and permission settings.
Discovery | Remote System Discovery | - | T1018 | Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system.
Discovery | Domain Trust Discovery | - | T1482 | Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments.
Discovery | System Network Configuration Discovery | - | T1016 | Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems.
Discovery | System Network Configuration Discovery | Internet Connection Discovery | T1016.001 | Adversaries may check for Internet connectivity on compromised systems.
Discovery | Network Service Discovery | - | T1046 | Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.
Discovery | Account Discovery | Domain Account | T1087.002 | Adversaries may attempt to get a listing of domain accounts.
Defense Evasion | Masquerading | Masquerade File Type | T1036.008 | Adversaries may masquerade malicious payloads as legitimate files through changes to the payload’s formatting, including the file’s signature, extension, and contents.
Privilege Escalation | Abuse Elevation Control Mechanism | Setuid and Setgid | T1548.001 | Adversaries may circumvent mechanisms designed to control elevated privileges to gain higher-level permissions.
Credential Access | Unsecured Credentials | Credentials In Files | T1552.001 | Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
Credential Access | Unsecured Credentials | Private Keys | T1552.004 | Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials.
Persistence | Server Software Component | Web Shell | T1505.003 | Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Command and Control | Encrypted Channel | - | T1573 | Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol.
Command and Control | Proxy | Internal Proxy | T1090.001 | Adversaries may use an internal proxy to direct command and control traffic between two or more systems in a compromised environment.
Command and Control | Ingress Tool Transfer | - | T1105 | Adversaries may transfer tools or other files from an external system into a compromised environment.
Persistence | Scheduled Task/Job | - | T1053 | Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.
Collection | Archive Collected Data | Archive via Utility | T1560.001 | Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration.
Collection | Data from Local System | - | T1005 | Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Collection | Data Staged | - | T1074 | Adversaries may stage collected data in a central location or directory prior to Exfiltration.

Initial Access to NetScaler

The threat actors exploit CVE-2023-3519 to implant a webshell on the organization’s NetScaler ADC appliance.

          Mitre: T1190 – Exploit Public Facing Application

Persistence

The threat actors implant a generic webshell on the organization’s NetScaler ADC appliance.

          Mitre: T1505.003 – Server Software Component: Web Shell

Privilege Escalation

As part of their initial exploit chain, the threat actors upload a TGZ file containing a setuid binary to the ADC appliance.

         Mitre: T1548.001 – Abuse Elevation Control Mechanism: Setuid and Setgid

Defense Evasion

The threat actors exfiltrate data by uploading it as an image file to a web-accessible path.

          Mitre: T1036.008 – Masquerading: Masquerade File Type

Credential Access

The threat actors obtain encrypted passwords from NetScaler ADC configuration files, and the decryption key is stored on the ADC appliance.

         Mitre: T1552.001 – Unsecured Credentials: Credentials In Files

The threat actors obtain decryption keys to decrypt the AD credential obtained from the NetScaler ADC configuration files.

          Mitre: T1552.004 – Unsecured Credentials: Private Keys

Discovery

The threat actors query the AD for trusts.

          Mitre: T1482 – Domain Trust Discovery

The threat actors query the AD for groups.

          Mitre: T1069.002 – Permission Groups Discovery: Domain Groups

The threat actors query the AD for computers. They attempted to execute a subnet-wide curl command to identify what was accessible from within the network as well as potential lateral movement targets; network-segmentation controls prevented this activity.

          Mitre: T1018 – Remote System Discovery

The actors use a webshell for AD enumeration.

          Mitre: T1016 – System Network Configuration Discovery

The threat actors attempt to verify outbound network connectivity with a ping command and execute host commands for a subnet-wide DNS lookup. Network segmentation controls prevent this activity.

Example: ping -c 1 google[.]com

          Mitre: T1016.001 – System Network Configuration Discovery: Internet Connection Discovery

The threat actors conduct SMB scanning on the organization’s subnet.

          Mitre: T1046 – Network Service Discovery

The threat actors query the AD for users.

          Mitre: T1087.002 – Account Discovery: Domain Account

Collection

The threat actors archive the collected discovery data in a tar ball and encrypt it with openssl.

Example: tar -czvf - /var/tmp/all.txt | openssl des3 -salt -k <> -out /var/tmp/test.tar.gz

          Mitre: T1560.001 – Archive Collected Data: Archive via Utility

The threat actors view the NetScaler ADC configuration files /flash/nsconfig/keys/updated/* and /nsconfig/ns.conf.

          Mitre: T1005 – Data from Local System

The threat actors upload data as an image file to a web-accessible path: cp /var/tmp/test.tar.gz /netscaler/ns_gui/vpn/medialogininit.png

          Mitre: T1074 – Data Staged

Command & Control

The threat actors exploit CVE-2023-3519 to upload a TGZ file containing a generic webshell, a discovery script, and a setuid binary to the ADC appliance.

         Mitre: T1105 – Ingress Tool Transfer

The actors likely use a PHP shell with proxying capability to attempt proxying SMB traffic to the DC (the traffic was blocked by a firewall and account restrictions).

          Mitre: T1090.001 – Proxy: Internal Proxy


Detection techniques with NetScaler

CISA

Run the following victim-created checks on the ADC shell interface to check for signs of compromise:

1. Check for files newer than the last installation.
2. Modify the -newermt parameter with the date that corresponds to your last installation:
  • find /netscaler/ns_gui/ -type f -name '*.php' -newermt [YYYYMMDD] -exec ls -l {} \;
  • find /var/vpn/ -type f -newermt [YYYYMMDD] -exec ls -l {} \;
  • find /var/netscaler/logon/ -type f -newermt [YYYYMMDD] -exec ls -l {} \;
  • find /var/python/ -type f -newermt [YYYYMMDD] -exec ls -l {} \;
3. Check HTTP error logs for abnormalities that may stem from the initial exploit:
  • zgrep '.sh' /var/log/httperror.log*
  • zgrep '.php' /var/log/httperror.log*
4. Check shell logs for unusual post-exploitation commands, for example:
  • grep '/flash/nsconfig/keys' /var/log/sh.log*
5. Look for dropped setuid binaries:
  • find /var -perm -4000 -user root -not -path "/var/nslog/*" -newermt [YYYYMMDD] -exec ls -l {} \;
6. Review network and firewall logs for subnet-wide scanning of HTTP/HTTPS/SMB (80/443/445) originating from the ADC.
7. Review DNS logs for an unexpected spike in internal computer name lookups originating from the ADC (this may indicate the threat actor resolving hosts after enumerating AD computer objects).
8. Review network/firewall logs for unexpected spikes in AD/LDAP/LDAPS traffic originating from the ADC (this may indicate AD/LDAP enumeration).
9. Review the number of connections/sessions from the NetScaler ADC per IP address for excessive connection attempts from a single IP (this may indicate the threat actor interacting with the webshell).
10. Pay attention to large outbound transfers from the ADC over a short period of session time, as these can indicate data exfiltration.
11. Review AD logs for logon activity originating from the ADC IP with the account configured for the AD connection.
12. If a logon restriction is configured for the AD account, check event 4625 where the failure reason is “User not allowed to logon at this computer.”
13. Review NetScaler ADC internal logs (sh.log, bash.log) for traces of potential malicious activity (some example keywords for grep are provided below):
  • database.php
  • nsgui/vpn
  • /flash/nsconfig/keys/updated
  • LDAPTLSREQCERT
  • ldapsearch
  • openssl + salt
14. Review NetScaler ADC internal access logs (httpaccess-vpn.log*) for 200 (successful) responses for unknown web resources.

How to Hunt for Authentication Attempts on NetScaler

Mandiant

Mandiant recommends that organizations use available logs and Endpoint Detection and Response (EDR) telemetry to hunt for authentication attempts sourced from NetScaler management addresses (NSIPs) to all endpoints in the environment. Mandiant observed authentication attempts by the threat actor sourced from the NSIPs of impacted NetScalers, both via Remote Desktop Protocol (RDP) logons and via network logons to endpoints within the victim’s environment. Additional information recorded in these events may capture hostnames and IP addresses belonging to attacker infrastructure, which can be used to pivot and hunt further in the environment. Traffic from the NSIP of an appliance to the internal network or to miscellaneous (non-Citrix) Internet IP addresses is unexpected and suspicious. Rotate credentials for any impacted or targeted accounts identified in these attempts.

Review relevant firewall logs for any network-based indicators identified. Additionally, Mandiant observed the string “pwd;pwd;pwd;pwd;pwd;” within the exploit POST requests, which can aid hunting. Also, prior to the upload of the initial web shell, Mandiant identified requests with a Headless Chrome user agent (executed via the CLI), as follows:

Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/112.0.5615.121 Safari/537.36

Furthermore, Mandiant recommends review of HTTP error logs for potential crashes, which can be indicative of vulnerability exploitation.
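The CISA checks above (items 3, 13 and 14) and the two Mandiant HTTP indicators are all string or pattern matches over appliance logs, so they can be run as a single scan. The Python below is an added example written for this bulletin, not tooling from CISA, Mandiant or Citrix: it applies those rules to constructed sh.log, httperror.log and httpaccess-vpn.log lines embedded in the script. The log line layouts, the allow list of known web resources, the client addresses, the timestamps and the non-headless user agent are assumptions; an access-log line the parser cannot read is reported rather than skipped, so a malformed line cannot hide a request.

```python
"""Scan NetScaler log excerpts for the CISA and Mandiant indicators listed above.
Added example, not tooling from CISA, Mandiant or Citrix; log layouts, allow list and
sample lines are constructed."""
import re
from typing import Iterable, List, NamedTuple


class Hit(NamedTuple):
    source: str  # log the line came from
    rule: str    # indicator that matched
    line: str    # the line itself


# CISA item 13 keywords for sh.log / bash.log; "openssl + salt" means both tokens on one line.
SHELL_KEYWORDS = ("database.php", "nsgui/vpn", "/flash/nsconfig/keys/updated",
                  "LDAPTLSREQCERT", "ldapsearch")
# Mandiant indicators: the string seen in exploit POST requests and the headless Chrome user agent.
EXPLOIT_POST_MARKER = "pwd;pwd;pwd;pwd;pwd;"
HEADLESS_CHROME = re.compile(r"\bHeadlessChrome/\d[\d.]*")
# Assumed allow list of resources the Gateway logon page normally serves (not from the bulletin).
KNOWN_RESOURCES = {"/vpn/index.html", "/logon/LogonPoint/index.html",
                   "/vpn/js/gateway_login_form_view.js"}
# Assumed combined-style layout for httpaccess-vpn.log: client, timestamp, request, status, bytes, referer, UA.
ACCESS_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')


def scan_shell_log(lines: Iterable[str]) -> List[Hit]:
    """Post-exploitation traces in sh.log / bash.log (CISA item 13)."""
    hits = []
    for line in lines:
        for keyword in SHELL_KEYWORDS:
            if keyword in line:
                hits.append(Hit("sh.log", keyword, line))
        if "openssl" in line and "salt" in line:
            hits.append(Hit("sh.log", "openssl + salt", line))
    return hits


def scan_http_error_log(lines: Iterable[str]) -> List[Hit]:
    """Script references in httperror.log that may stem from the initial exploit (CISA item 3)."""
    return [Hit("httperror.log", ext, line)
            for line in lines for ext in (".sh", ".php") if ext in line]


def scan_access_log(lines: Iterable[str]) -> List[Hit]:
    """CISA item 14 plus the Mandiant HTTP indicators, applied to httpaccess-vpn.log."""
    hits = []
    for line in lines:
        match = ACCESS_RE.match(line)
        if match is None:  # report, never silently skip, a line the parser cannot read
            hits.append(Hit("httpaccess-vpn.log", "unparseable line", line))
            continue
        path = match.group("path").split("?", 1)[0]
        if match.group("status") == "200" and path not in KNOWN_RESOURCES:
            hits.append(Hit("httpaccess-vpn.log", "200 for unknown resource", line))
        if HEADLESS_CHROME.search(match.group("ua")):
            hits.append(Hit("httpaccess-vpn.log", "HeadlessChrome user agent", line))
        if EXPLOIT_POST_MARKER in line:
            hits.append(Hit("httpaccess-vpn.log", "pwd;pwd; marker", line))
    return hits


# Constructed samples. 203.0.113.0/24 is documentation address space; the headless UA is the one
# quoted in the bulletin, the other UA, the timestamps and the shell lines are made up.
UA_HEADLESS = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) "
               "HeadlessChrome/112.0.5615.121 Safari/537.36")
UA_NORMAL = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0 Safari/537.36"
SAMPLE_SH_LOG = [
    "Jul 20 10:12:01 ns sh[4711]: root: cat /flash/nsconfig/keys/updated/ns.key",
    "Jul 20 10:12:40 ns sh[4712]: root: tar -czvf - /var/tmp/all.txt | openssl des3 -salt -k PLACEHOLDER -out /var/tmp/test.tar.gz",
    "Jul 20 10:15:03 ns sh[4713]: nsroot: show ns version",
]
SAMPLE_ERROR_LOG = [
    "[Thu Jul 20 10:11:58 2023] [error] [client 203.0.113.7] File does not exist: /netscaler/ns_gui/vpn/xyz.php",
    "[Thu Jul 20 10:11:59 2023] [error] [client 203.0.113.7] Premature end of script headers",
]
SAMPLE_ACCESS_LOG = [
    f'203.0.113.7 - - [18/Jul/2023:09:41:12 +0000] "GET /vpn/index.html HTTP/1.1" 200 3310 "-" "{UA_NORMAL}"',
    f'203.0.113.7 - - [18/Jul/2023:09:41:30 +0000] "GET /vpn/index.html HTTP/1.1" 200 3310 "-" "{UA_HEADLESS}"',
    f'203.0.113.7 - - [18/Jul/2023:09:42:05 +0000] "POST /vpn/index.html?pwd;pwd;pwd;pwd;pwd; HTTP/1.1" 200 12 "-" "{UA_HEADLESS}"',
    f'203.0.113.7 - - [18/Jul/2023:09:50:44 +0000] "GET /vpn/medialogininit.png HTTP/1.1" 200 81920 "-" "{UA_NORMAL}"',
    "garbage line that no parser should silently drop",
]


def scan_all() -> List[Hit]:
    """Run every scanner over the constructed samples and return the combined hits."""
    return (scan_shell_log(SAMPLE_SH_LOG) + scan_http_error_log(SAMPLE_ERROR_LOG)
            + scan_access_log(SAMPLE_ACCESS_LOG))


if __name__ == "__main__":
    for hit in scan_all():
        print(f"[{hit.source}] {hit.rule}: {hit.line}")
```

On a real appliance the three scanners would be fed the contents of /var/log/sh.log*, /var/log/httperror.log* and httpaccess-vpn.log* instead of the embedded samples; the allow list in KNOWN_RESOURCES has to be built from a known-good appliance of the same version, since the "200 for unknown resource" rule is only as good as that list.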

Mandiant observed LDAP queries sourced from NSIPs of impacted Netscalers in an attempt to identify accounts vulnerable to Kerberoasting. A sample query can be seen as follows:

(&(servicePrincipalName=*)(UserAccountControl:1.2.840.113556.1.4.803:=512)(!(UserAccountControl:1.2.840.113556.1.4.803
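The NSIP-sourced logon hunt described above and the Kerberoasting query just shown can be checked with a short script. The Python below is an added example, not Mandiant's or CISA's tooling: it flags 4624/4625 events whose source address is a NetScaler NSIP (distinguishing RDP from network logons, and recognising the "User not allowed to logon at this computer" failure from the CISA list), lists the accounts whose credentials should be rotated, and tests an LDAP filter for the two components quoted above. The NSIP addresses, account names, flattened event layout and the full sample filter (which adds an exclusion of disabled accounts to the quoted fragment) are constructed assumptions.

```python
"""Hunt for authentication activity sourced from NetScaler management addresses (NSIPs).
Added example, not Mandiant's or CISA's tooling; NSIPs, accounts, event layout and the
sample LDAP filter are constructed."""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Assumed NSIPs of the appliances under review (placeholder addresses).
NSIPS = {"10.0.100.5", "10.0.100.6"}
# Failure reason text quoted in the bulletin (event 4625) for a logon-workstation restriction.
WORKSTATION_RESTRICTION = "User not allowed to logon at this computer"
# Windows logon types of interest: 3 = network logon, 10 = RemoteInteractive (RDP).
LOGON_TYPE_NAMES = {3: "network logon", 10: "RDP logon"}
# The two components of the LDAP filter quoted in the bulletin: an SPN wildcard and the
# LDAP_MATCHING_RULE_BIT_AND OID applied to userAccountControl. Together they select
# Kerberoastable accounts.
KERBEROAST_FILTER_PARTS = ("servicePrincipalName=*", "1.2.840.113556.1.4.803")


@dataclass
class Finding:
    event_id: int
    account: str
    source_ip: str
    logon_type: int
    note: str


def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed 'Key=Value;Key=Value' event line into a dict."""
    fields = {}
    for part in line.strip().split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def hunt_nsip_logons(lines: Iterable[str], nsips=NSIPS) -> List[Finding]:
    """Return every 4624/4625 whose source address is an NSIP, annotated for triage."""
    findings = []
    for line in lines:
        event = parse_event(line)
        source_ip = event.get("IpAddress", "")
        event_id = int(event.get("EventID", "0"))
        if source_ip not in nsips or event_id not in (4624, 4625):
            continue
        logon_type = int(event.get("LogonType", "0"))
        if event_id == 4624:
            kind = LOGON_TYPE_NAMES.get(logon_type, f"logon type {logon_type}")
            note = f"successful {kind} from NSIP"
        elif event.get("FailureReason") == WORKSTATION_RESTRICTION:
            note = "failed: blocked by logon-workstation restriction on the AD account"
        else:
            note = f"failed: {event.get('FailureReason', 'unknown reason')}"
        findings.append(Finding(event_id, event.get("TargetUserName", "?"),
                                source_ip, logon_type, note))
    return findings


def is_kerberoast_filter(ldap_filter: str) -> bool:
    """True when an LDAP filter combines an SPN wildcard with a UAC bit-mask match."""
    normalized = ldap_filter.replace(" ", "").lower()
    return all(part.lower() in normalized for part in KERBEROAST_FILTER_PARTS)


def accounts_to_rotate(findings: Iterable[Finding]) -> List[str]:
    """Accounts seen in NSIP-sourced attempts; the bulletin says to rotate their credentials."""
    return sorted({f.account for f in findings})


# Constructed sample events (flattened 4624/4625 fields); the last one is from a normal workstation.
SAMPLE_EVENTS = [
    "EventID=4624;TargetUserName=svc_nsldap;LogonType=3;IpAddress=10.0.100.5",
    "EventID=4624;TargetUserName=jdoe;LogonType=10;IpAddress=10.0.100.5",
    "EventID=4625;TargetUserName=svc_nsldap;LogonType=3;IpAddress=10.0.100.6;"
    "FailureReason=User not allowed to logon at this computer",
    "EventID=4625;TargetUserName=admin;LogonType=3;IpAddress=10.0.100.5;"
    "FailureReason=Unknown user name or bad password",
    "EventID=4624;TargetUserName=jdoe;LogonType=10;IpAddress=10.0.20.14",
]
# Constructed filter: the quoted components plus an exclusion of disabled accounts (UAC bit 2).
SAMPLE_LDAP_FILTER = ("(&(servicePrincipalName=*)(UserAccountControl:1.2.840.113556.1.4.803:=512)"
                      "(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))")

if __name__ == "__main__":
    found = hunt_nsip_logons(SAMPLE_EVENTS)
    for finding in found:
        print(finding)
    print("rotate credentials for:", accounts_to_rotate(found))
    print("Kerberoast-style filter:", is_kerberoast_filter(SAMPLE_LDAP_FILTER))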

Mandiant recommends review of the following directories and subdirectories for the presence of web shells:

  • /var/vpn/
  • /var/netscaler/logon/
  • /var/python/
  • /netscaler/ns_gui/

In order to identify malicious ELF binaries, Mandiant recommends a review of the /tmp/ directory. Similarly, review of files with timestamps after the Netscaler was last patched is especially important.

In review of NSPPE core (Netscaler Packet Processing Engine) dumps, Mandiant identified commands executed by the threat actor to redirect the contents of ns.conf, F1.key, and F2.key to a renamed JavaScript file for exfiltration. Mandiant recommends reviewing relevant NSPPE core dumps in the /core/ directory in order to identify similar activity. Rotation of the keys is recommended if similar activity is observed in NSPPE core dumps.

Finally, Mandiant recommends a review of /var/crontabs/nobody for scheduled execution of suspicious binaries; Mandiant identified a crontab entry for the aforementioned ELF tunneler.

Mitigating the CVE-2023-3519 NetScaler ADC and Gateway Vulnerabilities

Install the relevant updated version of NetScaler ADC and NetScaler Gateway as soon as possible. See the Citrix ADC and Citrix Gateway Security Bulletin for CVE-2023-3519, CVE-2023-3466 and CVE-2023-3467 for patch information.

Follow best cybersecurity practices in your production and enterprise environments, including mandating phishing-resistant multifactor authentication (MFA) for all staff and for all services.


Best Practices for Securing NetScaler

Given the scope and sophistication of this threat actor, Mandiant recommends that organizations rebuild any appliances that have been exploited. The ADC upgrade process overwrites some, but not all, of the directories where threat actors may create web shells, potentially leaving the appliance in a compromised state.

Organizations should evaluate whether their ADC or Gateway appliance management ports require unrestricted Internet access. Limiting the Internet access to only necessary IP addresses (such as Citrix related addresses) would make post-exploitation activities of this and any future vulnerabilities more difficult.

Recommendations for Mitigating the Threat

Mandiant has observed the threat actor copying the ADC ns.conf file as well as keys stored on the file system that are used to encrypt secrets within the configuration file. Public tooling exists to decrypt the ns.conf secrets although Mandiant has not validated it works for the most recent appliance versions. Given these TTPs, Mandiant recommends that impacted organizations rotate all secrets stored in the configuration file as well as any private keys and certificates that may be used for TLS connections.

Mandiant recommends hardening susceptible accounts in the domain to reduce the likelihood of credential exposure via Kerberoasting and to limit a potential threat actor’s ability to obtain credentials for lateral movement throughout the environment.

CISA

If compromise is detected, organizations should:

1. Quarantine or take offline potentially affected hosts.
2. Reimage compromised hosts.
3. Provision new account credentials.
4. Collect and review artifacts such as running processes/services, unusual authentications, and recent network connections.
5. Report the compromise to CISA via CISA’s 24/7 Operations Center (report@cisa.gov or 888-282-0870).


References

https://www.mandiant.com/resources/blog/citrix-zero-day-espionage
https://www.cisa.gov/sites/default/files/2023-07/aa23-201acsathreatactorsexploitingcitrix-cve-2023-3519toimplantwebshells.pdf
https://www.mandiant.com/resources/blog/citrix-adc-vulnerability-ioc-scanner
https://github.com/telekom-security/cve-2023-3519-citrix-scanner
https://mikecybersec.medium.com/hunting-for-potentially-vulnerable-citrix-servers-with-shodan-cve-2023-3519-977540cae5df
