CVE-2023-6548
MEDIUM KEV
NetScaler ADC & NetScaler Gateway - Code Injection
Title source: llm
Exploitation Summary
CVE-2023-6548 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added January 17, 2024.
Description
Improper Control of Generation of Code ('Code Injection') in NetScaler ADC and NetScaler Gateway allows an attacker with access to NSIP, CLIP or SNIP with management interface to perform Authenticated (low privileged) remote code execution on Management Interface.
References (2)
Core References
Vendor Advisory
https://support.citrix.com/article/CTX584986/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20236548-and-cve20236549
US Government Resource
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-6548
Scores
CVSS v3: 5.5
EPSS: 0.0567
EPSS Percentile: 90.6%
Attack Vector: ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation: active
Automatable: no
Technical Impact: total
Details
CISA KEV: 2024-01-17
VulnCheck KEV: 2024-01-16
InTheWild.io: 2024-01-16
ENISA EUVD: EUVD-2023-58778
CWE: CWE-94
Status: published
Products (3)
citrix/netscaler_application_delivery_controller: 12.1 - 12.1-55.302 (2 CPE variants)
citrix/netscaler_application_delivery_controller: 13.0 - 13.0-92.21
citrix/netscaler_gateway: 13.0 - 13.0-92.21
Published: Jan 17, 2024
KEV Added: Jan 17, 2024
Tracked Since: Feb 18, 2026