IRONSMITHINTEL
CRITICAL | CVSS 9.8 | Actively Exploited | CISA KEV | CVE-2023-3519 | Auth: none — unauthenticated | Reboot: required | Est. 45 minutes including appliance restart | Manual only

Citrix ADC / NetScaler Gateway < 13.1-49.13 — RCE

Unauthenticated remote code execution on Citrix ADC and Gateway devices. Apply vendor patch immediately — exploited as a zero-day and subsequently mass-exploited by LockBit, Medusa, and other ransomware groups targeting government and healthcare.

Published Jul 18, 2023 · Updated May 15, 2026
Why patch: risk explained in plain English
Worst-case scenario: if unpatched

An unauthenticated attacker can execute arbitrary code on the Citrix appliance, access session tokens for currently authenticated users, and pivot into the internal network. Attackers used this to harvest session tokens (hence the "Citrix Bleed" name) enabling them to impersonate users without credentials.

How the attack works: no clicks needed

Citrix ADC and Gateway have a stack-based buffer overflow in the HTTP/S handling of the management interface or VPN virtual server when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server.

Am I affected? Quick check

Probably yes if any of these apply:

Network Security Team
VDI/Citrix Administrators
IT Security
Running NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13, 13.0 before 13.0-91.13, 12.1 before 12.1-65.21
Fixed in: NetScaler ADC 13.1-49.13 / 13.0-91.13
Real-world incidents: what we've seen

CVE-2023-3519 was disclosed on July 18, 2023. By late 2023, over 10,000 organisations had been compromised. Boeing, Toyota Financial Services, and multiple US government agencies were confirmed victims. LockBit ransomware operators automated exploitation to rapidly move from initial access to ransomware deployment. CISA issued multiple advisories and ran a voluntary scanning campaign.

How to patch

Manual remediation steps

45 minutes including appliance restart

Check Current Version

From the Citrix ADC CLI:

sh version
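
Added example (not part of the original advisory and not Citrix tooling): a Python check that applies the fixed-build thresholds listed under "Am I affected?" to `sh version` output collected from several appliances. The shape of the `sh version` line, the host names and the sample builds are assumptions constructed for illustration.

```python
import re

# First fixed build per release branch, taken from the "Am I affected?" list.
FIXED = {"13.1": (49, 13), "13.0": (91, 13), "12.1": (65, 21)}

# Assumed `sh version` line shape: "NetScaler NS13.1: Build 48.47.nc, Date: ..."
CLI_RE = re.compile(r"NS(\d+\.\d+):\s*Build\s+(\d+)\.(\d+)")
# Shorthand form as written on this page: "13.1-49.13"
SHORT_RE = re.compile(r"\b(\d+\.\d+)-(\d+)\.(\d+)\b")


def parse_build(text):
    """Return (branch, (build, sub_build)), or None if nothing parses."""
    m = CLI_RE.search(text) or SHORT_RE.search(text)
    if not m:
        return None
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def assess(text):
    """Classify one version string as 'patched', 'vulnerable' or 'review'."""
    parsed = parse_build(text)
    if parsed is None:
        return "review"  # unparseable output: check by hand
    branch, build = parsed
    fixed = FIXED.get(branch)
    if fixed is None:
        return "review"  # branch not listed on this page
    # Integer tuples compare numerically, so 49.9 sorts before 49.13.
    return "patched" if build >= fixed else "vulnerable"


def audit(inventory):
    """Map each host to its status."""
    return {host: assess(line) for host, line in inventory.items()}


# Constructed sample inventory (host names and builds are made up).
SAMPLE = {
    "adc-edge-01": "NetScaler NS13.1: Build 48.47.nc, Date: May 30 2023, 05:55:53   (64-bit)",
    "adc-edge-02": "NetScaler NS13.1: Build 49.13.nc, Date: Jul 10 2023, 18:36:14   (64-bit)",
    "gw-dmz-01": "13.0-90.11",
    "gw-lab-01": "NetScaler NS14.1: Build 8.50.nc",
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as "review" run a branch this page gives no fixed build for, or returned output the parser did not recognise, and need a manual check.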

Check for Active Sessions / Compromise Indicators

# List current ICA/VPN sessions
sh ica session
sh vpn session

# Check for unexpected admin accounts
sh system user

# Check for recently modified files (run from the appliance shell, entered with the "shell" command, not from the CLI prompt)
find /netscaler -newer /var/nslog/ns.log -type f 2>/dev/null | head -20

Apply the Patch

1. Download the updated build from https://www.citrix.com/downloads/citrix-adc/
2. Upload via the web console: Configuration > System > Upgrade
3. Or via CLI:
install build <filename.tgz> -Y
4. Reboot the appliance

Post-Patch: Terminate All Active Sessions

# Kill all active ICA sessions (important — session tokens may be compromised)
kill ica session -all
kill vpn session -all

Verify

sh version
# Must show 13.1-49.13 or later (13.0-91.13 or later on the 13.0 branch)