Two vulnerabilities were disclosed by Citrix, which were CVE-2023-4966 and CVE-2023-4967, with critical and high severities, respectively. Of these two, CVE-2023-4966 has been released with a publicly available PoC. This vulnerability is associated with a sensitive information disclosure score of 9.4 (Critical).
This vulnerability existed in the Citrix Netscaler ADC and Netscaler Gateway versions before their latest release. However, Citrix has fixed this vulnerability, and patches have been issued.
For diving deep, the vulnerable devices were looked upon inside the /netscaler/nsppe, the Netscaler packet processing engine containing the complete TCP/IP network stack and multiple HTTP services.
Additionally, the Ghidra tool was used to decompile the nsppe, and BinExport to create a BinDiff file. Comparing the compiled BinDiff file of two vulnerable devices, there were more than 50 different functions.
Two functions, ns_aaa_oauth_send_openid_config and ns_aaa_oauthrp_send_openid_config, were found to perform the same function to implement the OpenID Connect Discovery endpoint. Both of these functions are accessible without authentication.
The vulnerability existed on the return value of snprintf, which determines the number of bytes to send for the ns_vpn_send_response. As part of exploitation, snprintf is supplied with an exceeded buffer size of 0x20000 bytes.
Furthermore, a complete Proof of Concept report has been published by AssetNote, providing detailed information on the exploitation methods, detailed steps, and others.
| CVE ID | Affected Products | Fixed in Version |
| CVE-2023-4966 | NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50 | NetScaler ADC and NetScaler Gateway 14.1-8.50 and later releases |
| NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15 | NetScaler ADC and NetScaler Gateway 13.1-49.15 and later releases of 13.1 | |
| NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19 | NetScaler ADC and NetScaler Gateway 13.0-92.19 and later releases of 13.0 | |
| NetScaler ADC 13.1-FIPS before 13.1-37.164 | NetScaler ADC 13.1-FIPS 13.1-37.164 and later releases of 13.1-FIPS | |
| NetScaler ADC 12.1-FIPS before 12.1-55.300 | NetScaler ADC 12.1-FIPS 12.1-55.300 and later releases of 12.1-FIPS | |
| NetScaler ADC 12.1-NDcPP before 12.1-55.300 | NetScaler ADC 12.1-NDcPP 12.1-55.300 and later releases of 12.1-NDcPP |
Users of these products are recommended to upgrade to the latest versions of these products to prevent these vulnerabilities from getting exploited.
Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Try a free trial to ensure 100% security.
A new project has exposed a critical attack vector that exploits protocol vulnerabilities to disrupt…
A threat actor known as #LongNight has reportedly put up for sale remote code execution…
Ivanti disclosed two critical vulnerabilities, identified as CVE-2025-4427 and CVE-2025-4428, affecting Ivanti Endpoint Manager Mobile…
Hackers are increasingly targeting macOS users with malicious clones of Ledger Live, the popular application…
The European Union has escalated its response to Russia’s ongoing campaign of hybrid threats, announcing…
Venice.ai has rapidly emerged as a disruptive force in the AI landscape, positioning itself as…
.webp?w=1600&resize=1600,900&ssl=1)
