The Cybersecurity and Infrastructure Security Agency (CISA) released a Cybersecurity Advisory (CSA), Threat Actors Exploiting Citrix CVE-2023-3519 to Implant Webshells, to warn organizations about threat actors exploiting CVE-2023-3519, an unauthenticated remote code execution (RCE) vulnerability affecting NetScaler (formerly Citrix) Application Delivery Controller (ADC) and NetScaler Gateway. In June 2023, threat actors exploited this vulnerability as a zero-day to drop a webshell on a critical infrastructure organization’s NetScaler ADC appliance. The webshell enabled the actors to perform discovery on the victim’s active directory (AD) and collect and exfiltrate AD data. The actors attempted to move laterally to a domain controller but network-segmentation controls for the appliance blocked movement.
This CSA details tactics, techniques, and procedures (TTPs) shared with CISA by the victim.
If activity is detected, CISA strongly urges all critical infrastructure organizations follow the recommendations found within this advisory, such as prioritizing patching known exploited vulnerabilities like Citrix CVE-2023-3519.
To report incidents and anomalous activity, please contact CISA, either through the agency’s Incident Reporting System or the 24/7 Operations Center at report@cisa.gov or (888) 282-0870.
CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence…
CISA released 10 Industrial Control Systems (ICS) advisories. These advisories provide timely information about current…
CISA has added five new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence…
CISA released one Industrial Control Systems (ICS) advisory on October 14, 2025. These advisories provide…
Today, CISA issued Emergency Directive ED 26-01: Mitigate Vulnerabilities in F5 Devices to direct Federal…
CISA released thirteen Industrial Control Systems (ICS) advisories on October 16, 2025. These advisories provide…
This website uses cookies.