Vulnerability Description

Citrix has indicated that an unauthenticated attacker can exploit this flaw to perform arbitrary code execution. Although details from Citrix are minimal, VERT’s research has identified three vulnerable behaviors which combine to enable code execution attacks on the NetScaler/ADC appliance. These flaws ultimately allow the attacker to bypass an authorization constraint to create a file with user-controlled content which can then be processed through a server-side scripting language. Other paths towards code execution may also exist.

Exposure and Impact

All supported product versions of Citrix ADC (formerly NetScaler) and Citrix Gateway are impacted. An attacker can exploit this with access to the web interface for either the ADC/NS IP or the virtual IP used for VPN portals regardless of which features are licensed or configured. A successful exploitation allows the attacker to take complete control of the affected system. Once an attacker has control over the system, they can access private network resources and can further compromise the network by hijacking authenticated user-sessions or stealing user-credentials.

Remediation & Mitigation

Citrix has recommended that users apply a specific responder policy to filter exploitation attempts. System administrators are strongly encouraged to apply this mitigation while awaiting a proper fix for the vulnerability.


Tripwire IP360 starting with ASPL-865 contains remote heuristic detection of the vulnerable service.

External attempts to exploit this flaw will likely include HTTP requests with ‘/../’ and ‘/vpns/’ in the URL. This was indicated in the mitigation steps suggested by Citrix. Network defenders should also be on the lookout for requests with custom headers containing traversal patterns (e.g. ‘/../’). Network defenders can look for these patterns to identify exploitation attempts.