loading
loading
Vulnerabilities
Accurately fingerprint and detect Netscaler and Citrix ADC versions vulnerable to CVE-2023-3519.
overview
cve-2023-3519-inspector fingerprints Netscaler and Citrix ADC or Gateway appliances and reports whether the running build is exposed to CVE-2023-3519, the unauthenticated remote code execution flaw that saw mass exploitation in mid-2023. It reads the version instead of firing the exploit, so a team can confirm exposure across an estate without risking the appliances it inspects.
The version read is the point. The inspector requests /vpn/pluginlist.xml and cross-checks the page title, HTML frame-busting comments, and known vhashes to confirm the host is a Citrix Gateway, then maps the reported build number to a vulnerable or patched range. Because Citrix gateways sit at the network edge, a confident version read separates the appliances that need an emergency patch from the ones already fixed.
The inspector runs against a single URL or a file of URLs, so a fleet-wide sweep is one workflow run. On Trickest, wire it after a prober that has already surfaced Citrix endpoints, then route the confirmed-vulnerable hosts to triage or alerting.
use cases
Fingerprint a Citrix Gateway and report whether its build is vulnerable to the unauthenticated RCE, without launching the exploit against a production appliance.
Pass a file of Citrix URLs to check every gateway in one run and produce a single list of which builds are exposed.
Re-run the inspector after patching to verify appliances now report a fixed build, closing the loop on remediation.
Route confirmed-vulnerable gateways to immediate triage, since they sit at the network edge and the flaw needs no authentication.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| url | STRING | --url | The URL of the Citrix Gateway to check. |
| file | FILE | --file | A file containing a list of URLs to check. |
Showing key inputs. cve-2023-3519-inspector exposes 2 inputs in total.
example
# check a single Citrix Gatewaycve-2023-3519-inspector --url https://vpn.example.com # sweep a fleet of gateways from a list of URLscve-2023-3519-inspector --file citrix-hosts.txt[*] Checking https://vpn.example.com[+] Confirmed Citrix Gateway (title match, pluginlist.xml present)[+] Detected Netscaler version: 13.1-48.47[!] https://vpn.example.com is VULNERABLE to CVE-2023-3519[*] Checking https://198.51.100.23[+] Detected Netscaler version: 13.1-49.15[-] https://198.51.100.23 is NOT vulnerable (patched build)[*] Checking https://203.0.113.9[-] https://203.0.113.9 does not appear to be a Citrix Gatewayguidance
Use this inspector when you have Citrix Netscaler or ADC endpoints and need to know which builds are exposed to CVE-2023-3519. It is a single-CVE detector, so identify Citrix hosts first with a prober, and run nuclei alongside it for broader appliance coverage.
Template-driven scanner with Citrix templates among many checks. Broader, less version-precise.
Probes and fingerprints hosts to identify Citrix endpoints before this inspector runs.
Service fingerprinting that helps surface the Citrix endpoints worth inspecting.
faq
related
A Go script for bypassing 403 forbidden responses.
An open-source tool that automates detecting and exploiting command injection.
Detect and abuse vulnerable implementations of stateless sessions.
A Python tool to find Cross-Origin Resource Sharing misconfigurations.
A tool to find HTTP splitting vulnerabilities.
Multi-threaded, IPv6-aware username enumeration via CVE-2018-15473.
Hosts are probed by httpx to find Citrix endpoints, then the inspector fingerprints each for CVE-2023-3519 and writes the vulnerable appliances as output.
Facts on this page come from the live Trickest tool library.