
February 20, 2025Ravie LakshmananVulnerability / IT Security

Citrix has issued security updates for a high-severity vulnerability in NetScaler Console (formerly NetScaler ADM) and NetScaler Agent that could lead to privilege escalation under specific conditions.

The vulnerability, identified as CVE-2024-12284, has been assigned a CVSS v4 score of 8.8 out of 10.0.

The issue stems from improper privilege management. It can only be exploited by an already-authenticated user, but where the NetScaler Agent is deployed it allows that user to escalate privileges and carry out post-compromise actions.

“The problem arises from inadequate privilege management, which could be exploited by an authenticated malicious actor to execute commands without additional authorization,” NetScaler noted.

“However, only authenticated users with existing access to the NetScaler Console can exploit this vulnerability, thus limiting the threat surface to only authenticated users.”

The vulnerability affects the following versions:

  • NetScaler Console 14.1 before 14.1-38.53
  • NetScaler Console 13.1 before 13.1-56.18
  • NetScaler Agent 14.1 before 14.1-38.53
  • NetScaler Agent 13.1 before 13.1-56.18

The issue has been resolved in the following versions of the software:

  • NetScaler Console 14.1-38.53 and later releases
  • NetScaler Console 13.1-56.18 and later releases of 13.1
  • NetScaler Agent 14.1-38.53 and later releases
  • NetScaler Agent 13.1-56.18 and later releases of 13.1
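Checking a fleet of Console and Agent installs against the lists above is a mechanical comparison, but NetScaler version strings (major.minor-build.patch) must be compared field by field as integers: a plain string comparison would rank 14.1-38.5 above 14.1-38.53. The following Python is an added example, not code from Citrix, NetScaler or the advisory. The inventory entries and hostnames are constructed, and the "not listed" result for branches the advisory does not mention (such as a 13.0 build) is this example's own convention meaning "the advisory makes no statement", not a claim that such builds are safe.

```python
import re
from typing import Dict, List, Tuple

# Fixed builds per product and branch, taken from the advisory lists above.
# A build on one of these branches that sorts below the fixed build is affected.
FIXED_BUILDS: Dict[str, Dict[Tuple[int, int], Tuple[int, int]]] = {
    "NetScaler Console": {(14, 1): (38, 53), (13, 1): (56, 18)},
    "NetScaler Agent": {(14, 1): (38, 53), (13, 1): (56, 18)},
}

# NetScaler versions read 'major.minor-build.patch', e.g. '14.1-38.53'.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)-(\d+)\.(\d+)\s*$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Split '14.1-38.53' into (14, 1, 38, 53) so every field compares numerically."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {version!r}")
    major, minor, build, patch = (int(x) for x in m.groups())
    return major, minor, build, patch


def cve_2024_12284_status(product: str, version: str) -> str:
    """Return 'affected', 'fixed' or 'not listed' for one product/version pair.

    'not listed' is this example's convention (an assumption, not advisory
    wording): the branch does not appear in the advisory, so no claim is made.
    """
    if product not in FIXED_BUILDS:
        raise ValueError(f"unknown product {product!r}; expected one of {sorted(FIXED_BUILDS)}")
    major, minor, build, patch = parse_version(version)
    fixed = FIXED_BUILDS[product].get((major, minor))
    if fixed is None:
        return "not listed"
    # Tuple comparison orders by build first, then patch, as integers.
    return "affected" if (build, patch) < fixed else "fixed"


def triage(inventory: List[Tuple[str, str, str]]) -> Dict[str, str]:
    """Map each (host, product, version) entry to its status, keyed by host."""
    return {host: cve_2024_12284_status(product, version)
            for host, product, version in inventory}


# Constructed sample inventory: hostnames and builds are made up for this example.
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("console-prod-01", "NetScaler Console", "14.1-38.50"),
    ("console-prod-02", "NetScaler Console", "14.1-38.53"),
    ("agent-dc1-01", "NetScaler Agent", "13.1-56.17"),
    ("agent-dc1-02", "NetScaler Agent", "13.1-57.5"),
    ("console-lab-01", "NetScaler Console", "13.0-92.21"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:16} {status}")
```

Feed `triage` the product and version string as reported by each appliance; anything marked "affected" needs the update, and anything marked "not listed" should be checked against the vendor notice directly rather than assumed clean.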

“Cloud Software Group strongly advises customers of NetScaler Console and NetScaler Agent to install the updated versions as soon as possible,” the company stated, adding that there are no workarounds to resolve the flaw.

Customers using the Citrix-managed NetScaler Console Service do not need to take any action.
