Sergiu Gatlan reports:
Today, CISA ordered U.S. federal agencies to secure their systems against three recently patched Citrix NetScaler and Google Chrome zero-days actively exploited in attacks, pushing for a Citrix RCE bug to be patched within a week.
The cybersecurity agency added the flaws to its Known Exploited Vulnerabilities Catalog today, saying that such vulnerabilities are “frequent attack vectors for malicious cyber actors” that pose “significant risks to the federal enterprise.”
Citrix urged customers on Tuesday to immediately patch Internet-exposed Netscaler ADC and Gateway appliances against the CVE-2023-6548 code injection vulnerability and the CVE-2023-6549 buffer overflow impacting the Netscaler management interface that could be exploited for remote code execution and denial-of-service attacks, respectively.
Those who can’t immediately install the security updates can block network traffic to affected instances and ensure they’re not accessible online as a temporary workaround.
Read more at Bleeping Computer.