  • Attacker Value: Moderate (1 user assessed)
  • Exploitability: Moderate (1 user assessed)
  • User Interaction: Unknown
  • Privileges Required: Unknown
  • Attack Vector: Unknown

CVE-2024-6235

Disclosure Date: July 10, 2024

Description

Sensitive information disclosure in NetScaler Console

Ratings
  • Attacker Value
    Medium
  • Exploitability
    Medium
Technical Analysis

CVE-2024-6235 is a critical information disclosure vulnerability in Citrix NetScaler Console. The vulnerability, which was patched in July of 2024, affects Citrix NetScaler Console 14.1 (also known as Citrix NetScaler ADM 14.1) before 14.1-25.53. A brief investigation of the vulnerability indicated that exploitability is lower than one might expect for a critical vulnerability in a Citrix product. It appears that exploitation requires an adjacent network position on the LAN, since the management web service for NetScaler Console/ADM does not appear to be affected. This indicates that CVE-2024-6235 is most likely to be exploited for lateral movement, likely via an agent communication service port or outbound LAN-focused discovery. Furthermore, no public PoC is available, as of December 5, 2024, and the vulnerability does not appear to be trivial to exploit; the vulnerability has not been reported as EITW. For these reasons, attacker value and exploitability have been deemed ‘Moderate’.

CVSS V3 Severity and Metrics

  • Base Score: None
  • Impact Score: Unknown
  • Exploitability Score: Unknown
  • Vector: Unknown
  • Attack Vector (AV): Unknown
  • Attack Complexity (AC): Unknown
  • Privileges Required (PR): Unknown
  • User Interaction (UI): Unknown
  • Scope (S): Unknown
  • Confidentiality (C): Unknown
  • Integrity (I): Unknown
  • Availability (A): Unknown

General Information

Vendors

  • NetScaler

Products

  • NetScaler Console
