A critical vulnerability in Citrix NetScaler Console allows complete unauthenticated administrative access despite being initially classified as merely a “sensitive information disclosure” issue.
The proof-of-concept exploit code has been released, enabling attackers to create administrator accounts by exploiting an internal API vulnerability.
Citrix initially disclosed CVE-2024-6235 on July 10, 2024. It received a CVSSv4 score of 9.4, indicating critical severity.
While originally described simply as “sensitive information disclosure in NetScaler Console,” security researcher chutton-r7 from Rapid7 has revealed that its impact is far more severe. It enables unauthenticated attackers to gain full administrative access to affected systems.
“The vulnerability allows an unauthenticated attacker to obtain an admin-level session ID from an internal API and use this to create other admin users on the system,” confirms Rapid7’s analysis.
This effectively transforms the issue from information disclosure to complete system compromise.
According to a Shodan search, approximately 318 NetScaler Console instances remain exposed to the internet, potentially vulnerable to exploitation.
Critical NetScaler Admin Takeover Vulnerability
The vulnerability exists in an internal API endpoint that improperly discloses administrative session tokens.
By sending a simple GET request to /internal/v2/config/mps_secret/ADM_SESSIONID with specific headers, attackers can obtain a valid session token without authentication.
The exploit requires three specific HTTP headers:
Once an attacker obtains the session ID, they need to retrieve an additional parameter called rand_key from the NetScaler admin panel HTML. With both pieces in place, attackers can create a new super administrator account with full system access.
The PoC script automates this entire process, retrieving the session ID from the internal API, acquiring the necessary rand_key, and creating a new administrative user.
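As an added defender-side example, not part of this report or of the Rapid7 PoC, the Python below scans access-log lines for requests to the session-disclosure endpoint named above and lists later POSTs from the same source as follow-up activity to review. The combined log format, the RFC 5737 sample addresses and the `/admin/users` path are assumptions; the write-up does not name the account-creation request.

```python
import re
from datetime import datetime, timedelta
# Endpoint named in the write-up above.
SUSPECT_PATH = "/internal/v2/config/mps_secret/ADM_SESSIONID"

# Combined-style access log; this format is an assumption, adapt the regex to
# what your reverse proxy or NetScaler Console actually writes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample lines (RFC 5737 addresses); "/admin/users" is a placeholder
# for the real account-creation request, which this write-up does not name.
SAMPLE_LOG = [
    '203.0.113.5 - - [24/Apr/2025:10:00:01 +0000] "GET /internal/v2/config/mps_secret/ADM_SESSIONID HTTP/1.1" 200 512',
    '203.0.113.5 - - [24/Apr/2025:10:00:09 +0000] "GET /admin/ HTTP/1.1" 200 20480',
    '203.0.113.5 - - [24/Apr/2025:10:00:15 +0000] "POST /admin/users HTTP/1.1" 201 120',
    '198.51.100.7 - - [24/Apr/2025:10:05:00 +0000] "GET /internal/v2/config/mps_secret/ADM_SESSIONID HTTP/1.1" 403 0',
    '192.0.2.9 - - [24/Apr/2025:10:06:00 +0000] "GET /admin/ HTTP/1.1" 200 20480',
]

def parse_line(line):
    # Parse one access-log line into a dict, or return None if it does not match.
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], TS_FMT)
    e["status"] = int(e["status"])
    e["path"] = e["path"].split("?", 1)[0].rstrip("/")  # drop query string / trailing slash
    return e

def find_session_leak_attempts(lines, window=timedelta(minutes=10)):
    """Map source IP -> finding for each client that requested SUSPECT_PATH.
    A 200 counts as a probable token disclosure; POSTs from that source within
    `window` afterwards are listed as follow-up activity to review by hand."""
    events = [e for e in map(parse_line, lines) if e]
    findings = {}
    for e in events:
        if e["path"] == SUSPECT_PATH:
            f = findings.setdefault(e["ip"], {"success": False, "followups": []})
            if e["status"] == 200 and "first_success" not in f:
                f["success"], f["first_success"] = True, e["ts"]
    for e in events:
        f = findings.get(e["ip"])
        if (f and f["success"] and e["method"] == "POST"
                and f["first_success"] <= e["ts"] <= f["first_success"] + window):
            f["followups"].append(e["path"])
    return findings
```

A 403 on the endpoint still appears in the output so that probing from a source can be seen even when the token was not disclosed.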
| Risk Factors | Details |
| --- | --- |
| Affected Products | NetScaler Console 14.1 before 14.1-25.53 |
| Impact | Full administrative access via unauthenticated session hijack |
| Exploit Prerequisites | Attacker must have network access to the NetScaler Console IP (no authentication required) |
| CVSS 3.1 Score | 9.4 (Critical) |
Affected Systems and Patch Released
The vulnerability affects all versions of NetScaler Console 14.1 before version 14.1-25.53.
Earlier branches (13.1.x and 12.1.x) were reportedly unaffected. Citrix released patches in July 2024, addressing this vulnerability along with other security issues in NetScaler products.
Security experts recommend immediate patching to version 14.1-25.53 or later and advise against exposing NetScaler Console instances to the public internet.
Organizations should implement robust patch management strategies and restrict access to management interfaces through network segmentation and privileged access workstations.
As of April 24, 2025, researchers continue to monitor for active exploitation in the wild, making this vulnerability a significant concern for organizations still running vulnerable NetScaler Console instances.