CVE-2024-6235: Critical Authentication Bypass in Citrix NetScaler Console

ISGroup Cybersecurity

In July 2024, Citrix disclosed a critical security vulnerability in its NetScaler Console software. This flaw, present in version 14.1 up to but not including 14.1-25.53, could allow a malicious user to gain unauthorized administrative access. Although initially described as a simple “information exposure,” it was found that the vulnerability allows attackers to completely bypass authentication, posing significant risks to organizations using the affected versions of the software.

ProductCitrix-NetScaler
Date2025-05-20 10:10:46
Information
  • Trending
  • Fix Available

Technical Summary

CVE-2024-6235 is a critical vulnerability (CVSS v4 score: 9.4) in Citrix NetScaler Console 14.1, stemming from improper authentication (CWE-287). The flaw resides in an internal API endpoint (/internal/v2/config/mps_secret/ADM_SESSIONID) that improperly bypasses session validation checks. When specific HTTP headers are sent (Tenant-Name: Owner, User-Name: nsroot, Mps-Internal-Request: true), an attacker can obtain a valid administrative session ID without authentication.

This session ID can be reused in API requests to perform administrative actions, such as creating new super admin users. The vulnerability stems from trust in the internal mas_service process, which handles requests over HTTP/HTTPS on ports 80 and 443. Access to the internal API does not require authentication headers or session cookies, only a specially crafted request.

Researchers confirmed the impact by creating new administrative accounts using the session ID and observed that additional request tokens (rand_key) were required for state-changing operations, such as user creation. With further analysis, such tokens could potentially be bypassed or predicted.

Recommendations

  • Immediate Action: Update NetScaler Console to version 14.1-25.53 or later, where the vulnerability has been patched.

  • Network Segmentation: Ensure that management interfaces (such as NetScaler Console) are not exposed to the internet. Restrict access to trusted internal networks only.

  • Monitoring: Analyze logs to identify anomalous access patterns or unauthorized user creation, particularly toward the internal /mps_secret/ADM_SESSIONID endpoint.

[Callforaction-THREAT-Footer]