Citrix released details on a new vulnerability on their ADC (Application Delivery Controller) yesterday (18 July 2023), CVE-2023-3519.  This is an unauthenticated RCE (remote code execution), which means an attacker can run arbitrary code on your ADC without authentication. 
This affects ADC hosts configured in any of the "gateway" roles (VPN virtual server, ICA Proxy, CVPN, RDP Proxy), which commonly face the internet, or as an authentication virtual server (AAA server), which is usually visible only from internal or management subnets.

This issue is especially urgent because malicious activity targeting this is already being seen in the wild, this definitely makes this a "patch now" situation (or as soon as you can schedule it). If your ADC faces the internet and you wait until the weekend, chances are someone else will own your ADC by then!

This fix also resolves a reflected XSS (cross site scripting) issue CVE-2023-3466 and a privilege escallation issue CVE-2023-3467.

Full details can be found here: https://support.citrix.com/article/CTX561482/citrix-adc-and-citrix-gateway-security-bulletin-for-cve20233519-cve20233466-cve20233467

===============
Rob VandenBrink
rob@coherentsecurity.com