The Citrix ADC (formerly known as NetScaler ADC) family of gateways uses the NetScaler Packet Processing Engine (NSPPE) to deliver incoming HTTPS requests to the relevant services (such as the HTTP server) running in a network. Services running on a Citrix ADC/NetScaler configuration have vulnerable Perl script handlers that can be exploited through the Perl Template Toolkit to obtain RCE. Template Toolkit is a templating subsystem for Perl, similar to templating libraries in other languages. It allows inline code to be embedded in documents, which makes runtime-generated content easier to manage.
NSPPE contains a bug in how it parses file paths in requests, enabling an attacker to access any file the target service has rights to access. This in turn gives access to the vulnerable Perl script handler, which allows the attacker to craft malicious requests that trigger RCE.
The complete exploit chain requires two HTTPS requests to achieve command execution. The first request establishes the crafted template, and the second invokes the command when the template is processed.
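The two-request pattern can be hunted for in gateway or proxy access logs. The sketch below is an added example, not part of the original advisory or any vendor code; the log format, sample paths, 300-second window and the assumption that both requests carry a traversal sequence are constructed for illustration.

```python
import posixpath
from datetime import datetime
from urllib.parse import unquote, urlsplit

# Constructed access-log lines (timestamp, client, method, path); not real traffic.
SAMPLE_LOG = """\
2020-01-10T09:00:01 198.51.100.7 GET /portal/index.html
2020-01-10T09:00:05 203.0.113.9 POST /portal/../scripts/handler.pl
2020-01-10T09:00:09 203.0.113.9 GET /portal/%2e%2e/data/item.txt
2020-01-10T09:02:00 198.51.100.7 GET /portal/help/../index.html
2020-01-10T11:30:00 192.0.2.44 POST /portal/%252e%252e/scripts/handler.pl
"""

def decode_path(raw):
    """Percent-decode repeatedly so double-encoded dot segments are exposed."""
    path = urlsplit(raw).path
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def has_traversal(raw):
    """True when any path segment is '..' after decoding."""
    return ".." in decode_path(raw).replace("\\", "/").split("/")

def reaches_perl_handler(raw):
    """True when a traversing request resolves to a Perl script (.pl)."""
    return has_traversal(raw) and posixpath.normpath(decode_path(raw)).endswith(".pl")

def find_chains(log_text, window_seconds=300):
    """Pair a traversal request to a Perl handler with a later traversal
    request from the same client inside the window (assumed chain shape)."""
    pending, chains = {}, []
    for line in log_text.splitlines():
        stamp, client, _method, raw = line.split(maxsplit=3)
        when = datetime.fromisoformat(stamp)
        if not has_traversal(raw):
            continue
        first = pending.get(client)
        if first and (when - first[0]).total_seconds() <= window_seconds:
            chains.append((client, first[1], raw))
            del pending[client]
        elif reaches_perl_handler(raw):
            pending[client] = (when, raw)
    return chains

if __name__ == "__main__":
    for client, first, second in find_chains(SAMPLE_LOG):
        print(f"possible two-request chain from {client}: {first} -> {second}")
```

A lone traversal request that never touches a Perl handler, like the one from 198.51.100.7 in the sample, is not reported as a chain but is still worth reviewing on its own.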
Installing the patch released by the vendor addresses the flaw: