CVE-2023-3519
ID: d4a4b655-edad-552a-8a12-328775752cda
STIX ID: report--d4a4b655-edad-552a-8a12-328775752cda
Feed Name: Zscaler Security Research Blog
### Executive summary

The report describes active exploitation of Citrix Gateway CVE-2023-3519 in which attackers upload TGZ archives containing web shells and setuid binaries to obtain unauthenticated RCE, escalate privileges, decrypt ADC-stored configuration keys to extract Active Directory credentials, perform network discovery, compress and encrypt harvested data for exfiltration, and evade detection by hiding artifacts and disguising exfiltrated files as images.
