26 February 2024

Shadowserver reported that +15K Citrix servers are likely vulnerable to attacks exploiting the flaw CVE-2023-3519

On July 18, Citrix issued a security advisory revealing multiple vulnerabilities impacting Netscaler ADC and Gateway. Among these vulnerabilities, the most critical one identified as CVE-2023-3519 allowed an attacker without authentication to execute arbitrary code on the affected appliances. According to Citrix, this vulnerability is currently being exploited by malicious actors, although no proof-of-concept (POC) or public exploit has been discovered yet.

The Cybersecurity and Infrastructure Security Agency (CISA) also published an advisory on July 20, indicating that the vulnerability had been exploited as a zero-day back in June. During that time, malicious actors utilized the vulnerability to drop webshells as a means of gaining initial access before further penetrating the network. It's worth noting that a similar flaw, known as CVE-2019-19781 or "Shitrix," had been identified in these applications at the end of 2019 and was promptly exploited by ransomware groups, including the now-defunct REvil gang.

The profile of this recent vulnerability is quite similar to the one discovered in MOVEit in May 2023, which resulted in over 380 publicly disclosed successful attacks across various sectors.

As per the latest Shadowserver scans, there are at least 15,000 exposed and vulnerable systems worldwide that could be affected by this flaw. However, Onyphe detected an even higher number, with more than 16,000 systems potentially at risk, suggesting the widespread exposure of this vulnerability.

Given the severity of the vulnerability and its potential for exploitation, it is crucial for affected organizations to apply the necessary security patches and measures as soon as they become available to prevent unauthorized access and potential attacks.