CISA, experts warn of Citrix vulnerabilities being exploited by hackers

Alarms have been raised about several vulnerabilities affecting products from Citrix that are being exploited widely by a variety of threat actors.

On Wednesday, the U.S. Cybersecurity and Infrastructure Security Agency said a vulnerability affecting the Citrix Content Collaboration tool had been exploited and mandated that U.S. federal civilian agencies patch the issue by September 6.

Citrix released a warning about the bug — tracked as CVE-2023-24489 — on June 13, telling users that the issue affects the “customer-managed ShareFile storage zones controller.” ShareFile is a cloud-based file sharing and collaboration application for businesses that allows users to store files in their own data center.

If exploited, the vulnerability would allow an unauthenticated attacker to remotely compromise the customer-managed ShareFile storage zones controller.

Citrix said the issue has a CVSS score of 9.1 out of 10 and urged customers to patch it as soon as possible. The company credited the vulnerability’s discovery to researchers at AssetNote, which published a proof-of-concept on July 4.

Security firm GreyNoise reported that it has observed hackers attempting to exploit the issue and said on Wednesday that after CISA’s notice they saw a steep spike in attacker activity around the bug.

“A search online shows roughly 1000-6000 instances are internet accessible. This popularity, combined with the software being used to store sensitive data, meant if we found anything it could have quite an impact,” AssetNote security researcher Dylan Pindur wrote.

“Given the number of instances online and the reliability of the exploit, we have already seen a big impact from this vulnerability.”

In a statement to Recorded Future News, ShareFile Senior Vice President David Le Strat said a fix for the vulnerability was released on May 11 and the company worked with customers to patch the issue. By June 13, at least 83% of customers had patched their instances, he said, noting that ShareFile also blocked all unpatched hosts from connecting to the software's cloud control plane — making them unusable with ShareFile.

He acknowledged that there was a spike in attacks following the CISA notice but said this “died down immediately given that the issue has been addressed.”

“When this vulnerability was discovered, we worked with and notified impacted customers in advance of the announced CVE to update to the latest version of our software to assure the safety of their data,” he said.

“Our control plane is no longer connected to any ShareFile StorageZones Controller (SZC) that is not patched. The incident affected less than 3% of our install base (2800 customers). There is no known data theft from this incident.”

Citrix NetScalers backdoored

Security companies have also raised alarms about CVE-2023-3519, a vulnerability affecting Citrix’s NetScaler networking product.

Researchers from cybersecurity firm Fox-IT said this week that they worked with the Dutch Institute of Vulnerability Disclosure to uncover a “large-scale exploitation campaign” involving the vulnerability.

“An adversary appears to have exploited CVE-2023-3519 in an automated fashion, placing webshells on vulnerable NetScalers to gain persistent access. The adversary can execute arbitrary commands with this webshell, even when a NetScaler is patched and/or rebooted,” they said in a blog post on Tuesday.

“At the time of writing, more than 1900 NetScalers remain backdoored. Using the data supplied by Fox-IT, the Dutch Institute of Vulnerability Disclosure has notified victims.”

The vulnerability was disclosed on July 18 alongside two other issues, and Fox-IT found more than 31,000 NetScalers vulnerable to it. As of August 14, 1,828 NetScalers remain backdoored, the researchers said, noting that 1,248 are patched for the bug.

The researchers warned that even patched instances of NetScaler can still contain a backdoor, and they urged potential victims to examine their systems regardless of when the patch was applied.

“Most apparent from our scanning results is the percentage of patched NetScalers that still contain a backdoor. At the time of writing, approximately 69% of the NetScalers that contain a backdoor are not vulnerable anymore to CVE-2023-3519,” Fox-IT said.

“This indicates that while most administrators were aware of the vulnerability and have since patched their NetScalers to a non-vulnerable version, they have not been (properly) checked for signs of successful exploitation.”

The number of compromised, yet patched, instances indicates that the exploitation occurred before most administrators applied the patch. Fox-IT researchers said it is likely this specific exploitation campaign took place between late on July 20 and early on July 21.

Most victims observed by Fox-IT were in Germany, France, Switzerland and Japan — a curious targeting pattern considering Canada, Russia and the U.S. all had thousands of vulnerable NetScalers that day yet saw virtually no exploitation.

“As of now, we have no clear explanation for these differences, nor do we have a confident hypothesis to explain which NetScalers were targeted by the adversary and which ones were not. Moreover, we do not see a particular targeting in terms of victim industry,” they said.

“The monitoring and protection of edge devices such as NetScalers remains challenging. Sometimes, the window in which defenders must patch their systems is incredibly small. CVE-2023-3519 was exploited in targeted attacks before a patch was available and was later exploited on a large scale.”

Concern about the issue has grown so much that Google-owned cybersecurity firm Mandiant worked with Citrix to create an Indicators of Compromise Scanner for the vulnerability.

Mandiant said they have observed “a threat actor consistent with a China-nexus based on known capabilities and history of targeting Citrix ADCs [Application Delivery Controllers]” exploiting the vulnerability.

Editor's note: Updated August 18 at 3 p.m. with more information from ShareFile.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.