Thousands of Citrix Servers Vulnerable to Critical RCE Exploit - The Hunt for the Zero-Day Attackers

Thousands of Citrix NetScaler ADC and Gateway servers exposed online are vulnerable to attacks exploiting a critical remote code execution (RCE) bug that was previously abused in the wild as a zero-day.

The scan's authors also noted that the figure is an undercount: some revisions known to be vulnerable but lacking version hashes were not flagged, and so were not added to the total number of exposed Citrix servers.

The vulnerability, tracked as CVE-2023-3519 (CVSS score: 9.8), is a code injection flaw that can lead to unauthenticated remote code execution. Citrix warns that exploits for this vulnerability have been observed in attacks against unmitigated appliances. The company adds that successful exploitation requires the appliance to be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server.
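Citrix's two conditions above, an unfixed build and a Gateway or AAA virtual server being configured, can be checked together from the output of `show ns version` and the appliance's ns.conf. The script below is an added example written for this page; it is not code from the article, from Citrix or from CISA. The fixed builds it encodes are the ones named in Citrix's advisory for CVE-2023-3519. The ns.conf keywords it keys on (`add vpn vserver`, `add authentication vserver`), the `variant` parameter used to select the FIPS/NDcPP release lines, and the sample version string and configuration are assumptions constructed for the example.

```python
"""Triage helper for CVE-2023-3519 exposure on NetScaler ADC / Gateway.

Added example, not code from the article, Citrix or CISA. It reports whether an
appliance (a) runs a build below the fixed build for its release line and
(b) has a Gateway (vpn) or AAA (authentication) virtual server configured,
which is the prerequisite Citrix names for exploitation.
"""
import re

# First non-vulnerable build per release line, from Citrix's CVE-2023-3519
# advisory. Key: (release, variant) -> (build, point release).
FIXED_BUILDS = {
    ("13.1", ""): (49, 13),
    ("13.0", ""): (91, 13),
    ("13.1", "FIPS"): (37, 159),
    ("12.1", "FIPS"): (55, 297),
    ("12.1", "NDcPP"): (55, 297),
}
# Plain 12.1 is end of life and receives no fix: treat as permanently unpatched.
EOL_LINES = {("12.1", "")}

# Matches e.g. "NetScaler NS13.1: Build 48.47.nc, Date: ...".
VERSION_RE = re.compile(
    r"NS(?P<rel>\d+\.\d+):\s*Build\s+(?P<build>\d+)\.(?P<pt>\d+)\.nc", re.I
)
# Assumption: Gateway and AAA vservers appear in ns.conf as these "add" lines.
EXPOSED_VSERVER_RE = re.compile(r"^add (vpn|authentication) vserver (\S+)", re.M)


def parse_version(show_ns_version: str):
    """Return (release, build, point) parsed from `show ns version` output."""
    m = VERSION_RE.search(show_ns_version)
    if not m:
        raise ValueError("no NetScaler version string found")
    return m.group("rel"), int(m.group("build")), int(m.group("pt"))


def version_status(release: str, build: int, point: int, variant: str = "") -> str:
    """'eol', 'vulnerable', 'fixed' or 'unknown' for this release line.

    `variant` is "" for standard builds, "FIPS" or "NDcPP" for those lines;
    the caller supplies it because the version string alone does not say.
    """
    key = (release, variant)
    if key in EOL_LINES:
        return "eol"
    fixed = FIXED_BUILDS.get(key)
    if fixed is None:
        return "unknown"
    return "vulnerable" if (build, point) < fixed else "fixed"


def exposed_vservers(ns_conf: str):
    """List (kind, name) for every Gateway or AAA virtual server in ns.conf."""
    return [(kind, name) for kind, name in EXPOSED_VSERVER_RE.findall(ns_conf)]


def triage(show_ns_version: str, ns_conf: str, variant: str = "") -> dict:
    """Combine the build check with the configuration prerequisite."""
    rel, build, point = parse_version(show_ns_version)
    status = version_status(rel, build, point, variant)
    vservers = exposed_vservers(ns_conf)
    if status in ("vulnerable", "eol") and vservers:
        verdict = "exploitable"
    elif status in ("vulnerable", "eol"):
        verdict = "unpatched-not-reachable"
    elif status == "fixed":
        verdict = "patched"
    else:
        verdict = "unknown"
    return {
        "release": rel,
        "build": f"{build}.{point}",
        "version_status": status,
        "exposed_vservers": vservers,
        "verdict": verdict,
    }


# Constructed sample inputs (not captured from a real appliance).
SAMPLE_VERSION = (
    "NetScaler NS13.1: Build 48.47.nc, Date: Apr 10 2023, 08:17:22   (64-bit)"
)
SAMPLE_NS_CONF = """\
set ns config -IPAddress 10.0.0.2 -netmask 255.255.255.0
add lb vserver web_lb HTTP 10.0.0.10 80
add vpn vserver gw_vs SSL 10.0.0.5 443
add authentication vserver aaa_vs SSL 10.0.0.6 443
"""

if __name__ == "__main__":
    for k, v in triage(SAMPLE_VERSION, SAMPLE_NS_CONF).items():
        print(f"{k}: {v}")
```

A result of `unpatched-not-reachable` still calls for the update: the prerequisite describes whether the vulnerable code path is reachable today, and adding a Gateway or AAA vserver later exposes it. Because `variant` cannot be derived from the version string, check the platform before trusting a `fixed` verdict on a 13.1 or 12.1 FIPS/NDcPP appliance.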

The CVE-2023-3519 RCE zero-day has most likely been available online since the first week of July, when threat actors started advertising a Citrix ADC zero-day flaw on hacker forums. BleepingComputer has also learned that Citrix was aware of the zero-day advertisement and was working on a patch before making an official disclosure.

CISA also ordered US federal agencies on Wednesday to secure Citrix servers on their networks from ongoing attacks by August 9, and warned that the bug has been used to break into the systems of US critical infrastructure organizations.

"In June 2023, threat actors exploited this vulnerability as a zero-day to drop a webshell on a critical infrastructure organization's NetScaler ADC appliance," CISA said in a separate advisory published on Thursday.