7K Instances Remain Exposed, 460 Compromised

A critical vulnerability in Citrix networking products continues to be exploited by several threat groups, and thousands of instances remain unpatched weeks after a fix was released. According to researchers, around 7,000 NetScaler ADC and NetScaler Gateway instances are still exposed on the internet, and approximately 460 of them have web shells installed as a result of compromise.

Citrix, the cloud computing company, published a patch on July 18 for CVE-2023-3519. The vulnerability, rated “Critical” with a CVSS score of 9.8, allows unauthenticated remote code execution in Citrix’s NetScaler ADC (application delivery controller) and NetScaler Gateway products. Despite the release of the patch, researchers have demonstrated how the vulnerability can be exploited, and attackers have taken advantage of the flaw, installing web shells and carrying out numerous attacks.

The Shadowserver Foundation, an organization that tracks and reports on internet security threats, has found that thousands of exposed NetScaler instances remain unpatched. This leaves many organizations vulnerable to attackers who can install web shells and execute commands on their internal networks at will. Piotr Kijewski, the CEO at Shadowserver, expressed concern about the potential consequences of these vulnerabilities, especially for prominent organizations such as hospitals. He warned that attackers could target these organizations with ransomware in the future if they remain vulnerable.

Shadowserver’s data shows nearly 18,000 exposed, unpatched NetScaler ADC and Gateway IPs at the peak. While that number has been declining, almost 7,000 instances are still unpatched today, with a significant share located in North America and Europe. Researchers have also observed attackers actively compromising these exposed devices: just 10 days after the vulnerability was disclosed, nearly 700 web shells were found installed on NetScaler IPs, indicating compromises related to CVE-2023-3519. That number has decreased since then, but only by 33%.

Initially, the compromises were primarily concentrated in the EU region, with Germany, Switzerland, Italy, and France being the main targets. However, the overwhelming majority of exposed IPs as of Monday are located in the United States, followed by Germany and the United Kingdom. Shadowserver also reported an increase in the number of active exploitation attempts, with a dozen cases recorded on a single day.

Kijewski predicts that there will be more compromises related to this vulnerability and similar ones in the future. He highlights the shift in recent years where threat actors, including state-sponsored groups and criminal organizations, focus on exploiting targeted vulnerabilities, specifically those affecting code used in large organizations. Therefore, it is crucial for organizations to take action to protect their systems.

Apart from applying the patch, Shadowserver advises Citrix customers to engage their incident response teams and, if compromised, either rebuild the system from scratch or restore it from a clean backup or snapshot. They emphasize that today’s web shells could become tomorrow’s cyberattacks, and that it is essential to fix the vulnerability before attackers take advantage of it.
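The first step in that advice, confirming whether each NetScaler instance actually runs a fixed build, is easy to get wrong across release branches. The following script is an added example, not code from the article, Citrix or Shadowserver. It assumes the version strings look like the `NS13.1: Build 48.47.nc` form printed by NetScaler's `show ns version`, the inventory is constructed sample data, and the `FIXED_BUILDS` thresholds are placeholders that must be replaced with the fixed builds listed in Citrix's advisory for CVE-2023-3519.

```python
"""Triage a NetScaler inventory into patched / exposed / needs-manual-review.

Added example, not part of the article. The build-number thresholds below are
constructed placeholders, NOT the vendor's numbers; replace them with the
fixed builds from Citrix's advisory for CVE-2023-3519 before real use.
"""
import re
from typing import Dict, List, Optional, Tuple

Build = Tuple[int, int]

# Placeholder per-branch thresholds: the first build assumed to carry the fix.
FIXED_BUILDS: Dict[str, Build] = {
    "13.1": (50, 0),   # placeholder, not the real fixed build
    "13.0": (92, 0),   # placeholder, not the real fixed build
}

# Matches the "NS<branch>: Build <major>.<minor>" fragment of `show ns version`.
VERSION_RE = re.compile(
    r"NS(?P<branch>\d+\.\d+):\s*Build\s+(?P<major>\d+)\.(?P<minor>\d+)"
)


def parse_version(text: str) -> Optional[Tuple[str, Build]]:
    """Return (branch, (major, minor)) from a version string, or None if unparseable."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return m.group("branch"), (int(m.group("major")), int(m.group("minor")))


def classify(text: str, fixed: Dict[str, Build] = FIXED_BUILDS) -> str:
    """Classify one version string.

    Anything we cannot prove patched (unparseable output, a branch with no known
    fixed build) is deliberately not reported as 'patched'.
    """
    parsed = parse_version(text)
    if parsed is None:
        return "unknown"              # could not read a build: review by hand
    branch, build = parsed
    threshold = fixed.get(branch)
    if threshold is None:
        return "unsupported-branch"   # no fixed build known for this branch
    # Tuple comparison handles major/minor ordering (50.2 > 48.47).
    return "patched" if build >= threshold else "exposed"


def triage(inventory: Dict[str, str], fixed: Dict[str, Build] = FIXED_BUILDS) -> Dict[str, List[str]]:
    """Group hosts by patch status so the exposed ones can be handed to IR first."""
    buckets: Dict[str, List[str]] = {
        "patched": [], "exposed": [], "unsupported-branch": [], "unknown": []
    }
    for host, version in inventory.items():
        buckets[classify(version, fixed)].append(host)
    return buckets


# Constructed sample inventory (hostnames and builds are made up).
SAMPLE_INVENTORY: Dict[str, str] = {
    "gw-01.example.test": "NetScaler NS13.1: Build 50.2.nc, Date: Jan 1 2000",
    "gw-02.example.test": "NetScaler NS13.1: Build 48.47.nc, Date: Jan 1 2000",
    "gw-03.example.test": "NetScaler NS13.0: Build 91.13.nc, Date: Jan 1 2000",
    "gw-04.example.test": "NetScaler NS12.1: Build 65.35.nc, Date: Jan 1 2000",
    "gw-05.example.test": "",   # device did not answer; must not count as patched
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:19s} {hosts}")
```

The design choice worth noting is the two non-binary buckets: a host whose build cannot be read, or whose branch has no known fixed build, is never counted as patched, which keeps the "still exposed" list conservative in the way Shadowserver's counting is.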

In conclusion, the exploitation of the critical vulnerability in Citrix networking products persists, with thousands of instances remaining unpatched. Organizations need to take immediate action to address this vulnerability and protect their systems against potential cyberattacks.
