A critical vulnerability in Citrix ShareFile that was first disclosed in June has been added to the Known Exploited Vulnerabilities catalog by the Cybersecurity and Infrastructure Security Agency (CISA). The vulnerability, tracked as CVE-2023-24489, affects the customer-managed ShareFile storage zones controller. It carries a critical CVSS score of 9.8 and can allow an unauthenticated attacker to remotely compromise the cloud-based managed file transfer (MFT) product. Citrix, the company behind ShareFile, addressed the flaw in a security bulletin and advised users to upgrade to the fixed version.
Recently, there has been an increase in active exploitation of CVE-2023-24489. CISA added the vulnerability to its Known Exploited Vulnerabilities catalog, indicating that the government agency has observed adversary activity. As a result, enterprises are urged to prioritize remediation to protect their systems. Furthermore, cybersecurity vendor GreyNoise has reported a spike in attacker activity following the addition of the vulnerability to the catalog.
GreyNoise observed 72 IP addresses attempting to exploit the ShareFile vulnerability on August 15, the day before it was added to the catalog. The cybersecurity vendor noted that attackers appear to be leveraging compromised infrastructure in both South Korea and the United States to carry out these attacks. ShareFile encrypts data with AES in cipher block chaining (CBC) mode with PKCS#7 padding, but GreyNoise explained that the vulnerability stems from a design flaw: the application fails to correctly validate the decrypted data. GreyNoise and CISA have both strongly advised users to apply the latest patch to mitigate the risk.
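The design flaw GreyNoise describes, decrypted data that is never authenticated, is illustrated by the added example below; it is not code from ShareFile, Citrix, GreyNoise or Assetnote. A naive AES-CBC/PKCS#7 path accepts a ciphertext with one flipped bit as long as the padding byte still parses, while an encrypt-then-MAC check rejects the same input before decryption runs. The keys, IV and token are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
)

// mac returns the encrypt-then-MAC tag: HMAC-SHA256 over iv||ct.
func mac(macKey, iv, ct []byte) []byte {
	m := hmac.New(sha256.New, macKey)
	m.Write(append(append([]byte{}, iv...), ct...))
	return m.Sum(nil)
}
func naiveDecrypt(key, iv, ct []byte) ([]byte, error) { // flawed: decrypt, strip padding, trust
	block, err := aes.NewCipher(key)
	if err != nil || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("bad key or ciphertext length")
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	if n := int(pt[len(pt)-1]); n >= 1 && n <= aes.BlockSize {
		return pt[:len(pt)-n], nil // altered input is accepted whenever the last byte still parses
	}
	return nil, errors.New("bad padding")
}
func verifiedDecrypt(encKey, macKey, iv, ct, tag []byte) ([]byte, error) { // tag checked first
	if !hmac.Equal(mac(macKey, iv, ct), tag) { // constant-time compare before any decryption
		return nil, errors.New("authentication failed")
	}
	return naiveDecrypt(encKey, iv, ct)
}

// Demo seals a constructed token, flips one ciphertext bit, and reports whether the
// naive path accepted the altered data and whether the verified path rejected it.
func Demo() (naiveAccepted, verifiedRejected bool) {
	encKey, macKey, iv := []byte("0123456789abcdef"), []byte("fedcba9876543210"), make([]byte, aes.BlockSize) // constructed keys, zero IV for determinism only
	pt := []byte("role=user;file=report.pdf") // constructed token: 25 bytes, two blocks once padded
	n := aes.BlockSize - len(pt)%aes.BlockSize
	padded := append(append([]byte{}, pt...), bytes.Repeat([]byte{byte(n)}, n)...)
	block, _ := aes.NewCipher(encKey)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	tag := mac(macKey, iv, ct)
	ct[0] ^= 0x01 // garbles plaintext block 1 and one byte of block 2; the padding byte survives
	out, err := naiveDecrypt(encKey, iv, ct)
	_, err2 := verifiedDecrypt(encKey, macKey, iv, ct, tag)
	return err == nil && !bytes.Equal(out, pt), err2 != nil
}
```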
In addition to the active exploitation, GreyNoise also highlighted the publication of proof of concept (PoC) exploits for CVE-2023-24489 on GitHub. This increases the likelihood that attackers will leverage the vulnerability in future attacks. However, it is worth noting that the PoC exploits were first released by researchers at cybersecurity vendor Assetnote in July. The PoC was accompanied by a blog post urging developers to exercise caution when working with cryptographic code due to the potential for subtle mistakes.
ShareFile is not the only managed file transfer (MFT) product that has been targeted recently. The Clop ransomware gang has been conducting an ongoing campaign against Progress Software MOVEit Transfer customers since May, starting with a zero-day attack. The fallout from these attacks has been significant, with victims still emerging three months later. Additionally, the Clop operators exploited another zero-day flaw in Fortra's GoAnywhere MFT product, which affected prominent victims such as Rubrik, Hitachi Energy, and various healthcare organizations.
The increasing exploitation of the Citrix ShareFile vulnerability underscores the importance of prompt patching and strengthening cybersecurity measures. As threat actors continue to discover and exploit vulnerabilities, organizations must remain vigilant and take proactive steps to ensure the security of their systems and sensitive data.