First Exploitation of Citrix ShareFile RCE Vulnerability Detected

July 28, 2023

Exploitation of a recent critical vulnerability in Citrix ShareFile, a popular cloud-based file-sharing and collaboration solution, has begun, according to threat intelligence company GreyNoise.

ShareFile allows users to store files in their own data centers via a storage zones controller, a .NET web application running under Internet Information Services (IIS). The vulnerability, tracked as CVE-2023-24489 with a CVSS score of 9.1, was due to errors that enable unauthenticated file upload, which could then be exploited to achieve remote code execution (RCE), according to attack surface management firm Assetnote, which discovered and reported the bug.

According to Assetnote, there are between 1,000 and 6,000 internet-accessible ShareFile instances, making it a potential target for attackers, as it may contain sensitive data. “Although the [vulnerable] endpoint is not enabled in all configurations, it has been common amongst the hosts we have tested. Given the number of instances online and the reliability of the exploit, we have already seen a big impact from this vulnerability,” Assetnote stated.

In June 2023, Citrix released ShareFile storage zones controller version 5.11.24 to patch the flaw, warning that the vulnerability could lead to a full application compromise. “A vulnerability has been discovered in the customer-managed ShareFile storage zones controller which, if exploited, could allow an unauthenticated attacker to remotely compromise the customer-managed ShareFile storage zones controller,” the company announced in an advisory.

In early July, Assetnote released proof-of-concept (PoC) code targeting the vulnerability. Since then, additional PoC exploits have been released, increasing the chances of exploitation in the wild. GreyNoise has now created a tag for CVE-2023-24489 to track exploitation attempts, and the first exploit attempts were recorded earlier this week. “GreyNoise has observed IPs attempting to exploit this vulnerability. Two have never seen GreyNoise before this activity,” the threat intelligence firm reported.

Citrix ShareFile customers using storage zones controllers are advised to update their installations as soon as possible to protect against this vulnerability.
