Unauthenticated attackers are exploiting a critical remote code execution (RCE) bug, CVE-2023-3519, with thousands of Citrix NetScaler ADC and Gateway servers likely vulnerable. The Shadowserver Foundation, a non-profit dedicated to improving internet security, revealed that at least 15,000 appliances were potentially exposed to attacks leveraging the flaw, based on their version information. The organization stated, "We tag all IPs where we see a version hash in a Citrix instance. This is due to the fact that Citrix has removed version hash information in recent revisions," adding that it's safe to assume all instances that still provide version hashes may be vulnerable. They also acknowledged they might be underestimating the number of exposed servers.
Citrix released security updates to address this RCE vulnerability on July 18th, stating that "exploits of CVE-2023-3519 on unmitigated appliances have been observed" and urging customers to install the patches as soon as possible. The company clarified that unpatched NetScaler appliances must be configured as a gateway or an authentication virtual server to be vulnerable to attacks.
The CVE-2023-3519 RCE zero-day had likely been available online since early July, when a threat actor started advertising the Citrix ADC zero-day flaw on a hacker forum. Citrix was reportedly aware of the zero-day advertisement and was working on a patch before releasing an official disclosure. On the same day, Citrix also patched two other high-severity vulnerabilities, CVE-2023-3466 and CVE-2023-3467. The former allows attackers to launch reflected cross-site scripting (XSS) attacks by tricking targets into loading a malicious link in their web browser, while the latter allows privilege elevation to gain root permissions. However, the latter requires authenticated access to the vulnerable appliance's management interface.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to secure Citrix servers on their networks against ongoing attacks by August 9th, warning that the bug was already used to breach the systems of a U.S. critical infrastructure organization. CISA stated in an advisory, "In June 2023, threat actors exploited this vulnerability as a zero-day to drop a webshell on a critical infrastructure organization’s NetScaler ADC appliance," adding that the actors attempted to move laterally to a domain controller but were blocked by network-segmentation controls for the appliance.