Thousands of Citrix servers are vulnerable to a recent zero-day bug

At least 15,000 Citrix servers are exposed to attacks exploiting a recently disclosed zero-day vulnerability affecting Citrix NetScaler ADC and NetScaler Gateway products.

Networking equipment maker Citrix released security updates last week to fix the zero-day, tracked as CVE-2023-3519, as well as two less severe vulnerabilities (CVE-2023-3466 and CVE-2023-3467). The zero-day is a code injection flaw that can lead to remote code execution, while the other two are a cross-site scripting issue and an improper access control issue that a remote attacker could use to carry out cross-site scripting (XSS) attacks or escalate privileges on the system.

The US Cybersecurity and Infrastructure Security Agency (CISA) said that CVE-2023-3519 was exploited against a critical infrastructure organization. Threat actors exploited the vulnerability to drop a web shell on a non-production NetScaler ADC appliance. The web shell enabled the actors to perform discovery on the victim's Active Directory (AD) and to collect and exfiltrate AD data.

According to data from the non-profit Shadowserver Foundation, more than 15,000 Citrix servers are susceptible to attacks using CVE-2023-3519. Most of the vulnerable servers are located in the United States (5,700), Germany (1,500), the UK (1,000), and Australia (585).