Pierluigi Paganini August 16, 2023

A threat actor has compromised roughly 2,000 Citrix NetScaler servers exploiting a remote code execution tracked as CVE-2023-3519.

In July Citrix warned customers of a critical vulnerability, tracked as CVE-2023-3519 (CVSS score: 9.8), in NetScaler Application Delivery Controller (ADC) and Gateway that is being actively exploited in the wild

The vulnerability CVE-2023-3519 (CVSS score: 9.8) is a code injection that could result in unauthenticated remote code execution. The IT giant warns of the availability of exploits for this vulnerability that have been observed in attacks against unmitigated appliances. The company added that successful exploitation requires that the appliance is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server.

“Exploits of CVE-2023-3519 on unmitigated appliances have been observed. Cloud Software Group strongly urges affected customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions as soon as possible.” reads the report published by Citrix.

The Citrix Cloud Software Group is strongly urging affected customers to install the relevant updated versions as soon as possible. 

The U.S. CISA revealed that threat actors are exploiting the vulnerability to drop web shells on vulnerable systems.

Now, NCC Group researchers warned of an ongoing massive campaign that already compromised more than 1,950 NetScaler instances, while at the time of these attacks, 31127 NetScalers were vulnerable to CVE-2023-3519.

“Fox-IT (part of NCC Group) has uncovered a large-scale exploitation campaign of Citrix NetScalers in a joint effort with the Dutch Institute of Vulnerability Disclosure (DIVD). An adversary appears to have exploited CVE-2023-3519 in an automated fashion, placing webshells on vulnerable NetScalers to gain persistent access.” reads the advisory published by NCC. “The adversary can execute arbitrary commands with this webshell, even when a NetScaler is patched and/or rebooted. At the time of writing, more than 1900 NetScalers remain backdoored.“

Using the data supplied by Fox-IT, the Dutch Institute of Vulnerability Disclosure has notified victims.

As of August 14th, 1828 Citrix NetScalers are still compromised, and of the backdoored NetScalers, 1248 are patched for CVE-2023-3519.

“At the time of writing, approximately 69% of the NetScalers that contain a backdoor are not vulnerable anymore to CVE-2023-3519. This indicates that while most administrators were aware of the vulnerability and have since patched their NetScalers to a non-vulnerable version, they have not been (properly) checked for signs of successful exploitation.” continues the report.

The high percentage of patched NetScalers that have been compromised is likely a result of the time at which the campaign took place, between late July 20th and early July 21st.

As of August 14, most of the backdoored instances are in Germany, France and Switzerland.

“CVE-2023-3519 was exploited in targeted attacks before a patch was available and was later exploited on a large scale. System administrators need to be aware that adversaries can exploit edge devices to place backdoors that persist even after updates and / or reboots.” concludes the report.”As of now, it is strongly advised to check NetScalers, even if they have been patched and updated to the latest version.”

Mandiant this week released a tool to help organizations scan their Citrix appliances for evidence of post-exploitation activity related to CVE-2023-3519. The tool contains indicators of compromise (IOCs) collected during Mandiant investigations and sourced from our partners and the community. Head over to the Mandiant GitHub page to download the tool today to scan your appliances.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, NetScaler)