Scroll Top

Over 600+ Citrix servers compromised in ongoing attacks: urgent security update required


A critical remote code execution (RCE) vulnerability, known as CVE-2023-3519, has become the target of a series of attacks, leading to the compromise and backdooring of hundreds of Citrix Netscaler ADC and Gateway servers. Security experts from the Shadowserver Foundation, a nonprofit organization focused on advancing internet security, have reported that attackers utilized web shells to compromise at least 640 Citrix servers during these attacks.

Initially used as a zero-day attack on a critical infrastructure organization’s network in the United States, the vulnerability has now been widely exploited since July 20th. Shadowserver CEO, Piotr Kijewski, remarked, “We can say it’s fairly standard China Chopper, but we do not want to disclose more under the circumstances. I can say the amount we detect is much lower than the amount we believe to be out there, unfortunately.”

The situation prompted Shadowserver to issue a public mailing list warning, urging Citrix appliance users to patch their systems immediately. They stated, “We report on compromised appliances with webshells in your network (640 for 2023-07-30). We are aware of widespread exploitation happening July 20th already. If you did not patch by then, please assume compromise. We believe the actual amount of CVE-2023-3519 related web shells to be much higher than 640.”

Citrix has confirmed that approximately 15,000 Citrix appliances were initially vulnerable to the CVE-2023-3519 attack, but that number has decreased to below 10,000 over the past two weeks, showing some improvement in mitigating the vulnerability. Most of the affected servers are located in the United States and Germany.

The specific details of the ongoing attacks reveal that threat actors exploited the CVE-2023-3519 vulnerability as a zero-day in June 2023, deploying a web shell on a critical infrastructure organization’s NetScaler ADC appliance. The web shell allowed the attackers to access the victim’s active directory (AD) and exfiltrate sensitive AD data. Although they attempted to move laterally to a domain controller, network-segmentation controls for the appliance thwarted their efforts.

Citrix has since issued security updates on July 18th to address the RCE vulnerability, acknowledging that exploits were observed on vulnerable appliances. The company strongly urges all affected customers of NetScaler ADC and NetScaler Gateway to install the relevant updates as soon as possible.

This critical situation has caught the attention of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which has given federal agencies until August 9th to safeguard Citrix servers on their networks in response to the continuous attacks.

Additionally, ransomware gangs, such as REvil and DoppelPaymer, have previously exploited similar Citrix Netscaler ADC and Gateway vulnerabilities to breach corporate networks. Therefore, strongly advises concerned customers to promptly install the necessary updates to protect their systems from potential cyber threats.

As the attacks persist, it is crucial for organizations using Citrix Netscaler ADC and Gateway servers to take immediate action by applying the provided security updates and implementing necessary security measures to safeguard their networks and data from exploitation.

Leave a comment

You must be logged in to post a comment.
Privacy Preferences
When you visit our website, it may store information through your browser from specific services, usually in form of cookies. Here you can change your privacy preferences. Please note that blocking some types of cookies may impact your experience on our website and the services we offer.