Attackers are actively exploiting a code injection vulnerability in Citrix NetScaler ADC and Gateway servers to gain remote access and exfiltrate data. The remote code execution (RCE) vulnerability is being tracked as CVE-2023-3519.
Security researchers from the non-profit Shadowserver Foundation estimate attackers have used the vulnerability to deploy web shells on at least 640 Citrix servers, with thousands of unpatched servers potentially impacted.
According to the Cybersecurity & Infrastructure Security Agency (CISA), attackers have already used the vulnerability to breach the network of an unnamed U.S. critical infrastructure organization.
“The webshell enabled the actors to perform discovery on the victim’s active directory (AD) and collect and exfiltrate AD data. The actors attempted to move laterally to a domain controller but network-segmentation controls for the appliance blocked movement,” CISA said.
The vulnerability mainly affects NetScaler appliances configured as a gateway or as an authentication, authorization and accounting (AAA) virtual server.
Citrix released a patch for the RCE vulnerability on July 18, 2023, along with fixes for two other high-severity vulnerabilities: a reflected cross-site scripting (XSS) flaw (CVE-2023-3466) and a privilege escalation flaw (CVE-2023-3467).