Multiple Citrix NetScaler ADC and Gateway servers have been compromised by attackers using a critical code injection vulnerability identified as CVE-2023-3519, reports the Shadowserver Foundation. This vulnerability, which Citrix addressed in a recent update, has a high severity rating of 9.8. The attacks mainly target servers in Germany, France, Switzerland, Italy, Sweden, Spain, Japan, China, Austria, and Brazil, deploying web shells for unauthorized access.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) had previously disclosed an attack using this vulnerability against a critical infrastructure entity in June 2023.
Additionally, GreyNoise observed attempts to exploit another significant Citrix vulnerability, CVE-2023-24489, in the Citrix ShareFile system. This flaw, rated 9.1, allows unauthenticated file uploads and remote code execution, and has been fixed in ShareFile version 5.11.24 onwards.
Assetnote, a company specializing in attack surface management, identified this vulnerability, linking it to a simpler form of a padding oracle attack. Security expert Dylan Pindur highlighted the importance of understanding the behavior of AES encryption in .NET, particularly with Cipher Block Chaining mode and PKCS#7 padding, to identify potential padding oracle attacks.
The Shadowserver Foundation further updated that nearly 7,000 unpatched NetScaler ADC and Gateway instances remain online, with CVE-2023-3519 being actively exploited to install PHP web shells for remote access.