Despite the availability of patches, approximately 15,000 internet-facing Citrix servers remain unprotected against known security vulnerabilities. Citrix warned last week about three actively exploited weaknesses in its NetScaler ADC and NetScaler Gateway products. One of these, CVE-2023-3519, rated critical with a CVSS score of 9.8, allows attackers to execute malicious code (remote code execution, RCE) and still affects around 15,000 unpatched Citrix servers globally, including about 1,500 in Germany, according to Shadowserver researchers.
To identify vulnerable servers, the researchers took advantage of the fact that Citrix removed version information hashes in recent software updates. Instances still exposing version hashes were deemed outdated and potentially at risk. Initially, they flagged 11,170 susceptible servers. However, this method underestimated the number, as some older Citrix instances without version hashes were also vulnerable. The researchers later refined their approach, flagging all IPs whose ‘Last-Modified’ headers were dated before July 1, 2023, as vulnerable, which revealed at least 15,000 vulnerable Citrix servers.
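The two-stage heuristic described above, as an added example for checking one's own appliance inventory; this is not Shadowserver's code, the response heads are constructed, and because the article does not say where the version hash appears, its presence is passed in by the caller:

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Shadowserver's refined rule as described above: anything whose Last-Modified
# predates the July 2023 fixes is treated as unpatched (assumption: UTC cutoff).
PATCH_CUTOFF = datetime(2023, 7, 1, tzinfo=timezone.utc)


def parse_response_head(raw: str) -> dict:
    """Split a raw HTTP response head (status line plus headers) into a
    lower-cased header dict; duplicate names keep the last value."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def classify(raw_head: str, exposes_version_hash: bool) -> str:
    """Return 'likely-unpatched', 'likely-patched' or 'unknown' for one appliance.

    exposes_version_hash is supplied by the caller (hypothetical input: the
    article does not say where in the response the hash appears). A present
    hash is decisive; otherwise the Last-Modified date decides; else unknown.
    """
    if exposes_version_hash:
        return "likely-unpatched"          # fixed builds no longer ship the hash
    last_modified = parse_response_head(raw_head).get("last-modified")
    if last_modified is None:
        return "unknown"                   # no signal either way
    try:
        stamp = parsedate_to_datetime(last_modified)
    except (ValueError, TypeError):        # malformed date: do not guess
        return "unknown"
    if stamp.tzinfo is None:               # a "-0000" zone yields a naive datetime
        stamp = stamp.replace(tzinfo=timezone.utc)
    return "likely-unpatched" if stamp < PATCH_CUTOFF else "likely-patched"


# Constructed sample response heads (not real appliance output).
OLD_BUILD = "HTTP/1.1 200 OK\r\nLast-Modified: Mon, 19 Jun 2023 10:00:00 GMT\r\n"
NEW_BUILD = "HTTP/1.1 200 OK\r\nLast-Modified: Tue, 18 Jul 2023 14:30:00 GMT\r\n"
NO_SIGNAL = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"

if __name__ == "__main__":
    for name, head in (("old", OLD_BUILD), ("new", NEW_BUILD), ("none", NO_SIGNAL)):
        print(name, classify(head, exposes_version_hash=False))
```

As the article's own correction shows, the hash check alone undercounts, so an "unknown" result should be resolved by checking the installed build on the appliance rather than treated as patched.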
The situation gained further gravity when the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2023-3519 to its Known Exploited Vulnerabilities catalog following an incident at a critical U.S. infrastructure organization, where attackers exploited the flaw to plant a webshell on a NetScaler ADC appliance. This allowed them to steal data from the target’s Active Directory.
Citrix has been urging administrators to apply patches released since July 18, addressing CVE-2023-3519 and two other dangerous vulnerabilities (CVE-2023-3466 and CVE-2023-3467). The issue became more pressing with evidence of cybercriminals actively exploiting CVE-2023-3519 since early July.
The vulnerabilities affect various versions of NetScaler ADC and NetScaler Gateway, and Citrix has published fixed product versions for each. Rapid7, a cybersecurity analysis firm, identified CVE-2023-3519 as a critical zero-day vulnerability and urged immediate updates given its severity and active exploitation by threat actors. The Shadowserver Foundation discovered over 15,000 vulnerable Citrix NetScaler ADC and Gateway servers worldwide, with the largest numbers in the U.S., Germany, the U.K., and Australia. Described as a straightforward unauthenticated stack overflow, the vulnerability is easy to exploit, which makes prompt patching critical.