Hundreds of Citrix Endpoints Compromised With Webshells

Written by

Around 600 global Citrix servers have been compromised by a zero-day exploit enabling webshells to be installed, according to a non-profit tracking the ongoing campaign.

The Shadowserver Foundation tweeted on 2 August that the number of impacted endpoints stood at 581, but the figure is thought to be just the tip of the iceberg.

The biggest number of impacted IPs are based in Germany, followed by France and Switzerland.

As reported by Infosecurity last week, the malicious campaign exploits zero-day vulnerability CVE-2023-3519 to compromise NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway servers.

Subscribe to the Infosecurity Magazine newsletter here. 

Vulnerability Patching 

The unauthenticated remote code execution vulnerability was patched by Citrix on July 15 and has a CVSS score of 9.8.

“Exploits of CVE-2023-3519 on unmitigated appliances have been observed,” Citrix warned at the time. “Cloud Software Group strongly urges affected customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions as soon as possible.”

At the time, Citrix also patched two other vulnerabilities: reflected cross-site scripting bug CVE-2023-3466, and CVE-2023-3467, which enables privilege escalation to root administrator.

Warning from Shadowserver 

The Shadowserver Foundation, which monitors malicious internet activity across the globe, alerted Citrix users to the campaign last week. It warned that over 15,000 NetScaler ADC and NetScaler Gateway servers were at risk of compromise, with the biggest number based in the US, followed by Germany, the UK and Australia.

Read more on Citrix vulnerabilities: Citrix Admins Urged to Act as PoC Exploits Surface

The zero-day was originally exploited to drop webshells onto an unnamed US critical infrastructure organization’s non-production environment, according to the US Cybersecurity and Infrastructure Security Agency (CISA).

“The webshell enabled the actors to perform discovery on the victim’s active directory (AD) and collect and exfiltrate AD data,” it continued. “The actors attempted to move laterally to a domain controller but network segmentation controls for the appliance blocked movement.”

That attack happened back in June 2023.

Editorial image credit: Ken Wolter /

What’s hot on Infosecurity Magazine?