Thousands of Citrix Servers Exposed to Zero-Day Bug

Written by

Over 15,000 Citrix servers worldwide are at risk of compromise unless administrators patch urgently, a leading security non-profit has warned.

The Shadowserver Foundation trawls the internet for data on malicious activity. It revealed in a Twitter post on Friday that, of the impacted servers, the largest number were based in the US (5700) followed by Germany (1500), the UK (1000) and Australia (582).

Read more on Citrix vulnerabilities: Citrix Admins Urged to Act as PoC Exploits Surface

“This assessment is version based – that is we tag all IPs where we see a version hash in a Citrix instance. This is due to the fact that Citrix has removed version hash information in recent revisions, including the latest update with the fix,” the non-profit explained in a longer note on its website.

“It is thus safe to assume in our view that all instances that still provide version hashes have not been updated and thus, providing no mitigation is in place, remain vulnerable. In addition, we have also added tagged as vulnerable instances that return a ‘Last Modified’ headers with a date before July 1, 2023 00:00:00Z. Make sure to update.”

Citrix posted an advisory about the vulnerability (CVE-2023-3519), and two others, on July 18. The unauthenticated remote code execution bug has a CVSS score of 9.8, marking it down as critical.

It impacts NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) and emerged as a zero-day vulnerability in early July after being advertised online by a threat actor.

“Exploits of CVE-2023-3519 on unmitigated appliances have been observed,” Citrix warned. “Cloud Software Group strongly urges affected customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions as soon as possible.”

The two other vulnerabilities listed in the advisory are CVE-2023-3466, a reflected cross-site scripting bug, and CVE-2023-3467, which enables privilege escalation to root administrator.

What’s hot on Infosecurity Magazine?