
Critical Vulnerability Exploited: Over 2,000 Citrix NetScaler Instances Compromised

Approximately 2,000 instances of Citrix NetScaler have fallen victim to a backdoor compromise. This incident arises from the exploitation of a critical security vulnerability, CVE-2023-3519, that was recently disclosed. The breach was executed as part of a large-scale attack, emphasizing the increasing sophistication of cyber adversaries.

NCC Group, a renowned cybersecurity firm, indicated that the adversary behind this breach appears to have automated the exploitation process. By capitalizing on the vulnerability, the attackers managed to implant web shells onto vulnerable NetScalers, effectively establishing persistent access. This injected web shell enables the adversary to execute arbitrary commands, granting them control even in cases where a NetScaler has been patched or rebooted.

CVE-2023-3519 pertains to a critical code injection flaw affecting NetScaler ADC and Gateway servers. It exposes these systems to the risk of unauthenticated remote code execution. Citrix reacted promptly to this vulnerability, issuing a patch last month to mitigate the risk.

This news follows closely on the heels of a revelation made by the Shadowserver Foundation, which identified nearly 7,000 unpatched and vulnerable NetScaler ADC and Gateway instances online. These instances are being actively exploited to deploy PHP web shells onto the compromised servers, granting remote access to the attackers.

Backdoors Still Exist in NetScaler Servers

NetScaler servers still harbor the backdoor, despite approximately 1,248 of them having undergone the patching process. This underscores a gap in security posture: administrators closed the vulnerability, but a patch does not remove a web shell that was implanted before it was applied, so the earlier compromise remained in place unless the appliance was also checked and cleaned.
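Because patching removes the entry point but not a web shell that is already on disk, a defender needs a separate check of the web-facing file system. The following is an added example written for this post, not Mandiant's scanner or any Citrix tooling: a small heuristic scanner that walks a web root, looks only at PHP files, and flags those that combine request-input access with code- or command-execution primitives. The directory layout, the sample files and the pattern list are all constructed for illustration; real scanning should use vendor-published indicators in addition to heuristics like these.

```python
import os
import re
import tempfile
from pathlib import Path

# Heuristic patterns often present in PHP web shells: request input feeding
# execution or decoding primitives. These are assumptions for this example,
# not published indicators for CVE-2023-3519.
SUSPICIOUS_PATTERNS = {
    "code-exec": re.compile(r"\b(eval|assert)\s*\(", re.I),
    "cmd-exec": re.compile(r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(", re.I),
    "request-input": re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b"),
    "decoder": re.compile(r"\bbase64_decode\s*\(", re.I),
}

PHP_EXTENSIONS = (".php", ".phtml", ".php5")


def score_php_file(path):
    """Return (score, list of matched pattern names) for one file.

    The score is simply the number of distinct pattern families present;
    a single hit is common in legitimate code, two or more is worth review.
    """
    try:
        text = Path(path).read_text(errors="replace")
    except OSError:
        return 0, []
    hits = [name for name, pat in SUSPICIOUS_PATTERNS.items() if pat.search(text)]
    return len(hits), hits


def scan_web_root(root, min_score=2, modified_after=None):
    """Walk `root` and return findings for PHP files scoring >= min_score.

    `modified_after` (epoch seconds) optionally restricts results to files
    changed after a known-good point, e.g. the last verified deployment.
    """
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(PHP_EXTENSIONS):
                continue
            full = os.path.join(dirpath, name)
            if modified_after is not None and os.path.getmtime(full) <= modified_after:
                continue
            score, hits = score_php_file(full)
            if score >= min_score:
                findings.append({"path": full, "score": score, "hits": hits})
    return sorted(findings, key=lambda f: -f["score"])


def build_sample_tree():
    """Create a constructed web root in a temp dir and return its path.

    index.php is benign; upload.php reads request input and base64-decodes
    it (two pattern families, so it is flagged); style.css contains an
    'eval(' token but is skipped because it is not a PHP file.
    """
    root = tempfile.mkdtemp(prefix="webroot-sample-")
    Path(root, "index.php").write_text("<?php echo 'hello'; ?>\n")
    Path(root, "upload.php").write_text(
        "<?php\n$in = $_GET['q'];\n$out = base64_decode($in);\necho strlen($out);\n"
    )
    Path(root, "style.css").write_text("/* eval( appears here but this is CSS */\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for finding in scan_web_root(sample_root):
        print(f"{finding['score']}  {finding['path']}  {', '.join(finding['hits'])}")
```

Run it as-is to see the constructed sample flagged; on a real appliance, point `scan_web_root` at the web-facing directories and set `modified_after` to the timestamp of the last trusted deployment so that only files touched since then are reviewed.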

A total of 2,491 web shells have been identified across 1,952 distinct NetScaler appliances. Geographically, the compromised instances are predominantly concentrated in European nations such as Germany, France, Switzerland, and others. Intriguingly, while Canada, Russia, and the U.S. had thousands of vulnerable NetScaler servers, no instances of web shell compromise were detected on these systems.

The scope of this mass exploitation campaign is estimated to have impacted approximately 6.3% of the 31,127 NetScaler instances susceptible to CVE-2023-3519 as of July 21, 2023.

The disclosure aligns with Mandiant’s recent release of an open-source tool intended to aid organizations in scanning their Citrix appliances for signs of post-exploitation activity related to CVE-2023-3519.
