Cybersecurity Advisory – Threat Actors Exploiting Citrix CVE-2023-3519 to Implant Webshells

Created: Tuesday, July 25, 2023 - 14:50
Categories:
Cybersecurity

Last week, CISA published a Cybersecurity Advisory (CSA) to warn network defenders about threat actors exploiting CVE-2023-3519, an unauthenticated remote code execution (RCE) vulnerability affecting NetScaler (formerly Citrix) Application Delivery Controller (ADC) and NetScaler Gateway.

In June 2023, threat actors exploited CVE-2023-3519 (CVSS score: 9.8), an unauthenticated remote code execution vulnerability, as a zero-day to drop a webshell on a critical infrastructure organization’s NetScaler ADC appliance, according to the advisory. The webshell enabled the threat actors to perform discovery on the victim’s Active Directory (AD) and to collect and exfiltrate AD data. The attackers attempted to move laterally to a domain controller, but network-segmentation controls for the appliance blocked movement. The victim organization identified the compromise and reported the activity to CISA and Citrix. Citrix released a patch for this vulnerability on July 18, 2023.

Highlighting the widespread risk of this vulnerability, multiple researchers have been closely tracking the attack surface, and it’s believed that nearly 20,000 Citrix servers may be exposed to CVE-2023-3519 exploitation based on version information, with most of the servers located in the U.S. and Germany.

The advisory provides tactics, techniques, and procedures (TTPs) and victim-created detection guidance to help network defenders check for signs of compromise. If no compromise is detected, organizations should immediately apply patches provided by Citrix. CISA recommends that all organizations review the advisory, check to determine if this activity is on their networks, conduct incident response if compromise is detected, and implement recommended mitigations. To report incidents and anomalous activity, please contact CISA, either through the agency’s Incident Reporting System or the 24/7 Operations Center at report@cisa.gov or (888) 282-0870. Access the full advisory at CISA.