2000+ Citrix NetScalers Hacked to Deploy Webshell to Establish Persistent Communication

It has been discovered that an attacker installed web shells on susceptible Citrix NetScalers, exploiting the CVE-2023-3519 flaw to acquire persistent access. 

This critical zero-day vulnerability poses a significant risk as it can enable remote code execution (RCE) on both NetScaler ADC and NetScaler Gateway.

Exploiting this vulnerability, malicious actors have been successful in implanting web shells into the crucial infrastructure of an organization.

Even after a NetScaler has been patched and/or rebooted, the attacker can still run arbitrary commands using this web shell

According to Fox-IT (part of NCC Group), in a joint effort with the Dutch Institute of Vulnerability Disclosure (DIVD) reports that more than 1900 NetScalers are still backdoored.

Detecting NetScalers with Backdoors

Based on the findings, the attacker had automated exploitation on a massive scale. Although the identified web shells return a 404 Not Found, the response still differs from how Citrix servers typically react to a request for a file that does not exist. 

Moreover, unless supplied with the right arguments, the web shell won’t run any commands on the target system.

“Approximately 69% of the NetScalers that contain a backdoor are not vulnerable anymore to CVE-2023-3519”, Fox-IT reports.

“This indicates that while most administrators were aware of the vulnerability and have since patched their NetScalers to a non-vulnerable version, they have not been (properly) checked for signs of successful exploitation.”

NetScalers Vulnerable to (CVE-2023-3519) || Source: Fox-IT

While patches were being applied, exploitation took place at a large scale between July 20th and July 21st.

A total of 2491 web shells have been discovered among 1952 distinct NetScalers. On July 21st, were 31127 NetScalers susceptible to CVE-2023-3519 worldwide, indicating that the exploitation effort affected 6.3% of all vulnerable NetScalers.

The vast majority of vulnerable NetScalers are located in Europe. Only two of the top 10 impacted nations are outside of Europe. Furthermore, there is no specific industry that is being targeted.


Hence, this highlights that even when Citrix servers are upgraded, backdoors can continue functioning. 

Because of this, it is recommended that every NetScaler administrator do a fundamental assessment of their NetScalers.

Keep informed about the latest Cyber Security News by following us on GoogleNewsLinkedinTwitter, and Facebook.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.