Over 640 Citrix servers backdoored with web shells in ongoing attacks


Hundreds of Citrix Netscaler ADC and Gateway servers have already been breached and backdoored in a series of attacks targeting a critical remote code execution (RCE) vulnerability tracked as CVE-2023-3519.

The vulnerability was previously exploited as a zero-day to breach the network of a U.S. critical infrastructure organization.

Security researchers from the Shadowserver Foundation, a non-profit organization dedicated to enhancing internet security, have now disclosed that attackers deployed web shells on at least 640 Citrix servers in these attacks.

“We can say it’s fairly standard China Chopper but we do not want to disclose more under the circumstances. I can say the amount we detect is much lower than the amount we believe to be out there, unfortunately,” Shadowserver CEO Piotr Kijewski told BleepingComputer.

[Image: China Chopper web shell example (BleepingComputer)]

“We report on compromised appliances with webshells in your network (640 for 2023-07-30). We are aware of widespread exploitation happening July 20th already,” Shadowserver said on their public mailing list.

“If you did not patch by then please assume compromise. We believe the actual amount of CVE-2023-3519 related webshells to be much higher than 640.”

About two weeks ago, the count of Citrix appliances vulnerable to CVE-2023-3519 attacks stood at around 15,000. However, that number has since dropped to under 10,000, indicating some progress in mitigating the vulnerability.

[Image: Map of compromised Citrix servers (Shadowserver)]

Citrix released security updates on July 18th to address the RCE vulnerability, acknowledging that exploits had been observed on vulnerable appliances and urging customers to install the patches without delay.

The vulnerability primarily impacts unpatched Netscaler appliances configured as gateways (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or authentication virtual servers (AAA server).

In addition to addressing CVE-2023-3519, Citrix also patched two other high-severity vulnerabilities the same day, CVE-2023-3466 and CVE-2023-3467, which could be exploited for reflected cross-site scripting (XSS) attacks and privilege escalation to root.

In response to ongoing attacks, CISA ordered U.S. federal agencies to secure Citrix servers on their networks by August 9th.

The warning also highlighted that the vulnerability had already been exploited to breach the systems of a U.S. critical infrastructure organization.

“In June 2023, threat actors exploited this vulnerability as a zero-day to drop a webshell on a critical infrastructure organization’s NetScaler ADC appliance,” CISA said.

“The webshell enabled the actors to perform discovery on the victim’s active directory (AD) and collect and exfiltrate AD data. The actors attempted to move laterally to a domain controller but network-segmentation controls for the appliance blocked movement.”

Ransomware gangs, including REvil and DoppelPaymer, have taken advantage of similar Citrix Netscaler ADC and Gateway vulnerabilities to breach corporate networks in past attacks.

This highlights the pressing need for security teams to make patching Citrix servers a top priority on their to-do lists.


(c) Lawrence Abrams
