Governance & Risk Management , Patch Management

Patched Citrix NetScaler Devices Still Contain Backdoors

Online Scans Show More Than 1,200 Patched NetScaler Devices Are Backdoored
Patched Citrix NetScaler Devices Still Contain Backdoors
Image: Shutterstock

Hackers moved faster than system administrators to exploit a zero-day vulnerability in Citrix NetScaler appliances by dropping web shells that remain active even after a patch, warn Dutch security researchers.

See Also: Cyber Hygiene and Asset Management Perception vs. Reality

Online scans conducted by Delft-based Fox-IT and the nonprofit Dutch Institute for Vulnerability Disclosure show more than 1,200 patched NetScaler devices containing a backdoor inserted by hackers. Attackers appear to have automated exploitation of a flaw allowing them to execute arbitrary commands through a web shell, "even when a NetScaler is patched and/or rebooted."

Tracked as CVE-2023-3519 and patched in July, the flaw affects Citrix Application Delivery Controller and Gateway appliances configured as gateway servers. Security firms and the U.S. federal government were quick to urge system administrators to patch immediately. The Citrix NetScaler "product line is a popular target for attackers of all skill levels, and we expect that exploitation will increase quickly," said Rapid7. Fox-IT counted more than 31,000 vulnerable NetScaler devices globally that were vulnerable to the zero-day flaw as of July 21.

As of Aug. 14, Fox-IT said, 1,828 NetScaler instances were compromised with a backdoor, and 1,248 of them had been patched. The firm released a script to detect indicators of compromise, as has Mandiant.

Online scanning shows most of the compromised NetScaler devices are located in Europe, although Fox-IT said the researchers "could not discern a pattern in the targeting." Hackers apparently using automated processes compromised the same instance multiple times while ignoring large volumes of vulnerable appliances.


About the Author

Mihir Bagwe

Mihir Bagwe

Principal Correspondent, Global News Desk, ISMG

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.com, you agree to our use of cookies.