Connect with us

Hi, what are you looking for?


Malware & Threats

2,000 Citrix NetScaler Instances Backdoored via Recent Vulnerability

A threat actor has exploited a recent Citrix vulnerability (CVE-2023-3519) to infect roughly 2,000 NetScaler instances with a backdoor.

A threat actor has automated the exploitation of a recent Citrix vulnerability and has infected roughly 2,000 NetScaler instances with a backdoor, British information assurance firm NCC Group reports.

Tracked as CVE-2023-3519, the critical vulnerability was disclosed last month as a zero-day, being exploited since June 2023, including in attacks against critical infrastructure organizations.

The issue allows unauthenticated, remote attackers to execute arbitrary code on vulnerable Citrix Application Delivery Controller (ADC) and Gateway appliances that are configured as a gateway or AAA virtual server.

Roughly a week after Citrix released patches for the bug, cybersecurity firm Bishop Fox warned that it had identified more than 20,000 Citrix appliances vulnerable to a new exploit.

Now, NCC Group says it has observed an automated exploitation campaign in which more than 1,950 NetScaler instances were compromised, representing roughly 6.3% of the 31,000 vulnerable appliances identified at the beginning of the exploitation campaign.

The company identified close to 2,500 webshells on the compromised instances, and says that more than 1,800 of them remain infected. Starting August 10, the Dutch Institute of Vulnerability Disclosure has been notifying the impacted organizations of NCC Group’s findings.

More worrying, the cybersecurity firm says, is that roughly 69% of the infections occurred before the impacted organizations applied the provided patch. However, the backdoor has not been removed.

Advertisement. Scroll to continue reading.

“This indicates that while most administrators were aware of the vulnerability and have since patched their NetScalers to a non-vulnerable version, they have not been (properly) checked for signs of successful exploitation,” NCC Group says.

The large number of NetScaler instances infected before being patched also shows that the mass exploitation campaign took place around the same time that Citrix released the fixes.

“The high percentage of patched NetScalers that have been backdoored is likely a result of the time at which mass exploitation took place. From incident response cases, we can confirm Shadowserver’s prior estimate that this specific exploitation campaign took place between late July 20th and early July 21st,” NCC Group notes.

Mandiant on Monday released a tool to help organizations scan their Citrix appliances for evidence of post-exploitation activity related to CVE-2023-3519. Google-owned Mandiant says the tool, available on GitHub, contains indicators of compromise (IOCs) collected during Mandiant’s investigations and sourced elsewhere.

Most of the identified infections are in Europe, with Germany, France, and Switzerland impacted the most. Japan and Italy round up the top five. Canada, Russia, and the US have virtually no infected NetScaler instances.

*Updated with details of tool released by Mandiant

Related: Exploitation of Recent Citrix ShareFile RCE Vulnerability Begins

Related: Citrix Patches Critical Vulnerability in Secure Access Client for Ubuntu

Related: Citrix Patches High-Severity Vulnerabilities in Windows, Linux Apps

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...