Citrix Zero-Day: 7K Instances Remain Exposed, 460 Compromised

Published: 23/11/2024   Category: security




Many organizations have failed to patch a critical zero-day vulnerability, allowing hackers to install Web shells on hundreds of endpoints.



Several threat groups are actively exploiting a critical vulnerability in Citrix networking products. Three weeks after Citrix released a patch for its NetScaler ADC and NetScaler Gateway, researchers say nearly 7,000 instances remain exposed on the Web. Of those, around 460 have Web shells installed, likely due to compromise.
On July 18, cloud computing company Citrix published a patch for CVE-2023-3519, a Critical 9.8 CVSS-scored zero-day vulnerability, which allows for unauthenticated remote code execution (RCE) in Citrix's NetScaler application delivery controller (ADC) and gateway products.
Since the patch was released, a number of researchers have demonstrated how the vulnerability can be exploited. And attackers — rarely known to pass up an opportunity — have jumped to take advantage of the flaw, installing hundreds of web shells inside of corporate networks and carrying out dozens of exploits already.
And yet, according to data from the Shadowserver Foundation, thousands of exposed NetScaler instances remain unpatched today, and many organizations remain at the mercy of attackers who are installing web shells, and executing commands on internal networks at will.
"It's a complex case, given that Citrix is used in a lot of prominent organizations," says Piotr Kijewski, the CEO at Shadowserver. "We saw quite a few big names that were still vulnerable even a few days ago, including hospitals — these kinds of important institutions. So the potential consequences could be big, if somebody attacks these organizations with ransomware a month from now."
At peak, Shadowserver tracked nearly 18,000 exposed, unpatched instances of NetScaler ADC and Gateway IPs. That number has been falling steadily, but not quickly, as nearly 7,000 remain today, primarily located in North America (2,794) and Europe (2,670).
For weeks, researchers have documented cases of hackers who are actively compromising these exposed network devices. Just 10 days after the initial disclosure, Shadowserver discovered nearly 700 Web shells installed on NetScaler IPs that are presumed to be associated with instances of CVE-2023-3519 compromises. In the time since, that number has fallen, but only by 33%.
Where initial compromises centered primarily in the EU region (Germany, Switzerland, Italy, and France were the foremost targets), the overwhelming majority of IPs still exposed as of Monday reside in the United States — 2,600 total, compared with 630 in Germany and 425 in the United Kingdom.
Meanwhile, Shadowserver honeypots recorded an increase in the number of active exploitation attempts, with a dozen cases on Sunday alone.
Kijewski predicts there will be more compromises to come — both for this CVE and others like it in the future. He points to this spring's MOVEit file transfer vulnerability as a model.
"Threat actors — whether state-sponsored or criminal groups — are dedicating time, money, resources, and skills to this," he explains. "It's been a shift in the last year. Exploits used to be more in the hands of either well-funded state actors, or researchers who'd release an exploit and then everybody jumps in on the bandwagon. Now even the criminal groups seem to be interested in really targeted vulnerabilities, and reversing them themselves, specifically against code that is usually run in large organizations."
In addition to patching (which may be too late, in many cases), Shadowserver advises that Citrix customers engage their incident response teams, and, if compromised, set up either a new system from scratch, or reboot from a safe backup or snapshot. Today's Web shells, they emphasize, will be tomorrow's cyberattacks.
We expect these webshells to be utilized when the timing suits the attacker, Shadowserver wrote in its latest update. This may also happen after all the initial interest has died down and system administrators/security responders are no longer looking closely at their Citrix devices. Make sure you fix your Citrix device before the attacker does it for you.
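The advice above boils down to "assume a shell may already be on the box and look for it before rebuilding or restoring". As an added example (not code from the article, Citrix or Shadowserver), the following Python script shows the kind of check an incident responder would run over a copy of a web root: it flags script files that are newer than the last known-good snapshot, and files whose contents hand request input to an execution function. The indicator patterns, the web-root layout and the sample files are all constructed for the demonstration; NetScaler's real on-disk paths and the actual shells observed in this campaign are not described on this page and are not assumed here.

```python
"""Baseline-and-indicator scan of a web root for likely web shells.

Added example, not from the article. The indicator regexes below are
generic PHP web-shell patterns chosen for the demo, not the IoCs of
any specific campaign; the web root and sample files are constructed.
"""
import os
import re
import tempfile
import time
from pathlib import Path

# Constructed indicators: each pairs a label with a pattern for code that
# executes attacker-supplied request input.
INDICATORS = [
    ("eval-of-base64", re.compile(rb"eval\s*\(\s*base64_decode")),
    ("shell-exec-of-request-input",
     re.compile(rb"\b(system|passthru|shell_exec|exec|popen)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)")),
    ("dynamic-call-from-request",
     re.compile(rb"\$_(GET|POST|REQUEST)\[[^\]]+\]\s*\(\s*\$_(GET|POST|REQUEST)")),
    ("assert-of-request-input", re.compile(rb"assert\s*\(\s*\$_(GET|POST|REQUEST)")),
]

# File types that a web server would execute; anything here that appeared
# after the baseline deserves a look even if no pattern fires.
SCRIPT_SUFFIXES = {".php", ".pl", ".cgi", ".sh"}


def scan_file(path: Path) -> list:
    """Return the labels of every indicator pattern found in the file."""
    data = path.read_bytes()
    return [label for label, pat in INDICATORS if pat.search(data)]


def scan_web_root(root: Path, baseline_ts: float) -> list:
    """Walk the web root and return sorted (relative_path, reasons) findings.

    baseline_ts is the mtime of the last known-good snapshot; script files
    modified after it are reported whether or not their content matches.
    """
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        reasons = []
        if path.suffix.lower() in SCRIPT_SUFFIXES and path.stat().st_mtime > baseline_ts:
            reasons.append("script newer than baseline")
        reasons.extend(scan_file(path))
        if reasons:
            findings.append((path.relative_to(root).as_posix(), reasons))
    return sorted(findings)


def build_demo_root() -> tuple:
    """Create a constructed web root in a temp dir; returns (root, baseline_ts).

    index.php is a benign, old file; img/cache.php is a constructed
    shell-like file dropped after the baseline.
    """
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    now = time.time()
    old = now - 30 * 86400       # constructed: file from a month ago
    baseline = now - 7 * 86400   # constructed: last known-good snapshot, a week ago

    benign = root / "index.php"
    benign.write_bytes(b"<?php echo 'login page'; ?>")
    os.utime(benign, (old, old))

    shell = root / "img" / "cache.php"
    shell.parent.mkdir()
    shell.write_bytes(b"<?php @eval(base64_decode($_POST['c'])); ?>")
    # mtime left at "now", so it is newer than the baseline
    return root, baseline


if __name__ == "__main__":
    demo_root, demo_baseline = build_demo_root()
    for rel_path, why in scan_web_root(demo_root, demo_baseline):
        print(f"{rel_path}: {', '.join(why)}")
```

Run it against a copy of the web root taken from the suspect appliance rather than the live filesystem, and treat the baseline timestamp as the stronger signal: a shell written with an obfuscation the patterns do not cover still shows up as a script that did not exist in the last good snapshot.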
