Enterprise defenders must inspect each Citrix networking appliance to make sure it has not already been compromised, even after patching it against the major vulnerability. Researchers from Fox-IT, a division of NCC Group, claim that around 1,900 Citrix networking products across the world have been backdoored as part of a broad automated campaign aimed at CVE-2023-3519.
To achieve persistence, the adversary appears to have exploited vulnerable Citrix NetScaler Application Delivery Controllers (ADC) and Citrix NetScaler Gateways and installed web shells on them around the time the vulnerability was originally discovered and the patch deployed last month. Even after an appliance has been upgraded and/or restarted, the adversary can still remotely execute arbitrary commands through the web shell, which is why patching alone does not remove the backdoor.
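One way to perform the post-patch inspection the article calls for is to compare a NetScaler web directory against a file manifest taken from a clean appliance of the same build, and separately to flag server-side scripts modified after the patch was installed. The script below is an added example, not code from the article or from Fox-IT/NCC Group; the directory layout, the manifest format and the `patched.marker` reference file are assumptions, since the article names no paths.

```shell
#!/bin/sh
# Added example (not from the article or Fox-IT/NCC Group).
# Checks a NetScaler web directory for files that a clean appliance of the
# same build does not have. Directory layout and manifest format are assumed.

# list_unexpected_files <web_dir> <manifest>
#   manifest: one relative path per line, produced on a clean appliance with
#     (cd <web_dir> && find . -type f | sort)
#   Prints each file present under <web_dir> but absent from the manifest.
list_unexpected_files() {
    web_dir="$1"
    manifest="$2"
    current=$(mktemp) || return 2
    (cd "$web_dir" && find . -type f | sort) > "$current"
    sort "$manifest" | comm -13 - "$current"   # lines only in the live listing
    rm -f "$current"
}

# list_scripts_newer_than <web_dir> <reference_file>
#   Prints server-side script files whose mtime is later than <reference_file>
#   (e.g. a file written when the patch was installed). This second check
#   needs no manifest, so it still works when no clean baseline is available.
list_scripts_newer_than() {
    find "$1" -type f \( -name '*.php' -o -name '*.pl' \) -newer "$2" | sort
}

# build_sample_dir
#   Builds a constructed sample for demonstration: two legitimate files, a
#   manifest listing them, a patch-time marker, and one extra .php file that
#   stands in for a dropped web shell. Prints the sample root directory.
build_sample_dir() {
    root=$(mktemp -d) || return 2
    mkdir -p "$root/web/vpn" "$root/web/epa"
    echo 'legitimate page' > "$root/web/vpn/index.html"
    echo 'legitimate page' > "$root/web/epa/epa.html"
    (cd "$root/web" && find . -type f | sort) > "$root/manifest"
    touch "$root/patched.marker"          # stands in for the patch install time
    sleep 1                               # guarantee a later mtime on the extra file
    echo 'constructed placeholder, not a real script' > "$root/web/vpn/extra.php"
    echo "$root"
}

# Stand-alone run against the constructed sample.
sample=$(build_sample_dir)
echo "Files not in the clean manifest:"
list_unexpected_files "$sample/web" "$sample/manifest"
echo "Script files newer than the patch marker:"
list_scripts_newer_than "$sample/web" "$sample/patched.marker"
rm -rf "$sample"
```

On a real appliance the manifest must come from a known-clean device of the same firmware build, and any hit should be treated as a lead for forensic review rather than deleted on the spot.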