Critical Zero-Day Remote Code Execution Vulnerability in Citrix ADC and Gateway Products
A critical zero-day vulnerability (CVE-2023-3519) in Citrix ADC and Gateway products enables unauthenticated remote code execution. Active exploitation has been observed in the wild, affecting thousands of internet-facing systems.
A severe zero-day vulnerability has been discovered in Citrix Application Delivery Controller (ADC) and Gateway products that allows unauthenticated remote code execution. The vulnerability (CVE-2023-3519) affects all supported versions and has been actively exploited in the wild since at least early July 2023. Successful exploitation provides attackers with system-level access to affected devices, potentially compromising entire corporate networks.
Citrix has released emergency patches and strongly urges immediate updates, as over 26,000 internet-facing devices remain vulnerable globally. Multiple threat actors, including state-sponsored groups, have been observed weaponizing this vulnerability for initial access, data exfiltration, and deploying ransomware payloads.
Key Findings
A severe zero-day vulnerability has been discovered in Citrix Application Delivery Controller (ADC) and Gateway products that allows unauthenticated remote code execution
The vulnerability (CVE-2023-3519) affects all supported versions and has been actively exploited in the wild since at least early July 2023
Successful exploitation provides attackers with system-level access to affected devices, potentially compromising entire corporate networks
Citrix has released emergency patches and strongly urges immediate updates, as over 26,000 internet-facing devices remain vulnerable globally
Overview
On July 18, 2023, Citrix released an emergency advisory regarding a critical zero-day vulnerability (CVE-2023-3519) affecting their ADC and Gateway products. The vulnerability allows unauthenticated attackers to execute arbitrary code remotely on affected systems, leading to complete system compromise.
Affected Products
Citrix ADC and Citrix Gateway 13.1 before 13.1-49.13
Citrix ADC and Citrix Gateway 13.0 before 13.0-91.13
Citrix ADC and Citrix Gateway 12.1 before 12.1-65.25
Citrix ADC 12.1-FIPS before 12.1-55.289
Citrix ADC 12.1-NDcPP before 12.1-55.289
Technical Analysis
The vulnerability exists in the management interface of affected products and can be exploited without authentication. Initial analysis suggests the flaw involves improper input validation in the management API, leading to remote code execution with SYSTEM/root privileges.
Attack Vector
Attackers can exploit this vulnerability by sending specially crafted HTTP requests to the management interface. No user interaction is required, making this vulnerability particularly dangerous for internet-facing systems.
Impact Assessment
The potential impact of successful exploitation includes:
Complete system compromise
Unauthorized access to internal networks
Data theft and exfiltration
Deployment of additional malware or ransomware
Man-in-the-middle attacks on SSL traffic
Recommendations
Immediately install available security updates
Implement IP-based access restrictions for management interfaces
Enable Web Application Firewall (WAF) rules
Monitor systems for indicators of compromise
Review authentication logs for suspicious activity
Consider implementing network segmentation
Indicators of Compromise
Unexpected outbound connections from Citrix devices
Unusual processes or services running on affected systems
Modification of system files outside of normal update processes
Suspicious entries in HTTP access logs targeting management interfaces
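The recommendations above (IP-restrict the management interface, review logs) and the last indicator (suspicious access-log entries targeting the management interface) can be turned into a simple triage script. The following is an added example, not code from the advisory or from Citrix: it parses Combined Log Format lines and flags management-path requests from sources outside an allowlist. The management path prefixes and the log lines are assumptions constructed for illustration.

```python
"""Flag HTTP access-log requests to management paths from non-allowlisted IPs.
Management path prefixes and sample log lines are constructed assumptions."""
import ipaddress
import re
from collections import Counter

# Assumed management-interface path prefixes; adjust to your deployment.
MGMT_PREFIXES = ("/nitro/v1/", "/menu/", "/rapi/")

# Combined/Common Log Format: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines (not captured from a real appliance).
SAMPLE_LOG = """\
10.0.5.12 - - [19/Jul/2023:08:01:10 +0000] "GET /menu/ss HTTP/1.1" 200 512
203.0.113.7 - - [19/Jul/2023:08:02:41 +0000] "POST /nitro/v1/config/login HTTP/1.1" 401 88
203.0.113.7 - - [19/Jul/2023:08:02:42 +0000] "POST /nitro/v1/config/login HTTP/1.1" 401 88
203.0.113.7 - - [19/Jul/2023:08:02:45 +0000] "POST /nitro/v1/config/systemfile HTTP/1.1" 200 1400
198.51.100.9 - - [19/Jul/2023:08:03:00 +0000] "GET /vpn/index.html HTTP/1.1" 200 2048
"""

def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def in_allowlist(ip, allowed_nets):
    """True if ip falls inside any of the allowed networks; unparsable IPs are not allowed."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in allowed_nets)

def find_suspicious(log_text, allowed_cidrs):
    """Return (flagged, per_ip_counts): management-path requests whose source
    is outside allowed_cidrs, plus how many such requests each source made."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    flagged, counts = [], Counter()
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None or not e["path"].startswith(MGMT_PREFIXES):
            continue  # unparsable line or not a management-interface request
        if not in_allowlist(e["ip"], allowed):
            flagged.append((e["ip"], e["method"], e["path"], e["status"]))
            counts[e["ip"]] += 1
    return flagged, counts
```

Any hit from outside the management allowlist, and especially a 200 following repeated 401s from the same source, warrants a closer look at that device's files and processes per the indicators above.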