Citrix ShareFile RCE Vulnerability Exploited

Greynoise, a threat intelligence company, has reported that it has detected the initial attempts to exploit a critical remote code execution (RCE) vulnerability in Citrix ShareFile.

ShareFile is a widely-used cloud-based file-sharing and collaboration solution that allows users to store files in their own data centers using a storage zones controller, which is a .NET web application running under Internet Information Services (IIS).

The vulnerability is tracked as CVE-2023-24489 (CVSS score of 9.1) and wasdiscovered by the attack surface management firm, Assetnote. The vulnerability was caused by errors leading to unauthenticated file upload, which could then be exploited to achieve remote code execution.

According to Assetnote, there are potentially between 1,000 and 6,000 internet-accessible ShareFile instances that could be affected by this vulnerability. This makes ShareFile an attractive target for attackers, as these instances may store sensitive data.

Although the vulnerable endpoint is not enabled in all configurations, it has been found to be common among the hosts tested by Assetnote

Citrix promptly released a patch in June 2023 with the release of ShareFile storage zones controller version 5.11.24. The company warned that if exploited, the vulnerability could lead to a full application compromise.

Update - CISA is warning that a critical Citrix ShareFile secure file transfer vulnerability tracked as CVE-2023-24489 is being targeted by unknown actors and has added the flaw to its catalog of known security flaws exploited in the wild.

Unfortunately, in early July, proof-of-concept (PoC) code targeting the vulnerability was published by Assetnote, and since then, additional PoC exploits have surfaced. This has increased the likelihood of the vulnerability being exploited in the wild.