CVE-2023-3519 and CVE-2023-4966: NetScaler (Citrix) Vulnerabilities Blocked By Imperva

On July 20, CISA warned about the exploitation of an unauthenticated remote code execution vulnerability affecting NetScaler (formerly Citrix) Application Delivery Controller and NetScaler Gateway. Attackers first exploited this vulnerability in June, when unidentified hackers used it as a zero-day to implant a webshell on a NetScaler appliance to collect and exfiltrate Active Directory data. The vulnerability is tracked as CVE-2023-3519 and has a critical CVSS score of 9.8.

In the subsequent three days, Imperva saw a few thousand attacks, primarily targeting US and Australian sites in the financial services, business, and telecommunications industries. Interestingly, although UK-based attackers made up less than half of the attacking IPs, they accounted for almost 85% of the total exploitation attempts.

All of these vulnerabilities are blocked out of the box by Imperva Cloud WAF. Imperva WAF Gateway customers are automatically protected if they are subscribed to ThreatRadar Emergency Feeds; otherwise, they will need to enable the signatures manually. As an additional precaution, all NetScaler customers should install the recommended patches.

In October, NetScaler released a patch for CVE-2023-4966, a sensitive information disclosure vulnerability with a CVSS score of 9.4. This vulnerability is also blocked out of the box by Imperva Cloud WAF. SecureSphere customers will need to enable the policy if it is not already enabled.

Imperva is monitoring the situation and will provide updates as possible.