More than 1,950 Citrix NetScaler instances have been compromised with a backdoor in attacks exploiting the critical zero-day flaw tracked as CVE-2023-3519, accounting for nearly 6.3% of all vulnerable appliances, while almost 2,500 web shells were observed across the infected appliances, SecurityWeek reports.
Aside from the infections remaining in over 1,800 NetScalers, almost 69% of the instances that have been patched against the zero-day still host the backdoor, according to a report from NCC Group.
"This indicates that while most administrators were aware of the vulnerability and have since patched their NetScalers to a non-vulnerable version, they have not been (properly) checked for signs of successful exploitation," said NCC Group.
Meanwhile, a new Mandiant tool for detecting post-exploitation activity related to CVE-2023-3519 on Citrix NetScaler, which also ships with indicators of compromise, revealed that Germany, France, Switzerland, Japan, and Italy had the most infections, while virtually no infected appliances were observed in the U.S., Canada, and Russia.