
CISA adds Citrix ShareFile flaw to the KEV catalog


Editor's note: Following publication of this story, ShareFile told SC Media that the fix for the CVE was released one month prior to public disclosure and that ShareFile worked with its customers to get them upgraded during that month.

The Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday put a critical Citrix ShareFile secure file transfer vulnerability on its Known Exploited Vulnerabilities (KEV) catalog.

Tracked as CVE-2023-24489, the critical Citrix vulnerability has a 9.8 CVSS score and, if exploited, could let an unauthenticated attacker remotely compromise the customer-managed ShareFile storage zones controller.

In its advisory on Aug. 16, CISA said these types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to federal enterprises. 

On June 13, Citrix issued an advisory stating that the issue had been addressed in ShareFile storage zones controller 5.11.24 and later versions, and that customers running the storage zones controller should upgrade to a fixed version.

Travis Smith, vice president of the threat research unit at Qualys, said security teams should be concerned that threat actors could exploit this vulnerability to deploy ransomware or exfiltrate data. Smith said Citrix ShareFile is highly prevalent software, deployed globally in the private sector and at government agencies.

“This is very similar to the MOVEit vulnerability that resulted in multiple data breaches,” Smith said. “The Qualys Threat Research Unit is closely monitoring the threat landscape to see if this is weaponized.”

John Gallagher, vice president of Viakoo Labs, added that while organizations need to patch, there is still an open question as to how long a window threat actors will have to exploit this vulnerability.

“Many organizations lack an inventory of their devices and applications, specifically around what versions they have,” explained Gallagher. “The ideal situation would be to have full visibility down to the firmware version number, combined with automated patching, and in the future, with SBOMs tied to each application.”  

As of now, CISA has not released any campaign data suggesting an actor has targeted this CVE, but determining the organization’s defensive readiness to protect, detect and respond to an adversarial pivot will be critical to mitigating any harm, said Patrick “Pat” Arvidson, chief strategist-evangelist at Interpres Security. Arvidson said the operational question here is whether a company can do the patch in an automated way, or if they need to initiate a spreadsheet exercise to determine their readiness.

“There’s a real risk that an adversary may pivot to this vulnerability before an organization is ready and patched,” said Arvidson. “Some companies may already have controls in place that mitigate, while others may find themselves lacking. However, it should be noted that for federal agencies, this is a Binding Operational Directive, and they will have to patch under governance rules.”
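The inventory and readiness questions raised above (which hosts run a storage zones controller, what version each runs, and how much time remains before the KEV due date) come down to comparing an asset list against the fixed version and the catalog entry. The following is an added example, not code from SC Media, Citrix, or CISA: it takes a constructed inventory and a constructed record that mirrors the field names of the public KEV JSON feed (cveID, vendorProject, product, dateAdded, dueDate, requiredAction) and flags hosts below 5.11.24. The dateAdded value matches the article; the dueDate, hostnames, and version strings are assumptions made for the example, and an unparseable version is deliberately treated as vulnerable rather than silently skipped.

```python
"""Triage a host inventory against a KEV-style entry for CVE-2023-24489.
Added example: the KEV record and the inventory rows are constructed here
to mirror the public feed's schema, not fetched from CISA."""
import json
from datetime import date

# Fixed version named in the Citrix advisory cited in the article.
FIXED_VERSION = "5.11.24"

# Constructed record modelled on the KEV feed's field names. dateAdded matches
# the article; dueDate is an assumption used only to show remaining-time maths.
KEV_RECORD = json.loads("""{
  "cveID": "CVE-2023-24489",
  "vendorProject": "Citrix",
  "product": "ShareFile",
  "dateAdded": "2023-08-16",
  "dueDate": "2023-09-06",
  "requiredAction": "Apply updates per vendor instructions."
}""")

# Constructed inventory: (hostname, product, installed version string).
INVENTORY = [
    ("szc-dc1", "ShareFile storage zones controller", "5.11.24"),
    ("szc-dc2", "ShareFile storage zones controller", "5.11.21"),
    ("szc-eu",  "ShareFile storage zones controller", "5.10.1"),
    ("web-01",  "IIS", "10.0"),
    ("szc-lab", "ShareFile storage zones controller", "5.11.24.1"),
    ("szc-old", "ShareFile storage zones controller", "unknown"),
]


def parse_version(text):
    """Turn '5.11.24' into (5, 11, 24); None if it is not dotted integers."""
    try:
        return tuple(int(part) for part in text.strip().split("."))
    except ValueError:
        return None


def is_vulnerable(installed, fixed=FIXED_VERSION):
    """True when installed < fixed. Missing trailing components count as 0,
    so 5.11.24 is not below 5.11.24 and 5.11.24.1 is above it. A version that
    cannot be parsed is reported as vulnerable: unknown means assume exposed."""
    a, b = parse_version(installed), parse_version(fixed)
    if a is None:
        return True
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return a < b


def triage(inventory, record, today_iso, product_match="storage zones controller"):
    """Return hosts needing action, each with days left before the KEV dueDate
    (negative means overdue). today_iso is an ISO date such as '2023-08-17'."""
    days_left = (date.fromisoformat(record["dueDate"])
                 - date.fromisoformat(today_iso)).days
    return [
        {"host": host, "version": ver, "cve": record["cveID"], "days_left": days_left}
        for host, product, ver in inventory
        if product_match in product and is_vulnerable(ver)
    ]


if __name__ == "__main__":
    for row in triage(INVENTORY, KEV_RECORD, "2023-08-17"):
        flag = "OVERDUE" if row["days_left"] < 0 else f"{row['days_left']}d left"
        print(f"{row['host']:8} {row['version']:10} {row['cve']} {flag}")
```

In practice the inventory would come from a CMDB or endpoint agent export and the record from the KEV feed itself; the point of the example is that the check is mechanical once version data exists, which is exactly the visibility gap Gallagher describes.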

Joe Saunders, chief executive officer at RunSafe Security, said that if the flaw goes unpatched, security teams may face customers with service disruption or stolen data.

“With that said, the constant cycle of fixing and patching is draining,” said Saunders. “We need a way to eliminate exploitation of an entire class of vulnerabilities to minimize the operational impact on security with many competing priorities.”
