CISA warns of critical Citrix ShareFile flaw exploited in the wild

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical security vulnerability red alert in Citrix ShareFile, a secure file transfer solution. This vulnerability, identified as CVE-2023-24489, has caught the attention of unknown threat actors who are actively targeting it. As a result, CISA has included this flaw in its list of known vulnerabilities exploited in real-world attacks.

Citrix ShareFile, a managed file transfer SaaS cloud storage service, allows secure uploading and downloading of files for customers and employees. Additionally, its 'Storage zones controller' feature enables enterprises to configure private data storage, either on-premise or on supported cloud platforms like Amazon S3 and Windows Azure.

The flaw tracked as CVE-2023-24489, was flagged by Citrix in a security advisory on June 13, 2023. With a critical severity rating of 9.8/10, the vulnerability could potentially permit unauthenticated attackers to compromise customer-managed storage zones. The flaw is rooted in a cryptographic bug within ShareFile's AES encryption implementation, allowing attackers to upload arbitrary files and gain full remote code execution privileges.

Given that threat actors frequently exploit such vulnerabilities, CISA emphasises the significant risk posed to federal entities. Managed file transfer (MFT) solutions are particularly concerning due to their exploitation history in data theft and extortion attacks. The Clop ransomware operation, for instance, has targeted MFT vulnerabilities extensively, exploiting them in large-scale data theft campaigns.

AssetNote, a cybersecurity firm, reported the vulnerability to Citrix. Notably, AssetNote's detailed analysis provided enough information for malicious actors to potentially craft exploits. This was followed by other researchers releasing their exploits on GitHub.

GreyNoise, a security monitoring service, observed a notable increase in exploitation attempts after CISA's warning. The attempts to exploit the Citrix ShareFile vulnerability primarily originated from IP addresses in South Korea, Finland, the United Kingdom, and the United States.

While there have been no publicly reported instances of exploitation or data theft related to this vulnerability, CISA has mandated that Federal Civilian Executive Branch (FCEB) agencies apply patches for CVE-2023-24489 by September 6, 2023. Organisations at large are strongly advised to apply the updates promptly, considering the targeted nature of such vulnerabilities.