GreyNoise, a renowned threat intelligence firm, has begun observing the first attempts to exploit a newly identified critical remote code execution (RCE) flaw in Citrix ShareFile, a widely used cloud-based solution for file sharing and collaboration.
ShareFile provides its users with the capability to store files in their personal data centers through a storage zones controller, essentially a .NET web application that runs under Internet Information Services (IIS).
The vulnerability, tracked as CVE-2023-24489 and carrying a CVSS score of 9.1, stems from mistakes that allow unauthenticated file upload, which could be leveraged to achieve RCE, explains Assetnote, the attack surface management company that discovered and reported the bug.
The cybersecurity firm estimates that between 1,000 and 6,000 ShareFile instances are accessible online, possibly making it a lucrative target for cyber attackers, considering the sensitive data it could be storing.
“The endpoint [vulnerable] is not active in all configurations, but it was prevalent among the hosts we evaluated. The substantial number of online instances and the exploit’s reliability have caused a significant impact from this vulnerability,” Assetnote asserts.
Citrix addressed the flaw in June 2023 with the release of ShareFile storage zones controller version 5.11.24, cautioning that the flaw might result in a complete application compromise.
The company issued an advisory, stating, “A vulnerability has been identified in the customer-managed ShareFile storage zones controller that could allow an unauthenticated attacker to remotely compromise the controller.”
Assetnote released proof-of-concept (PoC) code aimed at the vulnerability in early July, and multiple PoC exploits have since been rolled out, escalating the likelihood of real-world exploitation.
Now, with the creation of a tag for CVE-2023-24489, GreyNoise is tracking in-the-wild exploitation, and the initial exploit attempts were recorded earlier this week.
“GreyNoise has detected IPs attempting to exploit this vulnerability. Two have never been seen by GreyNoise before this activity,” the threat intelligence firm reports.
Citrix ShareFile clients who use storage zones controllers are strongly advised to promptly update their installations.