Thousands of Citrix Netscaler ADC and Gateway servers exposed online are likely vulnerable to a critical remote code execution (RCE) bug exploited by unauthenticated attackers in the wild as day zero.

Security researchers from the Shadowserver Foundation, a non-profit organization dedicated to improving internet security, revealed this week that at least 15,000 devices were identified as being exposed to attacks exploiting the flaw (CVE-2023-3519) based on their version information.

“We mark all IP addresses where we see a version hash in a Citrix instance. This is because Citrix removed the version hash information in recent revisions”, Shadowserver said.

“Thus, it is safe to assume, in our view, that any instances that still provide version hashes have not been updated and may be vulnerable.”

They also noted that they are also underestimating since some revisions known to be vulnerable but without a version hash were not tagged and added to the total exposed Citrix servers.

Citrix released security updates to address this RCE vulnerability on July 18, stating that “exploits of CVE-2023-3519 on unmitigated appliances have been observed” and urging customers to install patches as soon as possible.

The company added that unpatched Netscaler appliances must be configured as a gateway (VPN virtual server, ICA proxy, CVPN, RDP proxy) or authentication virtual server (known as an AAA server) to be vulnerable to attacks.

The zero-day CVE-2023-3519 RCE had likely been available online since the first week of July, when a malicious actor started announcing the Citrix ADC zero-day flaw on a hacker forum.

BleepingComputer was also aware that Citrix had become aware of the zero-day ad and was working on a fix before making an official disclosure.

On the same day, Citrix patched two other very serious vulnerabilities identified as CVE-2023-3466 and CVE-2023-3467.

The former allows attackers to launch thoughtful cross-site scripting (XSS) attacks by tricking targets on the same networks into loading a malicious link into the web browser, while the latter allows privilege escalation to gain root permissions.

Although the second is much more impactful, it also requires authenticated access to the management interface of the vulnerable appliances via their IP address (NSIP) or a SubNet IP address (SNIP).

CISA also ordered U.S. federal agencies on Wednesday to secure Citrix servers on their networks against ongoing attacks by August 9, warning that the bug had already been used to breach the systems of a US critical infrastructure organization.

“In June 2023, threat actors exploited this vulnerability as zero day to drop a web shell on a critical infrastructure organization’s NetScaler ADC appliance,” CISA said in a statement. separate notice released Thursday.

“The webshell allowed the actors to perform discovery on the victim’s active directory (AD) and collect and exfiltrate AD data. The actors attempted to move laterally to a domain controller, but network segmentation controls for the appliance blocked the movement.”