Citrix ShareFile vulnerability being exploited amid warnings of a “huge spike” in attacks

Pre-auth RCE in Citrix ShareFile has the potential to be the next MOVEit, or Accellion, or GoAnywhere, or Aspera Faspex, or...

Yet another enterprise file sharing software product is being actively exploited in the wild, CISA has confirmed, with a Citrix ShareFile vulnerability allocated CVE-2023-24489 coming under attack.

Researchers at Greynoise said they were seeing a “huge spike” in attack attempts today (August 16), many from South Korean IP ranges.

The Citrix ShareFile vulnerability was reported by Dylan Pindur of Assetnote and fixed by Citrix in June. The CVSS 9.8 bug lets an unauthenticated, remote attacker breach the file sharing software.

CVE-2023-24489 stems from errors in ShareFile’s handling of cryptographic operations (detailed by Pindur here).

It affects all customer-managed ShareFile storage zones controllers before 5.11.24. Approximately 6,000 organisations were seen to have publicly exposed instances at the time of initial disclosure in early July.

(Citrix describes ShareFile on its product page as helping users “avoid risks like data theft, phishing attacks, or credential theft by taking the security guesswork out of file sharing” and providing “security for your most sensitive deals, including M&A, clinical studies, fundraising…”)

ShareFile exploitation follows recent successful attacks on similar products including IBM’s Aspera Faspex (exploiting CVE-2022-47986; also reported by Assetnote), on Fortra’s GoAnywhere MFT application, on Progress Software’s MOVEit (over 670 organizations, 46 million individuals affected, according to data from cybersecurity company Emsisoft) and on Accellion.

Those who have not updated should urgently do so.

Previous such attacks, including on MOVEit, were carried out by ransomware gangs like Cl0P, which has been leaking huge amounts of data belonging to victims who did not pay up to prevent its release.

See also: As victim count mounts, a critical new MOVEit bug emerges - with US federal agencies compromised