#WebShells
Hackers Exploiting Critical Citrix NetScaler Zero-day Flaw To Deploy Webshells - https://cybersecuritynews.com/citrix-netscaler-hackers-webshells/
<p>The Cybersecurity and Infrastructure Security Agency (CISA) recently released a security advisory that indicates that threat actors have been exploiting a <a href="https://gbhackers.com/zero-day-vulnerability-citrix-netscaler/">Zero-day vulnerability in Citrix</a> ADC (Application Delivery Controller) and NetScaler Gateways.</p>
<p>A vulnerability was discovered that enabled the placement of a webshell on a non-production environment of a critical infrastructure organization. This was reported to CISA and Citrix Systems.</p>
<p>Threat actors exploited an unauthenticated remote code execution vulnerability to drop these webshells on the environment and also attempted to move laterally to the domain controller. However, the attempt was blocked by network-segmentation controls.</p>
<h2><strong><a href="https://gbhackers.com/citrix-secure-access-flaw/">CVE-2023-3519</a>: Code Injection Vulnerability</strong></h2>
<p>This vulnerability can be exploited by a threat actor if the appliance is configured as a Gateway (VPN virtual server, RDP proxy, etc.) or as an Authentication, Authorization and Auditing (AAA) server. The CVSS score for this vulnerability is 9.8 (<strong>Critical</strong>).</p>
<p>Citrix Systems has <a href="https://support.citrix.com/article/CTX561482/citrix-adc-and-citrix-gateway-security-bulletin-for-cve20233519-cve20233466-cve20233467">released patches</a> fixing this vulnerability.</p>
<h2><strong>Affected Products</strong></h2>
<ul>
<li>NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13</li>
<li>NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13</li>
<li>NetScaler ADC and NetScaler Gateway version 12.1, now end of life</li>
<li>NetScaler ADC 13.1-FIPS before 13.1-37.159</li>
<li>NetScaler ADC 12.1-FIPS before 12.1-65.36</li>
<li>NetScaler ADC 12.1-NDcPP before 12.65.36</li>
</ul>
<h2><strong>Technical Analysis</strong></h2>
<p>Threat actors uploaded a malicious TGZ file to the ADC appliance, which consisted of a setuid binary, a generic webshell and a discovery script for conducting an SMB scan on the ADC. Furthermore, AD enumeration and data exfiltration were performed with the webshell. Additional activities performed by the threat actors include:</p>
<ul>
<li>Viewing the NetScaler configuration file (contains encrypted passwords)</li>
<li>Viewing the NetScaler decryption keys (used for decrypting the passwords extracted from the configuration file)</li>
<li>Conducting LDAP searches with the decrypted AD credentials and extracting data such as users, computers, groups, subnets, organisational units, contacts, partitions and trusts</li>
</ul>
<div>
<blockquote><p lang="en" dir="ltr"><a href="https://twitter.com/hashtag/Citrix?src=hash&amp;ref_src=twsrc%5Etfw">#Citrix</a> <a href="https://twitter.com/hashtag/Vulnerability?src=hash&amp;ref_src=twsrc%5Etfw">#Vulnerability</a><br>🚨We have developed a simple scan script for CVE-2023-3519. It looks for HTTP header "Last Modified" ⏲timestamps from known patched systems that we have collected as they are always the same. It may not work with reverse proxies or heavily modified pages. <a href="https://t.co/Jcvj7L2LSl">pic.twitter.com/Jcvj7L2LSl</a></p>— Deutsche Telekom CERT (@DTCERT) <a href="https://twitter.com/DTCERT/status/1682032701430452233?ref_src=twsrc%5Etfw">July 20, 2023</a></blockquote>
</div>
<div>
<blockquote><p lang="en" dir="ltr">Now sharing info on likely CVE-2023-3519 vulnerable Citrix ADC/Gateway instances in our Vulnerable HTTP report: <a href="https://t.co/qxv0Gv6cAK">https://t.co/qxv0Gv6cAK</a><br><br>At least 11170 unique IPs found, most in the US (4.1K).<br><br>Make sure to patch: <a href="https://t.co/EHskF4kLdt">https://t.co/EHskF4kLdt</a><br><br>Dashboard stats: <a href="https://t.co/zbdpCDDaOF">https://t.co/zbdpCDDaOF</a> <a href="https://t.co/bJs1e32dIX">pic.twitter.com/bJs1e32dIX</a></p>— Shadowserver (@Shadowserver) <a href="https://twitter.com/Shadowserver/status/1682022404825182214?ref_src=twsrc%5Etfw">July 20, 2023</a></blockquote>
</div>
<p>Other queries by the threat actors were unsuccessful because the organization had implemented a segmented environment for the ADC appliance. The exfiltration queries that failed are as follows:</p>
<ul>
<li>Execution of a subnet-wide curl command to scan the internal network and check for potential lateral movement targets</li>
<li>Outbound network connectivity check with a ping command to google.com</li>
<li>Subnet-wide host commands for DNS lookups</li>
</ul>
<p>The threat actors also deleted the authorization config file <em>/etc/auth.conf</em> to prevent privileged users from logging in remotely. Had the organization attempted to regain access to the server by rebooting into single-user mode, that would have deleted the threat actors’ artifacts.</p>
<p>CISA has released a <a href="https://www.cisa.gov/sites/default/files/2023-07/aa23-201a_csa_threat_actors_exploiting_citrix-cve-2023-3519_to_implant_webshells.pdf">complete report</a> covering the MITRE ATT&amp;CK mapping, detection methods, and mitigation and prevention steps. Organizations are advised to follow them to mitigate this kind of breach.</p>
<p>The post <a href="https://cybersecuritynews.com/citrix-netscaler-hackers-webshells/">Hackers Exploiting Critical Citrix NetScaler Zero-day Flaw To Deploy Webshells</a> appeared first on <a href="https://cybersecuritynews.com">Cyber Security News</a>.</p>
cybersecuritynews.com
July 21, 2023 at 3:06 PM
I'll start by leaking the source code of the Cat website from an exposed git. Then there's XSS, SQLi, webshells, and an interesting Gitea CVE.
HTB: Cat
I’ll leak the source code for the Cat website from an exposed git directory. I’ll use XSS to capture the admin user’s cookie, and then a SQL injection to get a webshell on the host and remote code execution. I’ll pivot to the next user by cracking a hash in the web application database. I’ll find the next user’s password in the Apache access logs. Finally, I’ll exploit a vulnerability in a private Gitea instance to get root.
0xdf.gitlab.io
July 5, 2025 at 3:00 PM
He sells webshells on the webshore
April 30, 2025 at 9:34 AM
Webshells are pretty common across the spectrum of adversaries, but don't get as much shine as the fancy shmancy backdoors (read: Cobalt Strike Loaders)

We looked at some older custom tooling from APT34 and Turla, and some open source tools like ASPXSpy, and SharpyShell
December 1, 2024 at 6:57 AM
We share data on known compromised instances with webshells here - https://shadowserver.org/what-we-do/network-reporting/compromised-website-report/
August 7, 2023 at 9:28 AM
Did you see that recent Watchtowr blog about exactly that? The theory that webshells have backdoors and they found oodles of them. Amazing.
February 9, 2025 at 2:07 AM
It's probably strange because I've been thinking about detecting webshells in general, and not specific instances of webshells.

I hadn't realized that was new, thanks!
July 27, 2025 at 6:39 PM
Commonly Probed Webshell URLs, (Sun, Mar 9th)

Looking over some weblogs on my way back from class in Baltimore, I feel a reminder is appropriate that (a) weblogs are still a thing and (b) what some of the common webshells are that attackers are looking for.

#hackernews #news
isc.sans.edu
March 10, 2025 at 3:22 PM
while there are likely still webshells out there passing data in plaintext in the URI path, cookie, or body, hope this can implore some defenders to begin mining web server access logs for Cookies to find badness (especially if no EDR or other tech is deployed)
December 1, 2024 at 7:28 AM
SAP NetWeaver 0-Day Vulnerability Exploited in the Wild to Deploy Webshells.

cybersecuritynews.com/sap-netweave...
April 28, 2025 at 7:27 PM
[BleepingComputer] Hackers exploit ProjectSend flaw to backdoor exposed servers - BleepingComputer. Threat actors are using public exploits for a critical authentication bypass flaw in ProjectSend to upload webshells and gain remote access to servers.
November 29, 2024 at 9:00 PM
ID: CVE-2024-10201
CVSS V3.1: HIGH
Administrative Management System from Wellchoose does not properly validate uploaded file types, allowing remote attackers with regular privileges to upload and execute webshells.
#security #infosec #cve-alert
nvd.nist.gov
October 21, 2024 at 4:15 AM
CVE-2025-31324 (CVSS 10): Zero-Day in SAP NetWeaver Exploited in the Wild to Deploy Webshells and C2 Frameworks
Details: securityonline.info/cve-2025-313...
CVE-2025-31324 lets attackers exploit SAP NetWeaver to upload webshells and deploy C2 tools like Brute Ratel, affecting patched enterprise systems.
securityonline.info
April 25, 2025 at 6:18 AM
SANS Stormcast Friday, September 26th, 2025: Webshells in .well-known; Critical Cisco Vulns Exploited; XCSSET Update; GoAnywhere MFT Exploit Details
https://isc.sans.edu/podcastdetail/9630
September 26, 2025 at 4:05 AM
📌 NeoPI: A Powerful Tool for Detecting and Cleaning Up Webshells https://www.cyberhub.blog/article/13755-neopi-a-powerful-tool-for-detecting-and-cleaning-up-webshells
NeoPI is a specialized tool designed to detect and remove webshells, which are malicious scripts or executables uploaded by attackers to maintain persistent access to compromised web servers. Webshells are a common post-exploitation tool, allowing attackers to execute commands, manipulate files, and move laterally within networks. NeoPI's ability to automate the detection and removal process is significant, as it reduces the window of opportunity for attackers and enhances the security posture of organizations. The tool likely employs sophisticated detection mechanisms such as signature-based detection, heuristic analysis, or machine learning to identify webshells. This automation is crucial for large-scale environments where manual detection can be time-consuming and error-prone. The introduction of tools like NeoPI can greatly improve incident response capabilities, enabling security teams to respond more quickly to incidents and reduce potential damage. However, it's important to note that no tool is perfect. Webshells can be highly obfuscated or customized to evade detection. Therefore, NeoPI should be part of a layered defense strategy that includes regular vulnerability assessments, intrusion detection systems, and robust logging and monitoring. For cybersecurity professionals, integrating tools like NeoPI into their security operations can significantly reduce the risk posed by webshells. Regular scans, combined with other security measures, can help identify compromises early, before they can be leveraged for more damaging attacks. Keeping the tool updated with the latest signatures and detection algorithms is crucial for maintaining its effectiveness. In conclusion, NeoPI represents a valuable addition to the cybersecurity toolkit, offering enhanced detection and removal capabilities for webshells. However, it should be used in conjunction with other security measures to ensure comprehensive protection against cyber threats.
www.cyberhub.blog
September 29, 2025 at 12:40 AM
Urgent: CISA & FBI warn of exploited Ivanti vulnerabilities (CVE-2024-8963, CVE-2024-8190, CVE-2024-9379, CVE-2024-9380). Patch immediately; attacker gains RCE, steals credentials, implants webshells. Assume compromise. #IvantiVulnerabilityEmergency
January 23, 2025 at 5:04 PM
SAP NetWeaver 0-day Vulnerability Exploited in the Wild to Deploy Webshells.

cybersecuritynews.com/sap-netweave...
April 25, 2025 at 6:09 AM
SAP NetWeaver 0-day Vulnerability Exploited in the Wild to Deploy Webshells
A wave of targeted cyberattacks has exposed a previously unknown vulnerability in SAP NetWeaver, allowing attackers to deploy malicious JSP webshells and gain unauthorized access to enterprise systems, even those running the latest patches.
cybersecuritynews.com
April 25, 2025 at 7:09 AM
Webshells Hiding in .well-known Places, (Thu, Sep 25th)

Ever so often, I see requests for files in .well-known recorded by our honeypots. As an example:

#hackernews #news
isc.sans.edu
September 26, 2025 at 3:29 PM
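The two ISC posts above (commonly probed webshell URLs, and webshells hiding under .well-known) and the earlier suggestion to mine access logs for cookie-borne badness point at the same defender task, so here is an added example that is not from any of the linked posts: a small Python triage script run over constructed Apache access-log lines. It assumes a custom LogFormat that appends %{Cookie}i as a fourth quoted field; every sample line, address, cookie name and encoded payload is constructed for the demo.

```python
import base64
import re

# Assumed Apache LogFormat: the "combined" format plus "%{Cookie}i" as a fourth quoted field
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"'
)
B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")
SCRIPT_EXT = (".php", ".jsp", ".jspx", ".asp", ".aspx", ".cgi")

def decodes_to_text(value):
    # Heuristic: a cookie value that is base64 and decodes to printable ASCII is worth a second look
    if len(value) < 12 or not B64_RE.fullmatch(value):
        return False
    try:
        raw = base64.b64decode(value + "=" * (-len(value) % 4), validate=True)
    except ValueError:
        return False
    return all(32 <= b < 127 for b in raw)

def flag_request(rec):
    reasons = []
    path = rec["path"].split("?", 1)[0].lower()
    # /.well-known/ should only serve static metadata (ACME tokens, security.txt); a script there is a red flag
    if path.startswith("/.well-known/") and path.endswith(SCRIPT_EXT):
        reasons.append("script under .well-known")
    # Webshells are usually driven by direct POSTs that no page on the site linked to
    if rec["method"] == "POST" and path.endswith(SCRIPT_EXT) and rec["referer"] == "-":
        reasons.append("referer-less POST to script")
    # Encoded text riding in a cookie keeps the URI and body clean, which is why defenders should log cookies
    for part in rec["cookie"].split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and decodes_to_text(value):
            reasons.append(f"suspicious encoded cookie {name}")
    return reasons

def scan_log(lines):
    # Return (ip, path, reasons) for every parsed line that trips at least one heuristic
    recs = (m for m in map(LOG_RE.match, lines) if m)
    return [(m["ip"], m["path"], r) for m in recs if (r := flag_request(m.groupdict()))]

# Constructed sample log lines; the encoded cookie carries a harmless constructed payload
CMD_COOKIE = base64.b64encode(b"cmd=whoami").decode()
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Sep/2025:10:01:02 +0000] "GET /.well-known/acme-challenge/token123 HTTP/1.1" 200 87 "-" "acme-client/1.0" "-"',
    '203.0.113.9 - - [25/Sep/2025:10:02:15 +0000] "POST /.well-known/pki-validation/cache.php HTTP/1.1" 200 512 "-" "Mozilla/5.0" "-"',
    f'198.51.100.7 - - [25/Sep/2025:10:03:40 +0000] "GET /index.php HTTP/1.1" 200 4096 "https://example.test/" "Mozilla/5.0" "PHPSESSID=st9ol2k4j3h2g1f0d9s8a7; x={CMD_COOKIE}"',
    '198.51.100.8 - - [25/Sep/2025:10:04:01 +0000] "GET /about.php HTTP/1.1" 200 2048 "https://example.test/" "Mozilla/5.0" "PHPSESSID=st9ol2k4j3h2g1f0d9s8a7"',
]
```

Running `scan_log(SAMPLE_LOG)` flags only the POST to the .php file under .well-known and the request carrying the encoded cookie; the ACME challenge fetch and the plain session cookie pass untouched.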
Commvault’s Comedy of Errors: Vulnerability Exploited by Nation-State, But No Backup Drama!

Commvault vulnerability exploited remotely! Learn how to protect against CVE-2025-3928 with IoCs and best practices. Don't let webshells crash your party!
thenimblenerd.com?p=1044336
Commvault has disclosed IoCs linked to CVE-2025-3928, a vulnerability in its software. The issue, now part of CISA's KEV catalog, allows remote exploitation to execute webshells, potentially compromising systems. A previously exploited zero-day, this flaw impacts certain Commvault versions. The company is actively assisting affected clients and enhancing security measures.
thenimblenerd.com
May 1, 2025 at 12:17 PM
🚨 Citrix/NetScaler Zero-Day Under Attack 🚨
CVE-2025-7775 is being exploited right now in the wild, dropping webshells + giving attackers persistent access.

Citrix says: no workarounds, just patch immediately.

Do you trust Citrix after so many zero-days in 2025?
August 27, 2025 at 7:33 AM
🧵 What’s happening:
– The three unique attacker clusters are targeting tech, critical infrastructure and architecture and engineering firms
– Two clusters deployed webshells designed to execute commands or collect sensitive system information. Another operated filelessly.
July 21, 2025 at 11:16 PM