Active Exploitation Of Big-IP And Citrix Vulnerabilities Observed By Cyble Global Sensor Intelligence Network – Cyble

Cyble Global Sensor Intelligence (CGSI) reports ongoing exploitation of the newly disclosed Citrix CVE-2023-4966 and F5 BIG-IP CVE-2023-46747 and CVE-2023-46748, with PoCs circulating in cybercrime forums and thousands of internet-facing vulnerable devices identified. The report details active exploitation, scanning activity, and recommended mitigations, highlighting how attackers gain administrative access and run commands via exposed management interfaces.
#CVE-2023-4966 #CVE-2023-46747 #CVE-2023-46748 #BIG-IP #NetScaler #Citrix #PraetorianLabs #CGSI #CISA

Keypoints

  • Cyble CGSI observes active exploitation of CVE-2023-4966 (Citrix) and CVE-2023-46747/46748 (BIG-IP) after CISA alerts.
  • Public PoCs circulated in cybercrime forums preceded rapid exploitation; CGSI captures exploitation attempts.
  • Online scanners show thousands of exposed assets: more than 1,000 BIG-IP instances and over 20,000 NetScaler instances online.
  • Geographic exposure analysis highlights top countries with the highest counts of internet-facing BIG-IP and NetScaler devices.
  • Technical details reveal an authentication bypass on BIG-IP and administrative user creation via manipulated AJP requests and the mgmt API, including a curl-based command execution example.
  • Vulnerable software versions and vendor mitigations are documented; recommendations include patching, monitoring, and network segmentation.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – ‘Within days of the proof of concept being made public, both vulnerabilities were actively exploited, which led to the capture of exploitation attempts via CGSI sensors.’
  • [T1046] Network Service Scanning – ‘BIG-IP Scanning Attempts Captured By CGSI’ and hundreds/thousands of exposed assets identified by online scanners.
  • [T1136] Create Account – ‘to create a new administrator user using the provided credentials.’
  • [T1078] Valid Accounts – ‘authenticate with the F5 system through the standard authentication process and subsequently execute arbitrary commands via the mgmt API.’
  • [T1059.004] Unix Shell – ‘curl -sk -u USER:PASS -H Content-Type: application/json -X POST -d {"command": "run", "utilCmdArgs": "-c whoami"} https://$IP:8443/mgmt/tm/util/bash’

Indicators of Compromise

  • [IP] F5 BIG-IP Configuration Utility SQL Injection Vulnerability – 146.70.45.222, 146.70.45.213, and 4 more IPs
  • [IP] F5 BIG-IP Configuration Utility Authentication Bypass Vulnerability – 67.213.219.219, 92.119.179.87, and 1 more IP
  • [IP] Citrix NetScaler ADC and NetScaler Gateway Buffer Overflow Vulnerability – 141.164.35.138
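The MITRE section above shows command execution going through the BIG-IP `/mgmt/tm/util/bash` REST endpoint, and the IoC section lists the source addresses CGSI observed. The following is an added detection example, not code from the Cyble report or from F5: it walks HTTP access-log lines and flags any request whose source IP is in the report's IoC list, any request to a `/mgmt/` path from an address outside the RFC 1918 ranges (the management interface should not be reachable from the internet at all), and any POST to the bash endpoint. The combined-log-format layout, the sample log lines and the RFC 1918 definition of "internal" are assumptions made for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Source IPs from the report's IoC section (copied from the page).
IOC_IPS = {
    "146.70.45.222", "146.70.45.213",   # BIG-IP SQL injection (CVE-2023-46748) activity
    "67.213.219.219", "92.119.179.87",  # BIG-IP authentication bypass (CVE-2023-46747) activity
    "141.164.35.138",                   # NetScaler buffer overflow (CVE-2023-4966) activity
}

# The iControl REST endpoint shown in the report's curl example.
CMD_EXEC_PATH = "/mgmt/tm/util/bash"

# Assumption: "internal" means RFC 1918 space. ipaddress.is_private is deliberately
# not used because it also treats documentation ranges such as 203.0.113.0/24 as private.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumption: combined log format, e.g.
#   1.2.3.4 - - [01/Nov/2023:10:00:07 +0000] "POST /mgmt/tm/util/bash HTTP/1.1" 200 143
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


@dataclass
class Finding:
    line_no: int
    src_ip: str
    reasons: tuple


def is_internal(ip: str) -> bool:
    """True if ip lies in one of the RFC 1918 networks; unparsable input counts as external."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)


def analyse(lines):
    """Return one Finding per log line that matches at least one detection rule."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        ip, method = m["ip"], m["method"]
        path = m["path"].split("?", 1)[0]  # drop any query string before comparing
        reasons = []
        if ip in IOC_IPS:
            reasons.append("src-ip-in-ioc-list")
        if path.startswith("/mgmt/") and not is_internal(ip):
            reasons.append("mgmt-api-from-external")
        if method == "POST" and path == CMD_EXEC_PATH:
            # Flag regardless of status code: a 401 here is still an attempt worth seeing.
            reasons.append("bash-endpoint-command-exec")
        if reasons:
            findings.append(Finding(n, ip, tuple(reasons)))
    return findings


# Constructed sample log; addresses other than the IoCs are from documentation ranges.
SAMPLE_LOG = [
    '10.0.0.5 - admin [01/Nov/2023:10:00:01 +0000] "GET /mgmt/tm/sys/version HTTP/1.1" 200 512',
    '92.119.179.87 - - [01/Nov/2023:10:00:07 +0000] "POST /mgmt/tm/util/bash HTTP/1.1" 200 143',
    '203.0.113.9 - - [01/Nov/2023:10:00:09 +0000] "GET / HTTP/1.1" 200 2048',
    '203.0.113.9 - - [01/Nov/2023:10:00:12 +0000] "POST /mgmt/tm/util/bash HTTP/1.1" 401 0',
    '141.164.35.138 - - [01/Nov/2023:10:00:15 +0000] "GET / HTTP/1.1" 200 2048',
    'not a log line at all',
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.src_ip} -> {', '.join(f.reasons)}")
```

On the sample input the internal version check on line 1 is silent, line 2 trips all three rules, the unauthenticated POST on line 4 still trips the two endpoint rules, and line 5 is caught by IP reputation alone. In practice the IoC match is the weakest signal (addresses rotate), while any external reach of `/mgmt/` is the finding that should drive the segmentation fix the report recommends.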

Read more: https://cyble.com/blog/active-exploitation-of-big-ip-and-citrix-vulnerabilities-observed-by-cyble-global-sensor-intelligence-network/