Tuesday, July 16, 2024

Hackers Actively Exploiting Big-IP and Citrix Vulnerabilities

Experts issued security alerts concerning the ongoing exploitation of Big-IP (CVE-2023-46747, CVE-2023-46748) and Citrix (CVE-2023-4966) vulnerabilities.

The publicly available Proof of Concepts (POCs) for these vulnerabilities were rapidly circulated in cybercrime forums.

Over 20,000 “Netscaler” instances and 1,000 “Big IP” instances are available online.

These systems might be attractive targets for attackers and might be exposed to current security flaws, according to Cyble researchers.

Details of the BIG IP Vulnerabilities:

The vulnerability, identified as CVE-2023-46747, allows an attacker having network access to the BIG-IP system over the management port and/or self-IP addresses to execute arbitrary system instructions.

Undisclosed requests could bypass configuration utility authentication.

The next vulnerability is tracked as CVE-2023-46748 in the BIG-IP Configuration utility. It allows an authenticated attacker to execute arbitrary system commands if they have network access to the Configuration utility through the BIG-IP management port or self-IP addresses.

Top 5 Countries with the highest count of Internet-exposed BIG-IP Instances

F5 BIG-IP Virtual Edition is linked to CVE-2023-46747 and CVE-2023-46748. F5 has identified threat actors as using the CVE-2023-46747 vulnerability to launch attacks that take advantage of CVE-2023-46748.

Praetorian Labs security professionals found these vulnerabilities and made the information public on October 26, 2023.

They discovered an authentication bypass flaw that had the ability to result in a full compromise of F5 systems with an exposed Traffic Management User Interface (TMUI).

BIG-IP Versions Known to be Vulnerable:

  • 17.1.0
  • 16.1.0 – 16.1.4
  • 15.1.0 – 15.1.10
  • 14.1.0 – 14.1.5
  • 13.1.0 – 13.1.5
Protect Your Storage With SafeGuard

Is Your Storage & Backup Systems Fully Protected? – Watch 40-second Tour of SafeGuard

StorageGuard scans, detects, and fixes security misconfigurations and vulnerabilities across hundreds of storage and backup devices.


To mitigate this issue, you can run the script provided in the F5 advisory for BIG-IP versions 14.1.0 and later.

Citrix Vulnerability

With a critical CVSS score of 9.4, CVE-2023-4966 is categorized as a “sensitive information disclosure” vulnerability. Its elevated score for an information disclosure vulnerability makes it noteworthy.

Top 5 Countries with the highest count of Internet-exposed NetScaler Instances

Researchers at Assetnote examined and documented the exploitation of CVE-2023-4966.

Vulnerable Software Version(s)

  • NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50
  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19
  • NetScaler ADC 13.1-FIPS before 13.1-37.164
  • NetScaler ADC 12.1-FIPS before 12.1-55.300
  • NetScaler ADC 12.1-NDcPP before 12.1-55.300


Customers of NetScaler ADC and NetScaler Gateway are strongly encouraged by Citrix to install the appropriate upgraded versions of these products as soon as possible:

  • NetScaler ADC and NetScaler Gateway 14.1-8.50 and later releases
  • NetScaler ADC and NetScaler Gateway 13.1-49.15  and later releases of 13.1
  • NetScaler ADC and NetScaler Gateway 13.0-92.19 and later releases of 13.0 
  • NetScaler ADC 13.1-FIPS 13.1-37.164 and later releases of 13.1-FIPS 
  • NetScaler ADC 12.1-FIPS 12.1-55.300 and later releases of 12.1-FIPS 
  • NetScaler ADC 12.1-NDcPP 12.1-55.300 and later releases of 12.1-NDcPP

Since attackers are currently targeting the vulnerabilities, it is recommended that mitigations be applied as soon as possible.

Patch Manager Plus, the one-stop solution for automated updates of over 850 third-party applications: Try Free Trial.


Latest articles

HardBit Ransomware Using Passphrase Protection To Evade Detection

In 2022, HardBit Ransomware emerged as version 4.0. Unlike typical ransomware groups, this ransomware...

New Poco RAT Weaponizing 7zip Files Using Google Drive

The hackers weaponize 7zip files to pass through security measures and deliver malware effectively.These...

New ShadowRoot Ransomware Attacking Business Via Weaponized PDF’s

X-Labs identified basic ransomware targeting Turkish businesses, delivered via PDF attachments in suspicious emails...

Hacktivist Groups Preparing for DDoS Attacks Targeting Paris Olympics

Cyble Research & Intelligence Labs (CRIL) researchers have identified a cyber threat targeting the...

Critical Cellopoint Secure Email Gateway Flaw Let Attackers Execute Arbitrary Code

A critical vulnerability has been discovered in the Cellopoint Secure Email Gateway, identified as...

Singapore Banks to Phase out OTPs for Bank Account Logins Within 3 Months

The Monetary Authority of Singapore (MAS) and The Association of Banks in Singapore (ABS)...

GuardZoo Android Malware Attacking military personnel via WhatsApp To Steal Sensitive Data

A Houthi-aligned group has been deploying Android surveillanceware called GuardZoo since October 2019 to...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles