CVE-2023-24489

CRITICAL KEV RANSOMWARE NUCLEI

Citrix ShareFile Storage Zones Controller - Unauthenticated Remote Compromise

Title source: manual

Exploitation Summary

CVE-2023-24489 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added August 16, 2023, with confirmed use in ransomware campaigns. EIP tracks 2 public exploits from researchers including adhikara13, whalebone7. A Nuclei detection template is also available.

AI-analyzed exploit summary This repository contains a functional Python exploit for CVE-2023-24489, a remote code execution vulnerability in Citrix ShareFile. The exploit leverages a padding oracle attack to bypass authentication and upload a malicious ASPX file, achieving arbitrary command execution.

Description

A vulnerability has been discovered in the customer-managed ShareFile storage zones controller which, if exploited, could allow an unauthenticated attacker to remotely compromise the customer-managed ShareFile storage zones controller.

Exploits (2)

nomisec WORKING POC 13 stars

by adhikara13 · remote

https://github.com/adhikara13/CVE-2023-24489-ShareFile

View Code ZIP pw:eip

This repository contains a functional Python exploit for CVE-2023-24489, a remote code execution vulnerability in Citrix ShareFile. The exploit leverages a padding oracle attack to bypass authentication and upload a malicious ASPX file, achieving arbitrary command execution.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Citrix ShareFile

No auth needed

Prerequisites: Network access to the target ShareFile instance · Python environment with 'requests' library

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 18, 2026 Full analysis →

nomisec WORKING POC 1 stars

by whalebone7 · remote

https://github.com/whalebone7/CVE-2023-24489-poc

View Code ZIP pw:eip

This repository contains a functional exploit PoC for CVE-2023-24489, a remote code execution vulnerability in Citrix ShareFile. The script uploads a malicious ASPX file via a path traversal vulnerability and checks for successful execution.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Citrix ShareFile

No auth needed

Prerequisites: List of target URLs in target.txt · Network access to target

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 18, 2026 Full analysis →

Nuclei Templates (1)

Citrix ShareFile StorageZones Controller - Unauthenticated Remote Code Execution

CRITICALVERIFIEDby DhiyaneshDK,dwisiswant0

Shodan: title:"ShareFile Storage Server" || http.title:"sharefile storage server"

FOFA: title="sharefile storage server"

References (2)

Core 2

Core References

Broken Link, Vendor Advisory

https://support.citrix.com/article/CTX559517/sharefile-storagezones-controller-security-update-for-cve202324489

US Government Resource

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-24489

Scores

CVSS v3 9.8

EPSS 0.9439

EPSS Percentile 100.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation active

Automatable yes

Technical Impact total

Details

CISA KEV 2023-08-16

VulnCheck KEV 2023-07-26

InTheWild.io 2023-08-16

ENISA EUVD EUVD-2023-28507

Ransomware Use Confirmed

CWE

CWE-284

Status published

Products (1)

citrix/sharefile_storage_zones_controller < 5.11.24

Published Jul 10, 2023

KEV Added Aug 16, 2023

Tracked Since Feb 18, 2026