Citrix ShareFile Remote Code Execution Vulnerability

PROPHET SPIDER was observed exploiting a remote code execution (RCE) vulnerability impacting Citrix ShareFile Storage Zones Controller to compromise a Microsoft Internet Information Services (IIS) web server.

The adversary exploited the vulnerability to deploy a webshell, which was then used to download additional tools. This incident highlights how PROPHET SPIDER keeps evolving its tradecraft while still relying on known web-server vulnerabilities for initial access.

In September 2021, Citrix disclosed a relative path-traversal vulnerability in ShareFile Storage Zones Controller, designated CVE-2021-22941. Shortly thereafter, security researchers demonstrated a proof-of-concept (PoC) exploit for the CVE. Based on the published technical details, others were able to reproduce fully weaponized exploits for CVE-2021-22941, which have proliferated since mid-October 2021. The vulnerability allows an adversary to overwrite an existing file on the target server by passing a path-traversal sequence in the uploadid parameter of an HTTP GET request.
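Because the page's only technical detail is the vector (a traversal sequence in the uploadid query parameter of a GET request), the most useful thing to add is a hunt over IIS W3C logs for exactly that. The example below is an added illustration, not Citrix's or any vendor's detection logic: it parses the `#Fields` directive, URL-decodes the uploadid value repeatedly so that percent-encoded and double-encoded `..` sequences collapse to a literal traversal, and reports the offending requests. The log excerpt is constructed for the example, and the request path `/sf/upload.aspx` in it is an assumption; the check keys only on the uploadid parameter the text names.

```python
import re
from urllib.parse import parse_qs, unquote

# A '..' path segment bounded by either separator (../ or ..\) or by the string ends.
TRAVERSAL = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")

# Constructed IIS W3C log excerpt for this example (not a real capture).
# The uri-stem /sf/upload.aspx is an assumption; detection does not depend on it.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2021-10-20 14:03:09 10.0.0.5 GET /sf/upload.aspx uploadid=8f1c2a&bp=1 443 203.0.113.9 ShareFileClient/5.0 200
2021-10-20 14:03:11 10.0.0.5 GET /sf/upload.aspx uploadid=..%2f..%2f..%2fsf%2fx.aspx&bp=1 443 198.51.100.7 python-requests/2.26.0 200
2021-10-20 14:03:12 10.0.0.5 GET /sf/upload.aspx uploadid=%252e%252e%255cweb.config 443 198.51.100.7 python-requests/2.26.0 200
2021-10-20 14:03:15 10.0.0.5 GET /sf/x.aspx - 443 198.51.100.7 Mozilla/5.0 200
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if fields is None or len(values) != len(fields):
            continue  # header missing or malformed line: skip rather than guess
        yield dict(zip(fields, values))


def decode_fully(value, rounds=3):
    """Percent-decode until stable so %2e%2e%2f and double-encoded %252e%252e%255c
    both end up as a literal '..' separator sequence before the regex runs."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    return value


def traversal_in_uploadid(query):
    """Return the decoded uploadid value if it carries a traversal, else None.
    IIS writes '-' for an empty query string."""
    if query in ("", "-"):
        return None
    for key, values in parse_qs(query, keep_blank_values=True).items():
        if key.lower() != "uploadid":
            continue
        for v in values:  # parse_qs already decoded one layer; handle the rest
            decoded = decode_fully(v)
            if TRAVERSAL.search(decoded):
                return decoded
    return None


def find_uploadid_traversal(text):
    """Scan a W3C log and return one record per request whose uploadid traverses."""
    hits = []
    for rec in parse_w3c(text):
        decoded = traversal_in_uploadid(rec.get("cs-uri-query", "-"))
        if decoded is not None:
            hits.append({
                "time": f"{rec['date']} {rec['time']}",
                "c-ip": rec["c-ip"],
                "method": rec["cs-method"],
                "stem": rec["cs-uri-stem"],
                "uploadid": decoded,
                "status": rec["sc-status"],
            })
    return hits


if __name__ == "__main__":
    for hit in find_uploadid_traversal(SAMPLE_LOG):
        print(hit)
```

The method is deliberately not filtered to GET: the text describes GET, but keying on the parameter rather than the verb costs nothing and survives trivial variation. Once a hit is found, the natural pivot is the traversal target itself (here the assumed `x.aspx`), since a subsequent request to a newly writable server-side script is what a webshell deployment of the kind described above would look like in the same log.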
