CVE-2023-3519 Exploited: Credential Harvesting Campaign Targets Citrix NetScaler Gateways - Active IOCs
Cybercriminals are conducting a large-scale credential harvesting campaign that exploits a critical vulnerability in unpatched Citrix NetScaler Gateways to insert malicious scripts into HTML authentication web pages and capture user credentials. The campaign began in August 2023, with over 2,000 Citrix servers compromised by mid-August, and over 600 unique victim IP addresses identified in September, primarily in the U.S. and Europe. The threat actors registered several domains and modified the authentication pages to reference remote JavaScript files hosted on their own infrastructure; these scripts collect form data and transmit the stolen credentials to attacker-controlled servers. IBM and CISA have released warnings and mitigation advice in response to the active exploitation of this vulnerability. The campaign has not yet been attributed to any specific group.
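Because the injected code is loaded from a remote host, a defender can check a saved copy of the gateway's authentication page for script references that leave the gateway's own origin. The following is an added example, not code from IBM, CISA or Citrix; the function name `remote_scripts`, the hostnames and the file names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _ScriptCollector(HTMLParser):
    """Collects the src attribute of every <script> element."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src.strip())


def remote_scripts(page_html, page_url, allowed_hosts=()):
    """Return script URLs that load from a host other than the gateway itself.

    page_url is the URL the authentication page was fetched from (assumption:
    the caller saved the page and knows its URL); allowed_hosts lists extra
    hosts the administrator knows to be legitimate.
    """
    trusted = {urlsplit(page_url).hostname, *(h.lower() for h in allowed_hosts)}
    collector = _ScriptCollector()
    collector.feed(page_html)
    findings = []
    for src in collector.sources:
        absolute = urljoin(page_url, src)  # resolves relative and //host forms
        if urlsplit(absolute).hostname not in trusted:
            findings.append(absolute)
    return findings


# Constructed sample: one script served by the gateway, one injected remote reference.
SAMPLE_URL = "https://gateway.example.com/login.html"
SAMPLE_HTML = """
<html><head>
<script src="/static/login.js"></script>
<script src="//files.unknown-host.example/collect.js"></script>
</head><body><form id="login"></form></body></html>
"""

if __name__ == "__main__":
    for url in remote_scripts(SAMPLE_HTML, SAMPLE_URL):
        print("remote script on authentication page:", url)
```

Any hit should be compared against a known-good copy of the page from the vendor image, since a clean authentication page normally loads its scripts from the gateway itself.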