Company

ABOUT ESENTIRE

eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.

About Us →

Leadership →

Careers →

Event Calendar →

Newsroom →

Aston Villa Football Club →

EVENT CALENDAR

Apr

RSAC™ 2025 Conference

May

CISO Strategy Virtual Meetings Seattle

May

May TRU Intelligence Briefing

May

Elevate IT Technology Summit Kansas City

May

Cybersecurity Summit Toronto

View Calendar →

LATEST PRESS RELEASE

Mar 06, 2025

eSentire Unleashes AI-Driven Atlas Nexus Network, Empowering Cybersecurity Partners to Build Differentiated Security Services at Scale

View Newsroom →

OUR PARTNERSHIPS

Aston Villa Football Club

AVFC takes its cyber protection to the Next Level with eSentire as its official cybersecurity partner.

Learn More

Speak With A Security Expert Now

TALK TO AN EXPERT

THE THREAT

eSentire is aware of reports that the Citrix ShareFile StorageZones Controller vulnerability CVE-2023-24489 (CVSS: 9.8) is now under widespread exploitation by multiple threat actor groups. Organizations using Citrix ShareFile need to take immediate action to prevent abuse by threat actors.

CVE-2023-24489 is an improper resource control vulnerability. Exploitation would enable a remote and unauthenticated threat actor to achieve authenticated arbitrary file upload; this would allow for Remote Code Execution (RCE) and enable threat actors to exfiltrate sensitive data from the platform. The vulnerability was initially disclosed on June 13th, 2023, and Proof-of-Concept (PoC) exploit code has been publicly available since at least July 4th.

As exploitation of this vulnerability is now confirmed to be widespread, it is critical that organizations ensure security patches are deployed and review any potentially impacted devices for signs of compromise.

What we’re doing about it

IP addresses associated with real-world attacks are blocked via the eSentire Global Block List
Threat Hunts, based on IIS web access logs and known Indicators of Compromise(IOCs) , have been performed
- Any impacted organizations will be notified through the eSentire Security Operations Center (SOC)
The eSentire Threat Response Unit (TRU) is actively tracking this threat and reviewing publicly available Proof-of-Concept (PoC) exploit code for additional details and detection opportunities
eSentire Managed Vulnerability Service (MVS) will add relevant plugins when they become available

What you should do about it

After performing a business impact review, update ShareFile storage zones controller to version 5.11.24 or later
- Alternative mitigations are not currently available
- Organizations using ShareFile-managed storage zones in the cloud do not need to take any actions
If patching is not possible, organizations are recommended to limit access to the impacted products

Additional information

Citrix ShareFile StorageZones Controller is a managed file transfer SaaS cloud storage solution, meant to enable the secure upload and download of sensitive files. CVE-2023-24489 impacts all versions of customer-managed ShareFile storage zones controller before version 5.11.24.

Exploitation of this vulnerability would enable a variety of malicious actions; attackers may steal sensitive data or upload malicious content, such as webshells, to enable persistent access to victim environments. CVE-2023-24489 is similar to past vulnerabilities in Managed File Transfer (MTF) solutions, such as Accellion FTA and GoAnywhere. Vulnerabilities in MTF platforms have been heavily targeted in the past to enable data theft and extortion attacks. The eSentire Threat Intelligence team assesses that it is probable threat actors will exploit CVE-2023-24489 in order to run extortion campaigns.

The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2023-24489 to the CISA Known Exploited Vulnerability catalog on August 16th. US Federal Agencies have until September 6th, 2023, to ensure all impacted devices are updated. On the same day, the cyber intelligence company GreyNoise confirmed that they identified a “significant spike” in CVE-2023-24489 exploitation attempts.

The popularity of Citrix, combined with the publicly available PoC exploit code and the history of successful exploitation of similar vulnerabilities, makes CVE-2023-24489 highly attractive to financially motived threat actor groups. Widespread exploitation is ongoing and will continue until organizations have fully remediated the vulnerability.

References:

[1] https://nvd.nist.gov/vuln/detail/CVE-2023-24489
[2] https://support.citrix.com/article/CTX559517/sharefile-storagezones-controller-security-update-for-cve202324489
[3] https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-158a#:~:text=Internet%2Dfacing%20MOVEit,in%20early%202023
[4] https://www.cisa.gov/news-events/alerts/2023/08/16/cisa-adds-one-known-exploited-vulnerability-catalog
[5] https://www.cisa.gov/known-exploited-vulnerabilities-catalog
[6] https://www.greynoise.io/blog/introducing-cve-2023-24489-a-critical-citrix-sharefile-rce-vulnerability

ESENTIRE SERVICES

Managed Detection and Response

All-In-One MDR Solution →

MDR for Microsoft →

MDR for GenAI →

Digital Forensics and Incident Response

Continuous Threat Exposure Management (CTEM)

PLATFORM, PEOPLE AND RESPONSE

Security Operations Center (SOC)

Extended Detection and Response (XDR)

Technology Integrations

Threat Response Unit (TRU)

Cyber Resilience Team

Response and Remediation

MDR Packages and 24/7 Protection

MDR Pricing and Packages

Atlas Essentials

Atlas Advanced

Atlas Complete

24/7 Coverage

Endpoint

Network

Log

Cloud

Identity

INDUSTRIES

Insurance

Construction

Finance

Legal

Manufacturing

Private Equity

Healthcare

Retail

Food Supply

Government and Education

Automotive Dealerships

USE CASES

Ransomware

Cybersecurity Compliance

Zero Day Attacks

Cloud Misconfiguration

Third-Party Risk

Do More With Less

Cyber Risk

Cyber Insurance

Sensitive Data Security

Security Leadership

Cyber Threat Intelligence

From The Blog

Unlocking New Possibilities for Network Monitoring and Security with…

Sock(et) Puppet: How RansomHub Affiliates Pull the Strings

Phish & Chips: Serving Up Tycoon 2FA’s Secrets

Resources

Case Studies

TRU Intelligence Center

Cybersecurity Tools

Videos

Reports

Webinars

Data Sheets

Real vs. Fake MDR

Compare MDR Vendors

Blogs

Security Advisories

SECURITY ADVISORIES

Maximum Severity SAP Vulnerability Exploited

CrushFTP Authentication Bypass