Skip to main content
Mallory
Back to vulnerabilities
CriticalCISA KEVExploited in the wildPublic exploit

Citrix ShareFile Storage Zones Controller unauthenticated file upload and RCE

IdentifiersCVE-2023-24489CWE-434

CVE-2023-24489 is a critical vulnerability in customer-managed Citrix ShareFile Storage Zones Controller, affecting supported versions prior to 5.11.24. The flaw is in the Documentum Connector upload workflow, particularly upload.aspx and the underlying file handling path. According to the provided content, the application may continue processing requests without enforcing authentication when the expected session cookie is absent. In addition, an AES-CBC/PKCS#7-based encrypted parameter check can be bypassed by supplying ciphertext that decrypts to data with valid padding. The upload flow also fails to properly sanitize the uploadId parameter before using it in file path construction, enabling path traversal during file upload. Together, these issues allow an unauthenticated remote attacker to upload an arbitrary file, including a malicious ASPX web shell, to a server-controlled path and then execute it via HTTP, resulting in remote compromise of the ShareFile Storage Zones Controller.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can lead to full remote compromise of the customer-managed ShareFile Storage Zones Controller by an unauthenticated attacker. The attacker can upload arbitrary files to the IIS-hosted application, place a web shell or other malicious payload in a reachable location, and execute code remotely. The advisory states the impact is high across confidentiality, integrity, and availability. In practical terms, this can expose files and sensitive data handled by ShareFile, enable persistent access, support follow-on lateral movement, and allow service disruption or destructive actions on the affected server.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure of customer-managed ShareFile Storage Zones Controller to untrusted networks, restrict access to the affected web application and Documentum upload endpoints where feasible, and monitor for suspicious POST requests to /documentum/upload.aspx containing parameters such as parentid, filename, uploadId, unzip, and raw. On Windows IIS hosts, monitor for web-shell-like behavior such as w3wp.exe spawning cmd.exe, powershell.exe, certutil.exe, wmic.exe, or similar child processes. Review the web root and application directories for unauthorized uploaded ASPX files and remove any malicious artifacts. These are temporary risk-reduction measures and do not replace vendor patching.

Remediation

Patch, then assume compromise.

Upgrade customer-managed Citrix ShareFile Storage Zones Controller to version 5.11.24 or later, as recommended by Citrix. Apply the vendor security update referenced in Citrix Advisory #2023-71 / CTX559517. Customers using ShareFile-managed storage zones in Citrix cloud are stated to require no action for this issue.
PUBLIC EXPLOITS

Exploits

1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.

VALID 1 / 1 TOTALView more in app
CVE-2023-24489-ShareFileMaturityPoCVerified exploit

This repository contains a Python exploit script (cve.py) targeting Citrix ShareFile's remote code execution vulnerability (CVE-2023-24489). The exploit works by abusing the /documentum/upload.aspx endpoint to upload a crafted ASPX webshell, which then allows arbitrary command execution on the target server. The script supports both Windows and Linux targets, generating the appropriate payload for each. It can be run in two modes: direct exploitation of a single target (--host) or mass checking a list of potential targets (--mass-check). The script is operational and provides command execution capabilities, returning the output to the attacker. The main fingerprintable endpoints are /documentum/upload.aspx (for exploitation) and /cifs/real.aspx (for retrieving command output). The repository is structured simply, with the main exploit logic in cve.py, and includes a README with usage instructions and references.

adhikara13Disclosed Jul 12, 2023pythonnetwork
EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
Citrix SystemsSharefile Storage Zones Controllerapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

5 SOURCESView more in app
splunk researchNews
Feb 25, 2026
Detection: Citrix ShareFile Exploitation CVE-2023-24489 | Splunk Security Content

A remote code execution vulnerability in Citrix ShareFile associated with malicious file upload attempts via suspicious upload.aspx URL patterns.

Read more
splunk researchNews
Feb 25, 2026
Detection: Windows Suspicious Child Process Spawned From WebServer | Splunk Security Content

A remote code execution vulnerability in Citrix ShareFile referenced as an associated analytic story.

Read more
optiv blogNews
Sep 20, 2023
Critical Vulnerabilities Affecting Prioritized Software and Services in August 2023

A critical vulnerability in Citrix ShareFile storage zones controller allowing unauthenticated remote attackers to upload arbitrary files or execute code. Exploited in the wild with public PoC available.

Read more
splunk researchNews
Jul 26, 2023
Analytics Story: Citrix ShareFile RCE CVE-2023-24489 | Splunk Security Content

A critical remote code execution vulnerability in Citrix ShareFile Storage Zones Controller that allows unauthenticated arbitrary file upload and RCE via a cryptographic check bypass and path traversal in the Documentum Connector upload functionality.

Read more
+1 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware1

Malware families riding this exploit, with evidence and IOCs.

Detection signatures1

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2023-24489
NVD
nvd.nist.gov/vuln/detail/CVE-2023-24489
MITRE CWE · CWE-434
cwe.mitre.org
US Government Resource
cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-24489