Citrix vulnerability allowed criminals to hack 80,000 companies

Researchers have found a vulnerability in popular enterprise software offerings from Citrix which puts tens of thousands of companies at risk of cyberattack.

Mikhail Klyuchnikov, cybersecurity expert at Positive Technologies, says he uncovered a critical vulnerability in Citrix Application Delivery Controller (NetScaler ADC) and Citrix Gateway (NetScaler Gateway), which allows direct access to a company network from the internet.

No accounts necessary, anyone can do it.

According to Positive Technologies’ report on the flaw, around 80,000 companies in 158 countries around the world could be at risk. Most companies are located in the US, with the UK, Germany, the Netherlands and Australia sharing a significant portion.

The discovered vulnerability was assigned identifier CVE-2019-19781 and even though the CVSS severity level has not yet been determined, Positive Technologies expect the highest level, 10, to be given. This vulnerability affects all supported versions of the product, and all supported platforms, including Citrix ADC and Citrix Gateway 13.0, Citrix ADC and NetScaler Gateway 12.1, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1, and also Citrix NetScaler ADC and NetScaler Gateway 10.5.

The attacker could access published applications and attack other resources directly from the Citrix server. Citrix released a set of measures, saying it’s paramount that all vulnerable versions get updated immediately.

"Citrix applications are widely used in corporate networks. This includes their use for providing terminal access of employees to internal company applications from any device via the Internet. Considering the high risk brought by the discovered vulnerability, and how widespread Citrix software is in the business community, we recommend information security professionals take immediate steps to mitigate the threat," says Dmitry Serebryannikov, Director of Security Audit Department, Positive Technologies.

Serebryannikov praised Citrix’s fast response to the matter: "On a separate note, we want to point out that the vendor responded very promptly, by creating and releasing a set of risk mitigation measures within just a couple of weeks after the vulnerability was discovered. From our experience, we know that in many cases it can take months."

Sead Fadilpašić is a freelance tech writer and journalist with more than 17 years' experience writing technology-focussed news, blogs, whitepapers, reviews, and ebooks. His work has featured in online media outlets from all over the world, including Al Jazeera Balkans (where he was a Multimedia Journalist), Crypto News, TechRadar Pro, and IT Pro Portal, where he has written news and features for over five years. Sead's experience also includes writing for inbound marketing, where he creates technology-based content for clients from London to Singapore. Sead is a HubSpot-certified content creator.