Citrix issues first of several patches for critical bug

With hackers exploiting a critical bug in its products, Citrix has expedited its timeline for patching.
(Citrix Solutions / Flickr / CC BY-ND 2.0 )

With hackers actively exploiting a critical vulnerability in its products, corporate virtual private network provider Citrix on Sunday issued the first of several patches for that flaw, and accelerated the timeline for releasing other fixes.

In a statement, Citrix chief information security officer Fermin J. Serna urged customers to apply the latest patches, and said that the company had increased staffing should customers need help installing the new software.

Experts say that successful exploitation of this bug could allow a hacker to burrow into the many Fortune 500 company networks that rely on the software, creating an opportunity for data theft. A flaw in VPN services, in particular, could result in the exposure of sensitive corporate information that victims incorrectly believe is protected behind an additional layer of security.

The Department of Homeland Security’s cybersecurity division on Monday advised Citrix customers to “upgrade their vulnerable appliances as soon as possible.”


The patches released Sunday cover certain versions of Citrix’s application delivery tool, as well as a product that allows remote access to the company’s apps. Citrix also will release patches for other versions of the affected products in the coming days, Serna said, including a fix for one of its Wide Area Network products that is also affected by the vulnerability.

The patches are welcome news for Citrix customers and the security professionals who support them. Cybersecurity analysts reported multiple cases of the vulnerability being exploited in the wild. In one case, an attacker was compromising a vulnerable Citrix product and planting its own code on the network, possibly as a backdoor for future use, according to security company FireEye.

The temporary mitigation measures that Citrix recommended while it prepared patches were not effective in some cases, according to the Netherlands’ national cybersecurity agency. That reportedly led some customers to switch off their affected Citrix gear, rather than apply the mitigation.

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts