Hackers are racing to exploit a Citrix bug that the company hasn’t patched yet

A fix is on the way, the company says.
(Citrix Systems / Flickr / CC BY-ND 2.0)

Over the course of a week, the security implications have grown more dire for a critical vulnerability in two popular products made by Citrix, a corporate virtual private network service provider used at many Fortune 500 companies.

The flaw exists in a Citrix cloud-based application delivery tool, as well as in a product that allows remote access to the company’s applications. Experts say that successful exploitation of the bug could allow a hacker to burrow into the many enterprise networks that use the software. The result could be the exposure or theft of corporate information from Citrix clients who otherwise trust technology provided by the $2.5 billion company.

First, experts said that attackers would soon begin exploiting the flaw. Citrix then issued an advisory assuring that its recommended stop-gap security measures would help address the issue. But as researchers warned that hackers had begun exploiting the vulnerability, Citrix updated its advisory to say that, in certain scenarios, the company’s mitigation techniques would not work. The company then told customers to switch to a different software compilation to avoid the issue.

Late on Thursday night, cybersecurity company FireEye revealed another plot twist: an unknown hacker, or set of hackers, was exploiting the vulnerability in a Citrix product, cleaning up other malware on that network, and planting their own code, likely as a backdoor for future access.


Eight times per second, the attacker’s code scans for files that match other attempts to exploit the Citrix vulnerability, and then blocks them, according to FireEye.

“FireEye believes that this actor may be quietly collecting access to [these Citrix] devices for a subsequent campaign,” the company said in a blog post.

Citrix meanwhile is preparing full security fixes for the bug to be released later this month, the company said.

It’s the kind of attacker-on-attacker slugfest that fascinates security analysts.


In one case, FireEye analysts said they saw a single device with the vulnerability being hacked by multiple actors. But after the backdoor-planting attacker entered the fray on Jan. 12, that entity blocked over a dozen other exploitation attempts of the vulnerability.

It’s unclear what the vigilante attacker’s end game is, but FireEye analysts don’t believe it’s benevolent.

“While we haven’t seen the actor return, we’re skeptical that they will remain a Robin Hood character protecting the internet from the shadows,” said FireEye’s William Ballenthin and Josh Madeley.

In an emailed statement, Citrix CISO Fermin J. Serna said that “despite a few reports to the contrary, these mitigations do work and are effective in thwarting attacks if all steps are followed.”

“We are encouraging our customers to immediately apply the mitigations and patches as soon as they become available and appreciate FireEye’s support in underscoring the importance of doing so,” Serna said, adding that the company has coordinated closely with its customers on the issue.


As Citrix was updating its security advisory, the Netherlands’ National Cybersecurity Centre was being explicit about what it said were the shortcomings of the security mitigations.

“The NCSC emphasizes that there is currently no good, guaranteed reliable solution for all versions of Citrix ADC and Citrix Gateway servers,” the Dutch agency said Thursday.

“Depending on the impact, the NCSC recommends considering switching off the Citrix ADC and Gateway servers,” the agency said.

Dave Kennedy, founder of cybersecurity company TrustedSec, said he knows Citrix clients who are doing just that.

“I’m in contact with a lot of Citrix customers and many have completely shut them down because they lack confidence in the mitigating controls,” Kennedy told CyberScoop.

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts