Experts urge organizations to address festering critical Citrix flaw

“We have a working exploit, and it took us under a day to develop it,” one security expert told CyberScoop.
citrix adc vulnerability
Citrix has released patches for the bugs in its mobile-networking software.

It’s been more than two weeks since researchers went public with a critical vulnerability in products made by corporate VPN service provider Citrix that could give a hacker free rein over the many enterprise networks that use the software.

Now, with a complete patch for the vulnerability still unavailable, cybersecurity experts are exhorting organizations to address the issue.

“It’s extremely important to apply the mitigation steps and recognize that there is no patch for this,” said Dave Kennedy, founder of cybersecurity company TrustedSec, adding that he has already seen attackers scanning for vulnerable systems.

“We have a working exploit, and it took us under a day to develop it,” Kennedy told CyberScoop. “Attackers have the same capabilities.”


The flaw, discovered by cybersecurity company Positive Technologies, is in a Citrix cloud-based application delivery tool, as well as a product that allows remote access to the company’s applications. Based on the popularity of the software tools, Positive Technologies claimed that the vulnerability could affect tens of thousands of companies. CyberScoop has requested an estimate of the number of devices affected from Citrix.

“Lots of good security architectures appropriately rely on Citrix to reduce the attack surface significantly and now they are at significant risk,” Rob Joyce, a senior official at the National Security Agency, said in a tweet urging users to patch the vulnerability.

The challenge is there isn’t a full-fledged patch for the flaw, only a stop-gap measure, known as a “workaround,” that Citrix provided last month. The company has said it will release a firmware update to fully address the issue.

On Saturday, a day after this story was published, Citrix announced that it was still working on permanent patches for the product versions affected by the vulnerability, and that those would be rolled out over the next three weeks. “These fixes need to be comprehensive and thoroughly tested,” Citrix CISO Fermin J. Serna wrote in a blog post, explaining why the patches weren’t ready.


Serna contended that “a limited number of devices are exploitable” because “many deployments are behind the firewall.”

But Kennedy and other security experts strongly disputed the notion that only a small number of devices could be exploited.

Kennedy said that a patch from Citrix could address the full suite of security implications of the vulnerability — rather than just the directory traversal that the workaround addresses.

Meanwhile, researchers like Kennedy have quietly built exploits for the Citrix vulnerability in order to bolster defenses, much like they did for the critical BlueKeep vulnerability in old Windows operating systems that emerged last May.


Security company MDSec on Friday released its own study of the Citrix vulnerability and how it might be exploited.

“Due to the number of devices impacted, MDSec have decided to not provide a ready-made exploit for this vulnerability,” wrote Rio Sherri, a security consultant at the company.

“However, we are aware of multiple actors who have now weaponized this vulnerability and felt it important to share this research so others can take appropriate action,” Sherri added.

UPDATE, 01/13/20, 9:38 a.m. EDT: This story has been updated with a statement from Citrix. 

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts