Citrix releases fix for software bug that hackers ‘will move quickly to exploit’

The bugs are in Citrix software that allows clients to remotely connect to corporate networks with their mobile phones.
Citrix has released patches for the bugs in its mobile-networking software.

A newly revealed set of vulnerabilities in popular software made by Citrix, whose clients include Fortune 500 companies, could let hackers who exploit the bugs gain control of a mobile server and steal sensitive data.

The Florida-based company, which has dealt with multiple critical vulnerabilities this year, has released fixes for the new round of bugs and urged customers to apply them.

“While there are no known exploits as of this writing, we do anticipate malicious actors will move quickly to exploit,” Citrix CISO Fermin J. Serna wrote in a blog post Tuesday.

The bugs are in a software product known as Citrix Endpoint Management or XenMobile, which allows clients to remotely connect to corporate networks with their mobile devices. Exploiting one of the bugs could let a hacker steal domain account credentials for a corporate network, according to Andrey Medov, a security researcher at Positive Technologies, which found the flaw during a security audit for a client. From there, an attacker could target other company resources like corporate mail and web applications.

The concern is that, given the access the vulnerabilities could give hackers, it is only a matter of time before they reverse-engineer the software patches and develop exploits. Hackers had a field day with a critical bug in a different Citrix software product, revealed in December. In one case, Chinese spies used the software flaw to target multiple critical infrastructure industries.

It took Citrix a month to release a patch for that vulnerability in an episode that highlighted how corporate security can depend on the behavior of powerful software vendors.

Citrix is trying to head off that kind of exploitation of the latest vulnerabilities. Karen Master, a Citrix spokeswoman, said the company had alerted customers to the vulnerabilities weeks ago and that a large portion of those customers have applied a patch. Master declined to say how many customers were affected by the vulnerabilities.

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.