Critical flaw in Citrix applications could allow unauthorized access to internal networks
A critical vulnerability has been discovered in Citrix’s Application Delivery Controller (ADC) and Gateway products that could give attackers unauthorized access to enterprise networks as well as the ability to run code on them.
Security company Positive Technologies, which first discovered the flaw, says the vulnerability spans several years’ worth of Citrix technology. It estimates that “at least 80,000 companies in 158 countries are potentially at risk.”
Citrix’s ADC is a cloud-based application delivery and load balancing tool, while Gateway allows remote access to a company’s applications. The vulnerability affects Citrix ADC and Citrix Gateway 13.0, 12.1, 12.0, 11.1, and 10.5.
“Considering the high risk brought by the discovered vulnerability, and how widespread Citrix software is in the business community, we recommend information security professionals take immediate steps to mitigate the threat,” Dmitry Serebryannikov, director of the security audit department for Framingham, Massachusetts-based Positive Technologies, said in a blog post.
Citrix released a security bulletin on Dec. 17 addressing the issue, urging customers to apply Citrix’s stopgap mitigation, which blocks certain SSL VPN requests. The company says it will release a firmware update for the appliance to fully fix the issue, though it has given no date for when that update will be issued.
Positive Technologies also writes that using a web application firewall could help fend off potential attacks.
The vulnerability is tracked as CVE-2019-19781.