Hackers Scanning for Citrix Systems Affected by Recent Vulnerabilities

Hackers are apparently scanning the web for systems affected by the recently disclosed Citrix vulnerabilities, which the vendor suggested are less likely to be exploited.
Citrix informed customers earlier this week that it has patched a total of 11 vulnerabilities affecting its ADC, Gateway, and SD-WAN WANOP networking products. The flaws can be exploited for local privilege escalation, DoS attacks, authorization bypass, code injection, and XSS attacks.

While some of the vulnerabilities can be exploited remotely without authentication, the vendor highlighted that many of them require access to the targeted system, user interaction, or other preconditions. Citrix also pointed out that the latest issues are not related to CVE-2019-19781, a vulnerability that various threat groups have been exploiting since January.

In addition to its advisory, Citrix published a blog post written by its CISO, Fermin J. Serna, to “avoid confusion and limit the potential for misinterpretation in the industry and our customer set.” Serna downplayed the impact of the flaws, suggesting that they are less likely to be exploited compared to CVE-2019-19781.

He also noted that the latest issues are fully addressed by the patches, unlike CVE-2019-19781, for which the company initially released only temporary mitigations due to the high risk of exploitation.

However, Johannes Ullrich, dean of research at the SANS Technology Institute, reported on Thursday that a honeypot set up to capture attacks aimed at F5 Networks’ BIG-IP systems recorded attempts to exploit two of the recent Citrix vulnerabilities.

Ullrich says the honeypot has been hit by attempts to download files and obtain information, which are likely part of scans looking for vulnerable Citrix systems.

The expert said it was unclear which of the 11 CVEs are targeted, but he believes the most likely candidates are CVE-2020-8195 and CVE-2020-8196. Both security holes have been described as information disclosure issues whose exploitation requires authentication on the NSIP, the IP address at which a Citrix ADC appliance can be accessed for management purposes.

CVE-2020-8195 and CVE-2020-8196, along with three others of the 11 vulnerabilities patched by Citrix this week, were reported to the vendor by researcher Donny Maasland, who has published a blog post describing his findings in detail.

While Citrix said it was not disclosing any technical information in order to prevent exploitation, Maasland disagrees with this approach. He also noted that his research targeted the NSIP, which should not be exposed to the internet.

“I firmly believe that when you don’t provide technical details about vulnerabilities you are preventing defensive teams from creating proper detection and mitigation measures against security issues as well as preventing new security analysts and developers from learning from past mistakes. If other people hadn’t created write-ups of the vulnerabilities they found, I wouldn’t have been able to find these results you see here today,” the researcher said.

“Furthermore, you will see that everything I’m disclosing here isn’t exactly rocket science. I’m even willing to bet most of these vulnerabilities have been known to other people for a while now,” he added.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
