
Hackers Scanning for Citrix Systems Affected by Recent Vulnerabilities

Hackers are apparently scanning the web for systems affected by the recently disclosed Citrix vulnerabilities, which the vendor suggested are less likely to be exploited.

Citrix informed customers earlier this week that it had patched a total of 11 vulnerabilities affecting its ADC, Gateway, and SD-WAN WANOP networking products. The flaws can be exploited for local privilege escalation, DoS attacks, authorization bypass, code injection, and XSS attacks.

While some of the vulnerabilities can be exploited remotely without authentication, the vendor highlighted that many of them require access to the targeted system, user interaction, or other preconditions, and also pointed out that the latest issues are not related to CVE-2019-19781, a vulnerability that various threat groups have been exploiting since January.

In addition to its advisory, Citrix published a blog post written by its CISO, Fermin J. Serna, to “avoid confusion and limit the potential for misinterpretation in the industry and our customer set.” Serna downplayed the impact of the flaws, suggesting that they are less likely to be exploited compared to CVE-2019-19781.

He also noted that the latest issues are fully addressed by the patches, unlike CVE-2019-19781, for which the company initially released only temporary mitigations due to the high risk of exploitation.

However, Johannes Ullrich, dean of research at the SANS Technology Institute, reported on Thursday that a honeypot set up to capture attacks aimed at F5 Networks’ BIG-IP systems recorded attempts to exploit two of the recent Citrix vulnerabilities.

Ullrich says the honeypot has been hit by attempts to download files and obtain information, which are likely part of scans looking for vulnerable Citrix systems.

The expert said it was unclear which of the 11 CVEs are targeted, but he believes the most likely candidates are CVE-2020-8195 and CVE-2020-8196. Both security holes have been described as information disclosure issues whose exploitation requires authentication on the NSIP, the IP address at which a Citrix ADC appliance can be accessed for management purposes.

CVE-2020-8195 and CVE-2020-8196, along with three others of the 11 vulnerabilities patched by Citrix this week, were reported to the vendor by researcher Donny Maasland, who has published a blog post describing his findings in detail.

While Citrix said it was not disclosing any technical information in order to prevent exploitation, Maasland disagrees with this approach, and he noted that his research targeted the NSIP, which should not be exposed to the internet.

“I firmly believe that when you don’t provide technical details about vulnerabilities you are preventing defensive teams from creating proper detection and mitigation measures against security issues as well as preventing new security analysts and developers from learning from past mistakes. If other people hadn’t created write-ups of the vulnerabilities they found, I wouldn’t have been able to find these results you see here today,” the researcher said.

“Furthermore, you will see that everything I’m disclosing here isn’t exactly rocket science. I’m even willing to bet most of these vulnerabilities have been known to other people for a while now,” he added.


Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
