25,000 Citrix Gateway Endpoints Now Vulnerable

Citrix has released an advisory for CVE-2019-19781, a vulnerability in Citrix Application Delivery Controller (ADC) and Citrix Gateway that could allow an unauthenticated attacker to execute code on the affected devices. Users are encouraged to apply the provided mitigation steps as quickly as possible. A patch is estimated to be available January 31st, 2020.

Citrix advised customers via the security bulletin in December, and priority and TRM customers also received proactive notification. Even so, using tools that scan the internet, Citrix has seen IP addresses that do not have the mitigation installed. Currently, over 25,000 Citrix endpoints are vulnerable to attacks targeting this flaw, with almost 1,000 found in the U.S. and thousands more in Germany, the United Kingdom, Switzerland, and Australia. As such, Citrix has recently begun contacting certain customers via email, advising them to install the mitigation.

We have started to experience this vulnerability being exploited to push malware/ransomware into customer environments.

What should you do?

If you haven’t already, it’s important that you apply the Citrix mitigation steps straight away. CISA’s test tool is an extremely useful way of finding out whether you are at risk. In the event you have been compromised and are looking for incident response assistance, please contact us below.

Resources:

Background - https://support.citrix.com/article/CTX267027

Citrix mitigation - https://support.citrix.com/article/CTX267679

Testing and validation tool - https://www.us-cert.gov/ncas/current-activity/2020/01/13/cisa-releases-test-citrix-adc-and-gateway-vulnerability