13 July 2020

Hackers are attempting to exploit recent Citrix vulnerabilities

Threat actors are actively scanning the web in search of systems impacted by the recently disclosed Citrix vulnerabilities.

Last week, Citrix released security updates to address a set of 11 vulnerabilities affecting its Citrix ADC, Citrix Gateway, and Citrix SD-WAN WANOP (appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO) networking products. One of the flaws (CVE-2020-8194) could be exploited for remote code execution, while others could result in information disclosure or could allow a remote user to escalate privileges on the system.

While some of the patched flaws can be exploited remotely without authentication, Citrix CISO Fermin J. Serna explained in a blog post that many of them have “barriers to exploitation”, such as requiring that the attacker already have access to the targeted system, user interaction, and other preconditions. Serna also pointed out that, for this reason, the flaws are less likely to be exploited than CVE-2019-19781, a vulnerability that various hacker groups have been actively exploiting since the start of this year.

However, Johannes Ullrich, head of research at the SANS Technology Institute, said that one of the honeypots he set up to capture attacks against the recently disclosed flaw in F5 Networks’ BIG-IP systems was being targeted by attackers attempting to exploit two of the recent Citrix vulnerabilities.

“As of today, my F5 honeypot is getting hit by attempts to exploit two of the Citrix vulnerabilities disclosed this week. Details with proof of concept code snippets were released yesterday,” the researcher said.

“It is not clear exactly which CVE was assigned to which vulnerability, but the possible candidates are CVE-2020-8195 and CVE-2020-8196.”

Both vulnerabilities have been described as information disclosure issues whose exploitation requires authentication on the NSIP, the IP address at which a Citrix ADC appliance can be accessed for management purposes.

“The vulnerability isn't all that ‘bad.’ It is not allowing access to anything else. But it could very well be used to identify unpatched devices,” Ullrich pointed out.
