A critical flaw has been discovered in two Citrix products, placing 80,000 companies in 158 countries at risk.
The easily exploitable vulnerability could allow attackers to obtain direct access to a company’s local network and to access a company’s credentials.
It could also be used to launch denial of service and phishing attacks and to implant malware that could lead to cryptocurrency mining.
Positive Technologies expert Mikhail Klyuchnikov found the vulnerability in Citrix Application Delivery Controller (formerly known as NetScaler ADC) and in Citrix Gateway (formerly known as NetScaler Gateway).
This vulnerability affects all supported versions of the products, and all supported platforms, including Citrix ADC and Citrix Gateway 13.0, Citrix ADC and NetScaler Gateway 12.1, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1, and also Citrix NetScaler ADC and NetScaler Gateway 10.5.
What makes the weakness especially dangerous is that it can be used to launch an attack that does not require access to any accounts, meaning it can be mounted by any external attacker.
Depending on the specific configuration, Citrix applications can be used for connecting to workstations and critical business systems (including ERP). In almost every case, Citrix applications are accessible on the company network perimeter, and are therefore the first to be attacked.
This newly unearthed vulnerability allows any unauthorized attacker to not only access published applications, but also attack other resources of the company’s internal network from the Citrix server.
Citrix is notifying customers and channel partners about this potential security issue, for which a fix is still forthcoming.
The company has urged customers to upgrade all of their vulnerable appliances to a fixed version of the appliance firmware as soon as it is released. It has also set up an alert system, which customers can subscribe to so that they will learn as quickly as possible when a fix has been found.
Dmitry Serebryannikov, director of the security audit department at Positive Technologies, said: “Citrix applications are widely used in corporate networks. This includes their use for providing terminal access of employees to internal company applications from any device via the Internet.
“Considering the high risk brought by the discovered vulnerability, and how widespread Citrix software is in the business community, we recommend information security professionals take immediate steps to mitigate the threat.”