Skip to main content

Many businesses still haven't patched Citrix flaw

(Image credit: Shutterstock)

Despite the fact that Positive Technologies released an overview of a critical vulnerability in Citrix software that put 80,000 companies in 158 countries at risk, one out of every five companies have yet to take action to patch the flaw a month and a half after its disclosure.

The firm's Mikhail Klyuchnikov first discovered critical vulnerability CVE-2019-19781 in the Citrix Application Delivery Controller and Citrix Gateway in December of last year. At the end of 2019, the highest number of potentially vulnerable organizations are in the US as well as in Germany, Great Britain, the Netherlands and Australia according to Positive Technologies data.

In January of this year, an exploit was released that allows a potential attacker to carry out automatic attacks against any company that failed to fix the vulnerability.

Director of Positive Technologies' Expert Security Center, Alexei Novikov explained that organizations must patch their software immediately to avoid falling victim to the exploit in a press release, saying:

“The Citrix developers planned to resolve the issue on January 27 through January 31, but released a series of patches for various product versions a week before that. The necessary update must be installed as soon as possible. Until then, follow the security recommendations by Citrix, available since the information about the vulnerability was released.”

Time to patch

For the most part, this Citrix vulnerability is being fixed quickly though 19 percent of companies are still at risk.

The countries with the greatest number of vulnerable companies currently include Brazil (43%), China (39%), Russia (35%), France (34%), Italy (33%) and Spain (25%) according to Positive Technologies. Organizations in the US, Great Britain and Australia are protecting themselves at a faster pace but they each have 21 percent of companies that are still using vulnerable devices without any protection measures.

If the vulnerability is left unpatched and exploited, an attacker could obtain direct access to a company's local network over the internet. As this attack doesn't require access to employee or admin accounts, it can be performed by any external attacker.

In addition to patching affected Citrix software, Positive Technologies recommends that businesses use application firewalls to fend off any potential attacks.