Almost 6,000 unpatched Citrix NetScaler servers remain vulnerable to critical security flaw

A total of 5,915 Citrix servers remain unpatched against CVE-2019-19781, with 388 located in the UK

Almost 6,000 Citrix NetScaler servers remain unpatched against critical security flaw CVE-2019-19781 almost one month after Citrix belatedly released fixes.

A total of 5,915 systems worldwide remain unsecured, with 40 per cent of the total - 2,660 - located in the US. In the UK, the number stands at 388, down from 470 identified at the end of January.

That's according to scans performed by security intelligence firm Bad Packets, which indicate that companies are only slowly patching their installations, despite warnings that the security flaw could compromise entire corporate network infrastructures.

According to security specialists, CVE-2019-19781, if exploited, could enable an unauthenticated attacker to remotely access private network resources and execute arbitrary code. In effect, it represents an open door to the corporate network for attackers. Indeed, earlier in the new year, before Citrix finally issued patches, security researchers noted a surge in scans for vulnerable Citrix servers.

"This attack does not require access to any accounts, and therefore can be performed by any external attacker," said Mikhail Klyuchnikov, a researcher at Positive Technologies.

"This vulnerability allows any unauthorised attacker to not only access published applications, but also attack other resources on the company's internal network from the Citrix server."

While researchers have so far observed no exploitation of CVE-2019-19781, they have warned that attackers may have taken advantage of the security flaw to leave behind malware that they can exploit later.

The vulnerability affects Citrix Application Delivery Controller (ADC), Citrix Gateway, and Citrix SD-WAN WANOP appliances.

The bug was uncovered by Klyuchnikov in December and was reported to Citrix in the same month. Citrix was criticised for promoting mitigations, which scarcely mitigated the issue, rather than rushing out patches.

Indeed, the first patches were only released on 19th January, with the final patches issued on 24th January.

Bad Packets previously performed such scans at the end of January, just after Citrix released the last of its series of patches. Then, a total of 7,133 vulnerable Citrix servers worldwide were discoverable, with the US hosting 3,285 installations and the UK 474.

The results of the two scans by Bad Packets indicate that, despite the grave security risk posed by CVE-2019-19781, many organisations have been slow to apply the patches.