One in five businesses has not yet patched this critical vulnerability.
Even though Positive Technologies disclosed a critical vulnerability in Citrix software that put 80,000 businesses in 158 countries at risk, one in five businesses have yet to patch the flaw a month and a half after its disclosure.
In December of last year, Mikhail Klyuchnikov of Positive Technologies discovered the critical vulnerability CVE-2019-19781 in the Citrix Application Delivery Controller and Citrix Gateway. According to data from Positive Technologies, the United States, Germany, the United Kingdom, the Netherlands, and Australia had the highest number of potentially vulnerable organizations as of the end of 2019.
In January of this year, an exploit was made available that enables a potential attacker to launch automated attacks against any organization that has not patched the vulnerability.
Alexei Novikov, director of Positive Technologies’ Expert Security Center, stated in a press release that organizations must immediately patch their software to avoid falling victim to the exploit.
“The Citrix developers had planned to resolve the issue between January 27 and January 31, but they released a series of patches for different product versions a week earlier. The required update must be installed without delay. Follow Citrix’s security recommendations until then, which have been available since the vulnerability’s disclosure.”
Time to patch
19% of businesses are still at risk, even though this Citrix vulnerability is being patched expeditiously.
Positive Technologies reports that Brazil (43%), China (39%), Russia (35%), France (34%), Italy (33%), and Spain (25%) have the highest proportion of vulnerable businesses. The United States, the United Kingdom, and Australia are protecting themselves at a faster rate, but 21 percent of businesses in each country continue to use vulnerable devices without any security measures.
If the vulnerability remains unpatched and is exploited, an attacker could gain direct access to a company’s local network from the internet. Because the attack does not require access to employee or administrator accounts, any external attacker can perform it.
In addition to applying patches to vulnerable Citrix software, Positive Technologies advises businesses to employ application firewalls to protect against potential attacks.