A newly discovered vulnerability in Citrix Systems Inc. software platforms exposes networks using the software to potential unauthorized access and hacking.

Discovered and published today by security researchers at Positive Technologies, the vulnerability relates to both the Citrix Application Delivery Controller and the Citrix Gateway.

CVE-2019-19781, as it’s officially known, has been ranked a 10. That’s the highest level possible for a vulnerability and affects all supported versions of Citrix platforms. Those include Citrix ADC and Citrix Gateway 13.0, Citrix ADC and NetScaler Gateway 12.1, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1, and Citrix NetScaler ADC and NetScaler Gateway 10.5.

Newly discovered vulnerabilities are a dime a dozen in software, but where the Citrix flaw stands out is that it’s said to be easy to exploit and does not require authentication. The vulnerability opens the door to arbitrary code execution by hackers that subsequently allows them to do as they please on a targeted system.

“Citrix applications are widely used in corporate networks,” explained Dmitry Serebryannikov, director of the security audit department at Positive Technologies. “This includes their use for providing terminal access of employees to internal company applications from any device via the Internet. Considering the high risk brought by the discovered vulnerability, and how widespread Citrix software is in the business community, we recommend information security professionals take immediate steps to mitigate the threat.”

The numbers of exposed systems is high given the popularity of Citrix among banking and financial institutions. At least 80,000 companies in 158 countries are potentially at risk due to the vulnerability with companies in the U.S. leading the pack followed by companies in the U.K., Germany, the Netherlands and Australia.

Citrix has confirmed the vulnerability but has yet to release new firmware to deal with it. Instead, the company is offering a number of mitigation measures to help address the issue. Suggested mitigation includes a range of commands that deny access to any potential hacker attempting to exploit the vulnerability.

Serebryannikov praised the response from Citrix. “The vendor responded very promptly, by creating and releasing a set of risk mitigation measures within just a couple of weeks after the vulnerability was discovered,” he said. “From our experience, we know that in many cases it can take months.”

In an interview with SiliconANGLE’s theCUBE at Amazon Web Services Inc.’s re:Invent conference in Las Vegas early this month, Marissa Schmidt, senior director of product management at Citrix Systems, explained how the company has an ongoing focus on security for its users:

Photo: Citrix/Flickr