UPDATED 21:47 EDT / JANUARY 27 2020

SECURITY

Patch now: Critical flaw in Citrix actively targeted by hackers

Hackers are actively targeting a critical flaw in software from Citrix Systems Inc. first uncovered last month, and users are being warned that even if they patch now, their systems may still be compromised.

Formally known as CVE-2019-19781, the flaw exposes networks using the Citrix Application Delivery Controller and Gateway products to unauthorized access and hacking.

Citrix released a permanent final fix for all products affected by the vulnerability on Friday, after previously releasing a number of product-specific patches. It’s encouraging all Citrix users to install the fixes as soon as possible.

Although the availability of patches for all affected products is a positive, they could prove too late for some users whose systems may already have been compromised without their realizing it.

Various cases have now been detected of hackers installing cryptomining malware and ransomware, in particular Ragnarok. In some cases, hackers were also found to have installed back doors on infected systems, giving them future access to targets even after the patch has been applied.

“I fully expect that in coming months we will learn about several more organizations who were hacked last week but currently don’t realize this,” Craig Young, computer security researcher for Tripwire Inc.’s vulnerability and exposure research team, told SiliconANGLE. “Attackers may spend weeks to months spreading out over a network before crippling it with ransomware, draining bank accounts through wire transfer fraud, or selling off stolen data in bulk.”

Despite the ongoing risks, Citrix users should absolutely install the patches if they haven’t done so already, since hackers are actively scanning Citrix installations for targets.

Exactly how many Citrix installs remain unpatched is not entirely clear, although Bleeping Computer reported Sunday that the GDI Foundation found 98,000 vulnerable Citrix endpoints exposed online.

Citrix users who are unsure whether they have been compromised are being encouraged to use the free Indicator of Compromise Scanning tool released by Citrix and FireEye Mandiant last week.

“The free tool, available under the Apache 2.0 open source license, provides customers with increased awareness of potential compromise related to the CVE-2019-19781 vulnerability on their systems,” Citrix said in a blog post. “The tool is designed to allow customers to run it locally on their Citrix instances and receive a rapid assessment of potential Indicators of Compromise based on known attacks and exploits.”

Photo: Citrix/Flickr
