Chinese government-backed hackers are exploiting a zero-day vulnerability in two widely used Citrix networking products to gain access to systems, the US government has warned.
According to the National Security Agency (NSA), the vulnerability allows hackers to remotely run malicious code on vulnerable devices — no passwords needed.
The desktop virtualisation company also admitted the bug is being actively exploited by threat actors.
“We are aware of a small number of targeted attacks in the wild using this vulnerability,” said Peter Lefkowitz, chief security and trust officer at Citrix.
“Limited exploits of this vulnerability have been reported,” he added in a Blog post.
The company has released security updates for both products — Citrix ADC, an application delivery controller, and Citrix Gateway, a remote access tool.
“As part of our internal reviews and in working with our security partners, we have identified vulnerabilities in Citrix ADC and Citrix Gateway 12.1 and 13.0 before 13.0-58.32 builds,” said the company.
Customers are urged to install the recommended builds immediately as this vulnerability has been identified as critical and aceno workarounds are available for this vulnerability”.
According to an NSA advisory, APT5, a Chinese hacking group, has been actively targeting Citrix application delivery controllers (ADCs).
“Targeting Citrix ADCs can facilitate illegitimate access to targeted organisations by bypassing normal authentication controls,” read the advisory.
“Move all Citrix ADC instances behind a VPN or other capability that requires valid user authentication (ideally multi-factor) prior to being able to access the ADC and isolate the Citrix ADC appliances from the environment to ensure any malicious activity is contained,” the NSA recommended.