Sensitive vulnerability Citrix actively abused by cyber criminals


A vulnerability in various Citrix solutions, often referred to as the home working environment for larger organizations, appears to be actively exploited by cyber criminals to break into corporate networks. Citrix has still not released a solution to the problem. It is therefore possible to abuse the weakness.

Opportunities for criminals

With the vulnerability, also called CitrixMash by researchers, it is possible for an attacker to access a Citrix environment that is connected to the internet without login details.

No solution for Citrix customers yet

The vulnerability was announced on 17 December 2019 on the Citrix support website ( Because of Citrix, there is still no patch that definitively solves the problem and several large organizations are vulnerable.

What products are we talking about?

The vulnerability is located in the Application Delivery Controller (ADC), NetScaler and Citrix Gateway solutions developed by Citrix and applies to all versions from 10.5, 11.1, 12.0 up to and including 13.0.

However, on 11 January 2020 Citrix published a so-called ‘Fix Timeline’ indicating which version can expect a patch at which time. The first fix is not expected until January 20 for one of the Citrix versions (version 11.1). The patches for other versions are expected later in January.

Attacks possible in the Netherlands

Researchers from the NFIR CERT have conducted research into various vulnerable Citrix servers in the Netherlands using open sources. It was found that of the 5800 publicly identified Citrix environments in the Netherlands, 1300 to date are vulnerable to attacks from outside with this new vulnerability.

Mitigating measures

Until the updates for the various vulnerable versions of Citrix environments are released, Citrix and the NCSC recommend taking so-called emergency measures to prevent attacks – these emergency measures ensure that the vulnerability can no longer be abused.

The following steps need to be taken to protect the Citrix environments:

  1. Map out which Citrix environments are available within the organisation that can be accessed directly from the internet
  2. Carry out the mitigating measures issued by Citrix on each Citrix server to which the vulnerability applies.
  3. Restart the Citrix environment to apply mitigating measures

More information about these emergency measures can be found at

Do you suspect that you have become a victim as a result of this vulnerability or do you suspect that your organisation has been hacked? Then contact the NFIR Incident Response team.

Security incident? Get acquainted with incident response

Our incident response team is available 24/7 to identify and resolve any cyber incident

  • Triage: the aim of this step is to identify the source(s) and affected devices and/or systems, set priorities based on these and determine the plan of approach for further research. At the same time, data is safeguarded in a forensic way for possible further investigation.
  • Containment:this process involves restoring affected devices and/or systems and verifying security so normal operations can resume.
  • Post incident activities: When the incident is resolved, a forensic investigation report is prepared. The report proposes solutions to prevent a similar event from occurring in the future. NFIR can also support and/or advise in the communication towards the Data Protection Authority, attorney at law and other parties involved.

The NFIR team consists of a team of digital forensic investigators, ethical hackers and team leads who have extensive experience with cyber security incident response. After notification of the security incident, a team is put together that expresses its opinion. The size of the team depends on the type of cyber incidents. Of course, all members of the team will work forensically during this process.

We stand for communicating in clear language with our customers. In this way we also report our findings. In addition, we aspire to the ‘numbers tell the tale’ approach, which enables us to help you in a targeted way by means of various types of research. The approach also includes further development of our services. As a result, our services keep in line with changing practice.

NFIR stands for offering technical and organisational support, security services and training. With our knowledge and experience we can provide you with technical advice and advise you on the procedures and processes of information security. Enabling NFIR helps you to increase the resilience of your organisation’s cyber security in several areas.

More information