The US cybersecurity agency CISA says a security flaw in widely used Citrix products is being actively exploited by hackers, and it is giving other federal departments a day to patch their systems.
Security researchers have called the bug “Citrix Bleed 2” because of its similarities to the 2023 security flaw in Citrix Netscaler, a networking product that large companies and governments rely on to let staff remotely access apps and other resources on their internal networks. Like the earlier bug, Citrix Bleed 2 can be exploited remotely to extract sensitive credentials from affected Netscaler devices, allowing hackers to gain access to the wider network.
In an alert Thursday, CISA said there was evidence that the bug is being actively used in hacking campaigns, adding to the growing body of research and findings pointing to widespread exploitation, with some reported hacking going back to mid-June. Akamai said efforts to scan the internet for affected devices saw “a dramatic increase” after details of Netscaler exploits were released earlier this week.
CISA said the Netscaler bug poses a “significant risk” to federal systems and ordered federal agencies to patch Citrix devices affected by the bug by Friday.
Citrix has not yet acknowledged that the vulnerability is being exploited. The company's security advisory encourages customers to update affected devices as soon as possible.
Citrix representatives did not respond to TechCrunch's request for comment.