Almost 500 Citrix servers in the UK vulnerable to ransomware

But that's nothing - there's still more than 3,200 in the US that haven't been patched against the CVE-2019-19781 security flaw

More than 470 Citrix servers hosted in the UK are vulnerable to the CVE-2019-19781 critical security flaw - and seven times that number in the US.

A total of 7,133 vulnerable Citrix servers remain discoverable worldwide on the internet, according to scans by infosec professional Troy Mursch.

The servers are not just exposed to ransomware and other forms of malware and hacking, but may already have been compromised, with the attackers either biding their time before striking, or using the access they have already gained for industrial espionage and exfiltration of other data, rather than more high-profile activity.

Mursch, a Chicago, Illinois-based security specialist, runs the Bad Packets security consultancy.

https://twitter.com/bad\\_packets/status/1223303165270843392?ref\\_src=twsrc%5Etfw

The numbers are down on the 2,028 Mursch and Bad Packets uncovered two weeks ago, before the first fixes were finally pushed out, when the US also boasted 9,880 vulnerable Citrix servers.

However, both the US and UK have lagged behind Germany when it comes to applying the patches and scanning for potential signs of compromise using Citrix and FireEye's free scanner. Germany had 2,510 vulnerable servers two weeks ago, the second-highest number of any country around the world, but today has 238.

CVE-2019-19781 is rated 9.8 out of 10 for severity under CVSS 3.x vulnerability metrics. It affects Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0 software, and enables an unauthenticated attacker to perform arbitrary code execution.

This security flaw is about as serious as they come.

Although the flaw was identified before Christmas, Citrix only pushed out its final patches on Friday last week, amid criticism that it had not moved fast enough. Users of the software had been advised to take their installations offline, pending delivery of the patches.

Most chose to ignore that advice, given the disruption it would cause to operations, even as hacking groups switched their attention from unpatched Pulse Secure VPN servers to vulnerable Citrix servers.

Indeed, the National Cyber Security Centre of the Netherlands even urged users to switch off their Citrix ADC and Gateway servers as the mitigation recommendations issued by Citrix, they warned, were ineffective.