On Dec. 16, the Health Sector Cybersecurity Coordination Center (HC3) issued a sector alert regarding Citrix ADC and Gateway vulnerabilities. The Department of Health and Human Services says that U.S. healthcare entities have already been compromised by the exploitation of this vulnerability.

The sector alert states that “Citrix released patches for a vulnerability that impacts both their Application Delivery Controller and Gateway platforms. This vulnerability allows a remote attacker to completely compromise a target system. These vulnerabilities are known to be actively exploited by a highly capable state-sponsored adversary.”

HC3 is urging healthcare and public health organizations to review their inventory for these systems and implement these patches.

The sector alert adds that “Citrix has recently patched what they describe as a ‘critical’ zero-day vulnerability in their Application Delivery Controller and Gateway. This vulnerability, which is actively compromised, allows an unauthenticated attacker to potentially execute commands remotely on vulnerable devices and completely compromise a system. This report contains the steps necessary to completely protect a system from potential compromise.”