Today we posted a Security Bulletin covering a set of vulnerabilities in certain on-premises instances of Citrix Endpoint Management (CEM), often referred to as XenMobile Server.
The latest rolling patches that need to be applied for versions 10.9, 10.10, 10.11, and 10.12 are available immediately. Any versions prior to 10.9.x must be upgraded to a supported version with the latest rolling patch. We recommend that you upgrade to 10.12 RP3, the latest supported version.
We recommend these upgrades be made immediately. While there are no known exploits as of this writing, we do anticipate malicious actors will move quickly to exploit these vulnerabilities.
As such, prior to today’s Security Bulletin, we advised customers with current active maintenance to apply the latest rolling patches and saw a vast majority take our advice. Further, we have pre-briefed a number of major CERTs around the world.
Remediations have already been applied to cloud versions, but hybrid rights users need to apply the upgrades to any on-premises instance.
We remain committed to incorporating feedback from our customers and adapting our communication and customer support offerings as needed.
As noted in this blog post, we recently updated our vulnerability processes, and we published those updates on the Citrix Trust Center website. These updates include enhancements in our processes around international standard ISO/IEC 29147:2018; an opportunity to apply for pre-notification of security bulletins; and the Hall of Fame honoring those third parties that work collaboratively and responsibly with us to improve the security of our products.