Xfinity waited 13 days to patch critical Citrix Bleed 0-day. Now it's paying the price

A Comcast Xfinity service van in San Ramon, California on February 25, 2020. (credit: Getty Images | Smith Collection/Gado)

Comcast waited 13 days to patch its network against a high-severity vulnerability, a lapse that allowed hackers to make off with password data and other sensitive information belonging to 36 million Xfinity customers.

The breach, which was carried out by exploiting a vulnerability in network hardware sold by Citrix, gave hackers access to usernames and cryptographically hashed passwords for 35.9 million Xfinity customers, the cable TV and Internet provider said in a notification filed Monday with the Maine attorney general's office. Citrix disclosed the vulnerability and issued a patch on October 10. Eight days later, researchers reported that the vulnerability, tracked as CVE-2023-4966 and by the name Citrix Bleed, had been under active exploitation since August. Comcast did not patch its network until October 23, 13 days after a patch became available and 5 days after the report of the in-the-wild attacks exploiting it.

"However, we subsequently discovered that prior to mitigation, between October 16 and October 19, 2023, there was unauthorized access to some of our internal systems that we concluded was a result of this vulnerability," an accompanying notice stated. "We notified federal law enforcement and conducted an investigation into the nature and scope of the incident. On November 16, 2023, it was determined that information was likely acquired."
