Xfinity waited to patch critical Citrix Bleed 0-day. Now it’s paying the price
(Image credit: Getty Images | Smith Collection/Gado)
Comcast waited as many as nine days to patch its network against a high-severity vulnerability, a lapse that allowed hackers to make off with password data and other sensitive information belonging to 36 million Xfinity customers.
The breach, which was carried out by exploiting a vulnerability in network hardware sold by Citrix, gave hackers access to usernames and cryptographically hashed passwords for 35.9 million Xfinity customers, the cable TV and Internet provider said in a notification filed Monday with the Maine attorney general's office. Citrix disclosed the vulnerability and issued a patch on October 10. Comcast didn't patch its network until October 16 at the earliest and October 19 at the latest, a lapse of six to nine days. On October 18, researchers reported that the vulnerability, tracked as CVE-2023-4966 and by the name Citrix Bleed, had been under active exploitation since August.
"However, we subsequently discovered that prior to mitigation, between October 16 and October 19, 2023, there was unauthorized access to some of our internal systems that we concluded was a result of this vulnerability," an accompanying notice stated. "We notified federal law enforcement and conducted an investigation into the nature and scope of the incident. On November 16, 2023, it was determined that information was likely acquired."
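The timeline in the article (vendor fix on October 10, Comcast's patch landing between October 16 and October 19, exploitation known since August) is the kind of record a patch-management team should be computing from automatically rather than reconstructing after a breach. The following is an added example, not code from Ars Technica, Comcast or Citrix: it takes a vulnerability record with the vendor fix date, the earliest and latest dates the organisation's own patch could have landed, and the earliest known in-the-wild exploitation date, then computes the patch lapse, the total exposure window, and whether a policy SLA was breached. The record layout, the `assess` and `worst_first` functions, the 3-day SLA, the second record and the exact August day (the article only says "August"; 2023-08-31 is a constructed latest-possible stand-in) are all assumptions.

```python
"""Patch-lapse and exposure-window calculator (added example, not from the article)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class VulnRecord:
    """One vulnerability as tracked by a patch-management team (constructed layout)."""
    cve: str
    vendor_fix: date                        # vendor advisory and patch published
    patched_earliest: date                  # earliest date our own fix could have landed
    patched_latest: date                    # latest date our own fix could have landed
    exploited_since: Optional[date] = None  # earliest known in-the-wild exploitation


@dataclass(frozen=True)
class ExposureReport:
    cve: str
    lapse_days_min: int          # vendor fix -> our earliest patch date
    lapse_days_max: int          # vendor fix -> our latest patch date
    exploited_before_fix: bool   # attackers were active before any patch existed
    exposure_days_max: int       # exploitation start (or vendor fix) -> our latest patch
    breaches_sla: bool           # lapse_days_max exceeds the policy SLA


def assess(rec: VulnRecord, sla_days: int) -> ExposureReport:
    """Compute lapse and exposure for one record; raises on inconsistent dates."""
    if rec.patched_earliest < rec.vendor_fix or rec.patched_latest < rec.patched_earliest:
        raise ValueError(f"{rec.cve}: inconsistent patch dates")
    lapse_min = (rec.patched_earliest - rec.vendor_fix).days
    lapse_max = (rec.patched_latest - rec.vendor_fix).days
    # The exposure window opens at the earlier of "attackers active" and
    # "fix available": for a 0-day exploited in the wild it opens before disclosure.
    exploited_before_fix = (rec.exploited_since is not None
                            and rec.exploited_since < rec.vendor_fix)
    window_start = rec.exploited_since if exploited_before_fix else rec.vendor_fix
    assert window_start is not None
    exposure_max = (rec.patched_latest - window_start).days
    return ExposureReport(rec.cve, lapse_min, lapse_max, exploited_before_fix,
                          exposure_max, lapse_max > sla_days)


def worst_first(reports: list[ExposureReport]) -> list[ExposureReport]:
    """Order findings so reviewers see the largest exposure window first."""
    return sorted(reports,
                  key=lambda r: (r.exposure_days_max, r.exploited_before_fix),
                  reverse=True)


# Dates from the article. The article only says exploitation began "in August";
# 2023-08-31 is a constructed latest-possible stand-in, so the exposure figure
# computed from it is a lower bound.
CITRIX_BLEED = VulnRecord(
    cve="CVE-2023-4966",
    vendor_fix=date(2023, 10, 10),
    patched_earliest=date(2023, 10, 16),
    patched_latest=date(2023, 10, 19),
    exploited_since=date(2023, 8, 31),
)

# Constructed second record with no known exploitation, to exercise the other branch.
ROUTINE_FIX = VulnRecord(
    cve="PLACEHOLDER-CVE",  # placeholder identifier, not a real CVE
    vendor_fix=date(2023, 10, 3),
    patched_earliest=date(2023, 10, 4),
    patched_latest=date(2023, 10, 5),
)

SLA_DAYS = 3  # constructed policy value for critical, exploited-in-the-wild flaws


def run() -> list[ExposureReport]:
    """Assess both constructed records against the SLA, worst exposure first."""
    return worst_first([assess(CITRIX_BLEED, SLA_DAYS), assess(ROUTINE_FIX, SLA_DAYS)])


if __name__ == "__main__":
    for report in run():
        print(report)
```

The point of tracking `exploited_since` separately from `vendor_fix` is visible in the Citrix Bleed record: the six-to-nine-day lapse after the patch existed is what the article counts, but the window in which an attacker could already have pulled session tokens from an unpatched device was several weeks longer, which is why an actively exploited 0-day should be driven by a tighter SLA than a routine fix.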