A critical flaw in software from Citrix Systems Inc, a company that pioneered remote access so people can work anywhere, has been exploited by government-backed hackers and criminal groups, according to a US cyber official.

The flaw, dubbed Citrix Bleed, was abused by hackers in secret for weeks before it was found and a fix was issued last month, according to Citrix online posts and cybersecurity researchers. Since then, researchers say hackers have accelerated their exploitation of the bug, targeting some of the thousands of customers that haven’t applied a patch.