Update on the Citrix Vulnerability, CVE-2019-19781

by Sarah Harvey / January 17th, 2020

On December 17, 2019, Citrix released information about a vulnerability tracked as CVE-2019-19781. This vulnerability lies in Citrix Application Delivery Controller (ADC), formerly known as NetScaler ADC, and Citrix Gateway, formerly known as NetScaler Gateway. Will the Citrix vulnerability impact your organization?

What We Know About CVE-2019-19781

CVE-2019-19781 allows unauthenticated remote attackers to execute arbitrary code on the exposed system. Because of where the Citrix vulnerability resides on the network, patching is critical. Citrix did not release a permanent patch until January 20, meaning Citrix left this vulnerability unpatched for over a month. Citrix did provide configuration steps to reduce the risk of exploitation for CVE-2019-19781 and stressed the importance of those mitigation steps. The Cybersecurity and Infrastructure Security Agency (CISA) also released a tool, available on GitHub, to check for this Citrix vulnerability.

Citrix 2019 Breach

This isn’t Citrix’s first security incident. In March 2019, the FBI informed Citrix that “they had reason to believe that international cyber criminals gained access to the internal Citrix network.” It was speculated the attackers used password spraying to gain access, impacting over 200 government agencies, oil and gas firms, and technology companies.

Forbes reports that Citrix provides VPN access and credentials to 400,000 organizations worldwide and 98% of the Fortune 500. When an organization like Citrix has a vulnerability, it’s not insignificant. Our penetration testers and auditors are watching this vulnerability closely.

More Resources

National Vulnerability Database Details on CVE-2019-19781 

Think Like a Hacker: Common Vulnerabilities Found in Networks

Reviewing Your Information Security Program for 2020