Citrix starts releasing permanent fixes for critical controller vulnerability

Citrix is urging infosec pros to quickly install fixes to versions of its Application Delivery Controller released Sunday to plug a vulnerability that is already being exploited by attackers.

“We urge customers to immediately install these fixes,” the company said on its website.

There are several versions of the controller, it added, and administrators have to apply the correct version fix to each system.

The patches are the first of several permanent fixes being released for the Citrix ADC, formerly known as NetScaler ADC, and Citrix Gateway, formerly known as NetScaler Gateway, and certain deployments of two older versions of Citrix SD-WAN WANOP product versions 10.2.6 and version 11.0.3 that, if exploited, could allow an unauthenticated attacker to perform arbitrary code execution.

Until now admins could only apply mitigations to the vulnerability, called CVE-2019-19781, first announced on December 17.


Vulnerabilities found in Citrix products

The initial permanent fixes for ADC versions 11.1 and 12.0 are available as downloads here and here. Citrix says they also apply to Citrix ADC and Citrix Gateway Virtual Appliances (VPX) hosted on any of ESX, Hyper-V, KVM, XenServer, Azure, AWS, GCP or on a Citrix ADC Service Delivery Appliance (SDX). SVM on SDX does not need to be updated.

All Citrix ADC and Citrix Gateway 11.1 instances (MPX or VPX) have to be upgraded to build to install the security vulnerability fixes. It is necessary to upgrade all Citrix ADC and Citrix Gateway 12.0 instances (MPX or VPX) to build to install the security vulnerability fixes.

Permanent fixes for other ADC versions and for SD-WAN WANOP will be released sooner than previously announced. The patches for ADC version 12.1, version 13 and 10.5 will all now be released January 24. In the meantime, the previously announced mitigations need to be applied for those products.

According to FireEye it hasn’t taken long for attackers to try to exploit the vulnerability.

“After analyzing dozens of successful exploitation attempts against Citrix ADCs that did not have the Citrix mitigation steps implemented, we’ve recognized multiple groups of post-exploitation activity,” FireEye said last week.

Interestingly, it added, one threat actor has recently been getting into Citrix devices vulnerable to this exploit and blocking others from using it. At the same time, though, it deploys a previously-unseen backdoor to NetScaler devices. FireEye suspects that attackers may be quietly collecting access to NetScaler devices for a subsequent campaign.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now