Connect with us

Hi, what are you looking for?



Citrix Patches 11 Vulnerabilities in Networking Products

Citrix informed customers on Tuesday that it has patched 11 vulnerabilities in its ADC, Gateway, and SD-WAN networking products, and highlighted that the flaws are not related to CVE-2019-19781, which has been exploited in many attacks.

Citrix informed customers on Tuesday that it has patched 11 vulnerabilities in its ADC, Gateway, and SD-WAN networking products, and highlighted that the flaws are not related to CVE-2019-19781, which has been exploited in many attacks.

After publishing a security advisory describing the vulnerabilities, Citrix also published a blog post written by its CISO, Fermin J. Serna, in an effort to “avoid confusion and limit the potential for misinterpretation in the industry and our customer set.”

Serna pointed out that these newly patched vulnerabilities are not related to CVE-2019-19781, which hackers started exploiting in January, shortly after the flaw was disclosed. That security hole was exploited by both profit-driven cybercriminals and state-sponsored threat actors, and it caused a lot of problems for many organizations.

For CVE-2019-19781, Citrix initially released temporary mitigations due to the high risk of exploitation and released permanent patches only weeks later. In the case of the latest vulnerabilities, the company noted that they are fully addressed by the patches and it has found no evidence of malicious exploitation. The likelihood of exploitation is also considered lower.

The newly patched vulnerabilities affect Citrix ADC, Gateway, and the SD-WAN WAN Optimization (WANOP) edition, and they can be exploited for obtaining information, launching DoS attacks, local privilege escalation, XSS attacks, authorization bypass, and code injection.

While some of the flaws can be exploited by a remote and unauthenticated attacker, exploitation in most cases requires access to the targeted system, user interaction, or other preconditions. Moreover, cloud versions of the impacted products are not vulnerable to attacks.

Despite the reduced risk of attacks exploiting these flaws, Citrix has advised customers to implement its security recommendations and install the patches as soon as possible.

Advertisement. Scroll to continue reading.

“We are limiting the public disclosure of many of the technical details of the vulnerabilities and the patches to further protect our customers. Across the industry, today’s sophisticated malicious actors are using the details and patches to reverse engineer exploits. As such, we are taking steps to advise and help our customers but also do what we can to shield intelligence from malicious actors,” Serna said.

Related: Attacks on ADC Ramp Up as Citrix Releases Remaining Patches

Related: Organizations Quick to Patch Critical Citrix ADC Vulnerability

Related: Citrix Releases More Patches for Exploited Flaw, Tool to Detect Compromise

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.