Security Experts:

Connect with us

Hi, what are you looking for?



Citrix Patches Critical Vulnerability in ADC, Gateway

Citrix this week released patches for a couple of vulnerabilities affecting Citrix ADC, Gateway, and SD-WAN, including a critical bug leading to denial of service (DoS).

Citrix this week released patches for a couple of vulnerabilities affecting Citrix ADC, Gateway, and SD-WAN, including a critical bug leading to denial of service (DoS).

The most severe of the two bugs is CVE-2021-22955, a critical security hole that could lead to a DoS condition on appliances that have been configured as a VPN (Gateway) or AAA virtual server.

The security flaw was identified in Citrix Application Delivery Controller (ADC, formerly NetScaler ADC), and Gateway (formerly NetScaler Gateway).

Tracked as CVE-2021-22956, the second flaw could lead to the temporary disruption of the Management GUI, Nitro API, and RPC communication.

Considered low severity, the bug affects ADC and Gateway, as well as SD-WAN WANOP edition models 4000-WO, 4100-WO, 5000-WO, and 5100-WO, Citrix explains in an advisory.

Citrix addressed both vulnerabilities in ADC and Gateway 13.1-4.43 and later releases of 13.1, 13.0-83.27 and later releases of 13.0, 12.1-63.22 and later releases of 12.1, and 11.1-65.23 and later releases of 11.1, and in ADC 12.1-FIPS 12.1-55.257 and later releases of 12.1-FIPS.

CVE-2021-22956, Citrix says, was addressed in SD-WAN WANOP Edition 11.4.2 and later releases of 11.4, and 10.2.9c and later releases of 10.2.

“Please note that the WANOP feature of SD-WAN Premium Edition is not impacted,” Citrix notes.

Affected Citrix customers are encouraged to install the available patches as soon as possible.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has urged users and administrators to review Citrix’s advisory and apply the necessary updates.

Related: Citrix Patches Hypervisor Vulnerabilities Allowing Host Compromise

Related: Citrix Patches DoS Vulnerabilities in Hypervisor

Related: Citrix Releases Updates to Prevent DDoS Attacks Abusing Its Appliances

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.