Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Citrix Releases First Patches for Critical ADC Vulnerability

Citrix has started rolling out security patches for the recently revealed Citrix Application Delivery Controller (ADC) and Citrix Gateway vulnerability.

Citrix has started rolling out security patches for the recently revealed Citrix Application Delivery Controller (ADC) and Citrix Gateway vulnerability.

Disclosed in December 2019 and tracked as CVE-2019-19781, the vulnerability could be exploited to achieve code execution. The issue impacts versions 13.0, 12.1, 12.0, 11.1, and 10.5 of both Citrix ADC and Gateway (previously known as NetScaler ADC and NetScaler Gateway).

The vulnerability is already being exploited in live attacks, which does not come as a surprise, since PoC exploits targeting CVE-2019-19781 were published last week.

On Sunday, Citrix announced that it has released “permanent fixes for ADC versions 11.1 and 12.0.”

“These fixes also apply to Citrix ADC and Citrix Gateway Virtual Appliances (VPX) hosted on any of ESX, Hyper-V, KVM, XenServer, Azure, AWS, GCP or on a Citrix ADC Service Delivery Appliance (SDX). SVM on SDX does not need to be updated,” Citrix Chief Information Security Officer Fermin J. Serna reveals.

He also explains that customers need to upgrade ADC and Gateway 11.1 instances (MPX or VPX) to build to install the patches, while ADC and Gateway 12.0 instances (MPX or VPX) should be updated to build

Additionally, Serna notes that Citrix is now targeting January 24 for the release of security fixes for ADC and Gateway versions 12.1, 13, and 10.5, as well as for Citrix SD-WAN WANOP versions 10.2.6 and 11.0.3.

“We urge customers to immediately install these fixes. There are several important points to keep in mind in doing so. These fixes are for the indicated versions only, if you have multiple ADC versions in production, you must apply the correct version fix to each system,” Serna continues.

In December, Citrix published information on the steps organizations can take to mitigate the risk of being exposed to CVE-2019-19781. Until patches are available for them, customers should apply those mitigations.

The mitigations, Serna says, are “effective across all known scenarios,” but customers are advised to apply the permanent fixes for CVE-2019-19781 as soon as possible.

Related: Attacker Installs Backdoor, Blocks Others From Exploiting Citrix ADC Vulnerability

Related: Exploits Published for Citrix ADC Vulnerability, Patches Coming Soon

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.


Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.