PoC for Citrix ADC/Netscaler vulnerability CVE-2019-19781

There is an unpatched vulnerability, CVE-2019-19781, in Citrix ADC (Application Delivery Controller, formerly Netscaler), and proof of concept (PoC) exploits for it have been available for a few days; honeypots are already under attack. I also got reports of intrusions into networks at German companies. Administrators responsible for Citrix ADC need to take action.


Vulnerability CVE-2019-19781 in Citrix ADC

The vulnerability CVE-2019-19781 ("Vulnerability in Citrix Application Delivery Controller and Citrix Gateway leading to arbitrary code execution") exists in Citrix Application Delivery Controller (NetScaler ADC) and Citrix Gateway (NetScaler Gateway).

Citrix (NetScaler) ADC is a load balancer and monitoring system. The Unified Gateway enables remote access to internal applications. This can include desktop applications as well as intranet or web applications.

The vulnerability, classified as critical, could allow a local, unprivileged attacker to execute unwanted code. Mikhail Klyuchnikov, security expert at Positive Technologies, discovered this critical vulnerability.

Widely used

The Citrix ADC/NetScaler is (according to feedback given to me by a specialist over the weekend) in use with at least 80,000 enterprise/government customers. All companies that rely on Citrix XenApp/XenDesktop to virtualize their applications usually also have a NetScaler in use.

On December 24, 2019, I reported on the problem, for which there is no patch available from Citrix so far, in the article Vulnerability in Citrix Apps put companies at risk. The support article CTX267679 – Mitigation steps for CVE-2019-19781 explains how administrators can make exploitation of the vulnerability more difficult in advance.

PoC and attacks

I had already noticed it on Friday or at the weekend: Citrix ADC administrators might get some grey hair now. Last Saturday, Catalin Cimpanu already pointed out that two proof of concept code examples for the vulnerability, now called Shitrix, are publicly available.


Cimpanu compiled the details in the linked ZDNet article. But in short: we know about the vulnerability, and there is no patch, just a workaround to mitigate it. At reddit.com there is a link collection pointing to articles with insights. And the SANS Institute has this article.

From security researcher Kevin Beaumont, I know that his Citrix ADC honeypots have been under attack for several days, with attacks targeting the CVE-2019-19781 vulnerability, and that the attackers are trying to gain access to sensitive information. It seems that on Friday or during the weekend the first German companies were hit by network intrusions.

German CERT-Bund issued another warning on Saturday about the vulnerability and today refers to the patch delivery dates announced by Citrix (20 – 31 January 2020). Administrators must therefore take action and use the workaround until these patches are delivered. But it seems that not all admins have been reached yet.

Catalin Cimpanu points out in the above tweet that more than 25,000 Citrix ADC (NetScaler) endpoints are vulnerable to CVE-2019-19781.

The above tweet indicates that TrustSec has released a scanner on GitHub that allows administrators to check if a server is vulnerable to attack via the CVE-2019-19781 vulnerability.

Addendum: In the following tweet, security researcher Kevin Beaumont points out a blog post by FireEye.

FireEye describes how and which attacks are made on industrial networks to exploit the Shitrix vulnerability.

Ouch: FreeBSD 8.4 (with EOL 1.8.2015)

The hair of some Citrix NetScaler admins might have turned even more grey. At the weekend I came across this tweet that sheds light on how vendors maintain their products:

Currently Julian is still waiting for an answer from Citrix, but that's not funny at all – imho.
