CVE-2019-19781

Citrix ADC/NetScaler — Path Traversal Enables Unauthenticated Remote Code Execution; 6-Week Unpatched Window Drives Mass Exploitation
🔥 CVSS 3.1  9.8 / 10 — CRITICAL 🔴 CISA Known Exploited Vulnerability

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on November 3, 2021. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2019-19781 is a critical path traversal and remote code execution vulnerability in Citrix Application Delivery Controller (ADC, formerly NetScaler ADC) and Citrix Gateway. An unauthenticated attacker can traverse the VPN virtual server file system and execute arbitrary OS commands by chaining a directory traversal with a Perl CGI script execution — all without credentials.

The vulnerability's timeline is unusual: Citrix disclosed it on December 17, 2019 with no patch available, providing only configuration-based mitigations. Public exploitation began on January 11, 2020 when proof-of-concept code was released, and mass exploitation occurred over a six-week window before patches for all versions were released. Nation-state groups including IRIDIUM (Sandworm) and APT41 exploited it alongside criminal ransomware operators and cryptomining botnets. Approximately 80,000 Citrix ADC/Gateway appliances were estimated to be internet-exposed and vulnerable at peak.

What Is Citrix ADC / NetScaler?

Citrix ADC (Application Delivery Controller), formerly NetScaler, is an enterprise network appliance providing load balancing, SSL VPN, reverse proxy, and application security services. Citrix Gateway (formerly NetScaler Gateway) is the SSL VPN component, providing remote access to internal applications. These appliances are perimeter devices deployed by enterprises, government agencies, and healthcare organizations as the internet-facing gateway for remote access — making them extremely high-value targets whose compromise provides immediate access to internal networks.

Affected Versions

Product                        Vulnerable Versions             Fixed Versions
Citrix ADC and Citrix Gateway  10.5, 11.1, 12.0, 12.1, 13.0    13.0.47.24+, 12.1.55.18+, 12.0.63.13+, 11.1.63.15+, 10.5.70.12+
Citrix SD-WAN WANOP            10.2.6, 11.0.3                  10.2.6.19.5+, 11.0.3.29.5+

Citrix ADC and Gateway versions below 10.5 are end-of-life.

Technical Details

Root Cause: Path Traversal to CGI Execution

The vulnerability is exploited in two steps against Citrix ADC's VPN web interface:

Step 1 — Directory Traversal: Citrix ADC's VPN virtual server exposes a web interface at /vpns/. The web application fails to sanitize path traversal sequences (../) in certain URL paths. An attacker can traverse outside the /vpns/ directory using requests like:

GET /vpns/../vpns/portal/scripts/newbm.pl HTTP/1.1

This reaches Perl CGI scripts that are located outside the intended web root directory but accessible via traversal.

Step 2 — CGI Script Execution with Attacker Parameters: The Perl script newbm.pl (a "new bookmark" script for VPN portal customization) accepts HTTP POST parameters and processes them without sufficient input validation. By sending crafted parameters to this script via the traversal path, an attacker can inject OS commands that are executed by the Perl interpreter running as the web server process (typically root or a highly privileged account on Citrix ADC).

A combined exploit request:

POST /vpns/../vpns/portal/scripts/newbm.pl HTTP/1.1
Host: target.citrix.example.com
NSC_USER: ../../../netscaler/portal/templates/cmd
NSC_NONCE: [nonce]

url=http://attacker.com/&title=[TEMPLATE_PAYLOAD]&desc=x&UI_inuse=RfWebUI

The actual exploitation technique involves writing a template file via the traversal and then fetching it to trigger template evaluation with embedded OS commands.
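The traversal described above leaves a recognizable trace in web logs, and the Recommended Actions below ask operators to review /var/nslog/httperror.log and /var/nslog/ns.log for it. The following Python script is an added example written for this page, not Citrix code or the original author's: it percent-decodes each request path, normalizes it so that "../" sequences collapse to the location they actually reach, and flags requests that land in /vpns/ (and in particular the portal Perl CGI directory) by way of a traversal. The log lines are constructed in a combined-log-like shape for the demonstration; the real layout of the Citrix log files may differ, so LOG_RE is an assumption to adapt. Because matching is done on the decoded, normalized path rather than the raw string, it also catches encoded forms of the same request, which goes slightly beyond the single request shown in the text.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed sample lines (not real appliance logs). Two traversal requests
# from one client, one harmless traversal into static content, two benign hits.
SAMPLE_LOG = """\
203.0.113.7 - - [11/Jan/2020:10:15:32 +0000] "GET /vpn/index.html HTTP/1.1" 200 1842
203.0.113.7 - - [11/Jan/2020:10:15:33 +0000] "GET /vpns/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 312
203.0.113.7 - - [11/Jan/2020:10:15:34 +0000] "POST /vpns/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 512
198.51.100.4 - - [11/Jan/2020:10:16:01 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 9031
198.51.100.4 - - [11/Jan/2020:10:16:05 +0000] "GET /vpn/../static/style.css HTTP/1.1" 200 2210
"""

# Assumed combined-log layout: client, ident, user, [timestamp], "METHOD URL PROTO", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+)[^"]*" (?P<status>\d{3})'
)


def decode_path(url: str) -> str:
    """Drop the query string and percent-decode until the string stops changing
    (bounded to three rounds) so encoded traversal sequences are seen decoded."""
    path = url.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def classify_request(url: str):
    """Return (severity, reason) for a suspicious request path, or None if benign."""
    decoded = decode_path(url)
    traversal = "/../" in decoded or decoded.endswith("/..")
    # normpath collapses '.', '..' and repeated slashes, giving the path the
    # request really reaches once the traversal is applied.
    landing = posixpath.normpath("/" + decoded.lstrip("/"))
    reaches_vpns = landing.startswith("/vpns/")
    hits_cgi = landing.startswith("/vpns/portal/scripts/") and landing.endswith(".pl")
    if traversal and hits_cgi:
        return ("high", f"traversal into VPN portal Perl CGI: {landing}")
    if traversal and reaches_vpns:
        return ("high", f"traversal into /vpns/: {landing}")
    if traversal:
        return ("medium", f"path traversal sequence in request: {landing}")
    return None


def scan_log(text: str):
    """Parse each log line and collect findings as dicts, in log order."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: not this log shape, skip it
        verdict = classify_request(m.group("url"))
        if verdict:
            severity, reason = verdict
            findings.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "method": m.group("method"),
                "status": m.group("status"),
                "severity": severity,
                "reason": reason,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['ip']:15} {f['method']:4} {f['reason']}")
```

On the constructed input the two requests that reach newbm.pl through a traversal are reported as high and the traversal into static content as medium; the benign hits produce nothing. Pair the high findings with a check of what the same client did next (POST bodies, follow-up GETs under /vpns/portal/) before treating the appliance as clean.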

Six-Week Unpatched Window

Citrix's advisory on December 17, 2019 disclosed the vulnerability with no patch — only configuration-based mitigations involving specific firewall responder policies that were complex to implement correctly. The mitigation instructions were incomplete for some deployment modes and were bypassed by researchers within days. The first patches didn't arrive until January 19, 2020, over a month after disclosure, with the last version patched on January 24.

During this window, attackers who had been conducting reconnaissance on Citrix ADC appliances — and who obtained PoC code on January 11, 2020 — had six weeks of exploit-without-defense opportunity against ~80,000 internet-exposed devices.

Attack Characteristics

Attribute                Detail
Attack Vector            Network — Citrix ADC/Gateway HTTPS port (443)
Authentication Required  None
Code Execution           As the Citrix web process (often root)
Patch Delay              6 weeks from disclosure to all versions patched
Deployed Exposure        ~80,000 internet-exposed instances at peak

Discovery

The vulnerability was discovered by Mikhail Klyuchnikov of Positive Technologies, who reported it to Citrix under coordinated disclosure. Citrix published the advisory on December 17, 2019. The vulnerability's unusually long disclosure-to-patch timeline — combined with Citrix's decision to disclose publicly before having a patch — was widely criticized by the security community.

Exploitation Context

CVE-2019-19781 became one of 2020's most widely exploited vulnerabilities:

  • Nation-state exploitation:
    • IRIDIUM/Sandworm (Russian GRU): Exploited for persistent access to government and critical infrastructure networks
    • APT41 (Chinese state-sponsored): Targeted healthcare, defense, and technology sectors
    • Iranian APT groups: Used for access to government networks
  • Criminal exploitation: Ransomware operators (including REvil/Sodinokibi precursors), cryptomining botnets, and access brokers all weaponized CVE-2019-19781
  • Backdoor deployment: A common post-exploitation payload was a backdoor dropped to a path that survived appliance reboots
  • Scale: Tens of thousands of organizations are believed to have been compromised during the six-week unpatched window
  • CISA/FBI advisories: Multiple government advisories documented CVE-2019-19781 as one of the most routinely exploited vulnerabilities of 2020 and subsequent years
  • CISA KEV: Added November 3, 2021 — nearly two years after disclosure — confirming continued active exploitation

Remediation

CISA BOD 22-01 Deadline: May 3, 2022. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Recommended Actions

  1. Apply the Citrix ADC/Gateway patches to the fixed versions listed above. Verify the running version via the Citrix ADC management console or CLI: show version.

  2. Hunt for post-exploitation indicators — organizations with internet-exposed ADC/Gateway instances during the December 2019 – January 2020 window should assume potential compromise:

    • Check for unexpected files in /netscaler/portal/templates/
    • Review /var/nslog/httperror.log and /var/nslog/ns.log for path traversal patterns (/../vpns/)
    • Check for unusual cron jobs or startup scripts
    • Review /etc/passwd for unexpected user accounts
  3. Rotate all credentials that were accessible from the compromised appliance — LDAP/AD integration credentials, SSL private keys, RADIUS shared secrets, and service account passwords stored in Citrix ADC configuration.

  4. Restrict internet exposure. Citrix ADC/Gateway management interfaces should not be directly internet-accessible. VPN portals should be protected by IP allowlisting where possible or placed behind an additional authentication layer.

  5. Upgrade to supported versions. ADC 10.5, 11.0, and 11.1 are end-of-life. Remaining on unsupported versions means future vulnerabilities will receive no patches.

Key Details

Property              Value
CVE ID                CVE-2019-19781
Vendor / Product      Citrix — Application Delivery Controller (ADC), Gateway, and SD-WAN WANOP Appliance
NVD Published         2019-12-27
NVD Last Modified     2025-11-07
CVSS 3.1 Score        9.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity              CRITICAL
CWE                   CWE-22 — Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)
CISA KEV Added        2021-11-03
CISA KEV Deadline     2022-05-03
Known Ransomware Use  ⚠️ Yes

CVSS 3.1 Breakdown

Attack Vector        Network
Attack Complexity    Low
Privileges Required  None
User Interaction     None
Scope                Unchanged
Confidentiality      High
Integrity            High
Availability         High

Required Action

CISA BOD 22-01 Deadline: 2022-05-03. Apply updates per vendor instructions.

Timeline

Date        Event
2019-12-17  Citrix publishes CTX267027 advisory disclosing the vulnerability with no patch available; recommends configuration mitigations
2019-12-27  CVE-2019-19781 published
2020-01-11  Public proof-of-concept exploit released; mass scanning and exploitation begins
2020-01-13  CISA Alert AA20-031A issued; FBI, DHS, and NSA warn of nation-state exploitation
2020-01-19  Citrix begins rolling out patches, starting with versions 11.1 and 12.0
2020-01-24  All supported versions patched
2021-11-03  Added to CISA Known Exploited Vulnerabilities catalog
2022-05-03  CISA BOD 22-01 remediation deadline