Security News > 2020 > January > Unpatched Citrix Flaw Now Has PoC Exploits

Proof-of-concept exploit code has been released for an unpatched remote-code-execution vulnerability in the Citrix Application Delivery Controller and Citrix Gateway products.

The vulnerability, which Threatpost reported on in December, already packs a double-punch in terms of severity: Researchers say it is extremely easy to exploit, and affects all supported versions of Citrix Gateway products and Citrix ADC, a purpose-built networking appliance meant to improve the performance and security of applications delivered over the web.

Citrix did not disclose many details about the vulnerability in its security advisory Qualys researchers said that the mitigation steps offered by Citrix suggest the flaw stems from the VPN handler failing to sufficiently sanitize user-supplied inputs.

Affected by the vulnerability are: Citrix ADC and Citrix Gateway version 13.0 all supported builds, Citrix ADC and NetScaler Gateway version 12.1 all supported builds, Citrix ADC and NetScaler Gateway version 12.0 all supported builds, Citrix ADC and NetScaler Gateway version 11.1 all supported builds and Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds.

"Citrix expects to have firmware updates in the form of refresh builds to be available across all supported versions of Citrix ADC and Citrix Gateway before the end of January 2020," according to the Citrix security advisory.

News URL

https://threatpost.com/unpatched-citrix-flaw-exploits/151748/