Security News > 2020 > January > Citrix Releases Patches for Critical ADC Vulnerability Under Active Attack
Citrix has finally started rolling out security patches for a critical vulnerability in ADC and Gateway software that attackers started exploiting in the wild earlier this month after the company announced the existence of the issue without releasing any permanent fix.
As explained earlier on The Hacker News, the vulnerability, tracked as CVE-2019-19781, is a path traversal issue that could allow unauthenticated remote attackers to execute arbitrary code on several versions of Citrix ADC and Gateway products, as well as on the two older versions of Citrix SD-WAN WANOP. Rated critical with CVSS v3.1 base score 9.8, the issue was discovered by Mikhail Klyuchnikov, a security researcher at Positive Technologies, who responsibly reported it to Citrix in early December.
As part of its first batch of updates, Citrix today released permanent patches for ADC versions 11.1 and 12.0 that also apply to "ADC and Gateway VPX hosted on ESX, Hyper-V, KVM, XenServer, Azure, AWS, GCP or on a Citrix ADC Service Delivery Appliance."
"It is necessary to upgrade all Citrix ADC and Citrix Gateway 11.1 instances to build 11.1.63.15 to install the security vulnerability fixes. It is necessary to upgrade all Citrix ADC and Citrix Gateway 12.0 instances to build 12.0.63.13 to install the security vulnerability fixes," Citrix said in its advisory.
UPDATE - Citrix on Thursday also released second batch of permanent security patches for critical RCE vulnerability affecting ADC and Gateway versions 12.1 and 13.0.
News URL
http://feedproxy.google.com/~r/TheHackersNews/~3/MZy5oDEycuI/citrix-adc-patch-update.html
Related news
- Zyxel CPE devices under attack via critical vulnerability without a patch (CVE-2024-40891) (source)
- Hackers exploit critical Aviatrix Controller RCE flaw in attacks (source)
- Critical SimpleHelp Flaws Allow File Theft, Privilege Escalation, and RCE Attacks (source)
- Cisco fixes ClamAV vulnerability with available PoC and critical Meeting Management flaw (source)
- Microsoft Patches Critical Azure AI Face Service Vulnerability with CVSS 9.9 Score (source)
- Critical RCE bug in Microsoft Outlook now exploited in attacks (source)
- PostgreSQL Vulnerability Exploited Alongside BeyondTrust Zero-Day in Targeted Attacks (source)
- Critical PostgreSQL bug tied to zero-day attack on US Treasury (source)
- Citrix Releases Security Fix for NetScaler Console Privilege Escalation Vulnerability (source)
- CISA Flags Craft CMS Vulnerability CVE-2025-23209 Amid Active Attacks (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2019-12-27 | CVE-2019-19781 | Path Traversal vulnerability in Citrix products An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. | 9.8 |