Critical flaw in Citrix applications could allow unauthorized access to internal networks

The company that discovered the flaw says "at least 80,000 companies in 158 countries are potentially at risk."
citrix adc vulnerability
Citrix has released patches for the bugs in its mobile-networking software.

A critical vulnerability has been discovered in Citrix’s Application Delivery Controller (ADC) and Gateway products that could give attackers unauthorized access to enterprise networks as well as the ability to run code on them.

Security company Positive Technologies, which first discovered the flaw, says the vulnerability spans several years’ worth of Citrix technology. It estimates that “at least 80,000 companies in 158 countries are potentially at risk.”

Citrix’s ADC is a cloud-based application delivery and load balancing tool, while Gateway allows remote access to a company’s applications. The vulnerability affects Citrix ADC and Citrix Gateway 13.0, 12.1, 12.0, 11.1, and 10.5.

“Considering the high risk brought by the discovered vulnerability, and how widespread Citrix software is in the business community, we recommend information security professionals take immediate steps to mitigate the threat,” Dmitry Serebryannikov, director of the security audit department for Framingham, Massachusetts-based Positive Technologies, said in a blog post.


Citrix released a security bulletin on Dec. 17 addressing the issue, pushing customers to follow Citrix’s stopgap mitigation, which blocks certain SSL VPN requests. The company says it will be pushing a firmware update for the appliance to fully fix the issue, though there is no date for when that will be issued.

Positive Technologies also writes that using a web application firewall could help fend off potential attacks.

The vulnerability can be tracked by following CVE-2019-19781.

Greg Otto

Written by Greg Otto

Greg Otto is Editor-in-Chief of CyberScoop, overseeing all editorial content for the website. Greg has led cybersecurity coverage that has won various awards, including accolades from the Society of Professional Journalists and the American Society of Business Publication Editors. Prior to joining Scoop News Group, Greg worked for the Washington Business Journal, U.S. News & World Report and WTOP Radio. He has a degree in broadcast journalism from Temple University.

Latest Podcasts