A critical vulnerability in Citrix Application Delivery Controller (NetScaler ADC) and Citrix Gateway (NetScaler Gateway), tracked as CVE-2019-19781, could be exploited by attackers to access company networks.
It has been estimated that 80,000 companies in 158 countries are potentially at risk, most of them in the U.S.
The CVE-2019-19781 vulnerability was discovered by Mikhail Klyuchnikov from Positive Technologies.
“If that vulnerability is exploited, attackers obtain direct access to the company’s local network from the Internet. This attack does not require access to any accounts, and therefore can be performed by any external attacker.” reads the post published by Positive Technologies.
“Positive Technologies experts determined that at least 80,000 companies in 158 countries are potentially at risk.”
The vulnerability affects all supported versions of the product, and all supported platforms, including Citrix ADC and Citrix Gateway 13.0, Citrix ADC and NetScaler Gateway 12.1, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1, and also Citrix NetScaler ADC and NetScaler Gateway 10.5.
The expert pointed out the exploitation of the vulnerability does not require access to any accounts, for this reason, the issue could be triggered by any external attacker to
Depending on the configuration of the servers, Citrix applications can be used for connecting to workstations and critical business systems. Considering that Citrix applications are accessible on the company network perimeter, the flaw could allow attackers to attack other resources in the internal network from the Citrix server.
“Citrix applications are widely used in corporate networks,”
Citrix has released measures to mitigate the flaw, it
Positive Technologies pointed out that the vulnerability was introduced in the Citrix software in 2014, for this reason, it is important to also detect past exploitation of the flaw.
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.