Citrix issues permanent fixes for CVE-2019-19781 in ADC and Gateway

Citrix published firmware updates replacing interim mitigations for CVE-2019-19781 path traversal flaws in ADC, Gateway, and SD-WAN WANOP appliances, requiring customers to upgrade affected builds and remove responder policies.

Executive briefing: Citrix released permanent fixes for CVE-2019-19781 across supported Citrix ADC, Gateway, and SD-WAN WANOP firmware streams, closing the path traversal remote code execution bug that had been temporarily mitigated with responder policies.

Why it matters

  • Exploitation had been widespread, with public exploit code and active scanning targeting gateways exposed to the internet.
  • The interim responder policy workaround reduced risk but did not fully remove the vulnerability; upgrading to fixed builds is the durable remediation.
  • Appliances often front remote access to corporate networks, so unpatched devices provide an entry point for credential theft and post-exploitation lateral movement.

Operator actions

  • Identify deployed Citrix ADC, Gateway, and SD-WAN WANOP appliances and map firmware versions against the fixed builds listed in the vendor bulletin.
  • Apply the vendor firmware update appropriate to each branch (11.1, 12.0, 12.1, 13.0, or SD-WAN 10.2/11.0) following Citrix's upgrade instructions.
  • Remove any temporary responder policies applied for CVE-2019-19781 once devices are upgraded, per Citrix guidance.
  • Hunt for indicators of compromise (unexpected admin accounts, webshells in /netscaler/portal/scripts) on appliances that were exposed before patching.
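
The webshell check in the last step can be scripted. This is an added example, not Citrix tooling or code from the vendor bulletin: it flags files under the scripts directory that changed after a cutoff or that are missing from a known-good listing. The function name `triage_scripts`, the cutoff timestamp, and the manifest file (relative paths taken from a clean appliance on the same build) are assumptions.

```shell
#!/bin/sh
# Added example (not vendor tooling). Flags files under a scripts directory that
# were modified after a cutoff or are missing from a known-good manifest.
# Usage: triage_scripts DIR CUTOFF MANIFEST
#   DIR      e.g. /netscaler/portal/scripts (path named in the briefing)
#   CUTOFF   touch -t timestamp, CCYYMMDDhhmm (assumed: start of exposure)
#   MANIFEST relative file paths, one per line, from a clean same-build appliance
triage_scripts() {
    dir=$1 cutoff=$2 manifest=$3
    [ -d "$dir" ] && [ -r "$manifest" ] || {
        echo "usage: triage_scripts DIR CUTOFF MANIFEST" >&2
        return 2
    }
    work=$(mktemp -d "${TMPDIR:-/tmp}/triage.XXXXXX") || return 2
    # Reference file whose mtime equals the cutoff, for find -newer.
    if ! touch -t "$cutoff" "$work/ref"; then rm -rf "$work"; return 2; fi
    # Files changed after the cutoff (mtime only; an intruder can reset mtime).
    (cd "$dir" && find . -type f -newer "$work/ref" -print) |
        sed 's|^\./||' | LC_ALL=C sort | sed 's/^/NEW /'
    # Files present on disk but absent from the manifest.
    (cd "$dir" && find . -type f -print) |
        sed 's|^\./||' | LC_ALL=C sort > "$work/have"
    LC_ALL=C sort "$manifest" > "$work/want"
    LC_ALL=C comm -23 "$work/have" "$work/want" | sed 's/^/UNLISTED /'
    rm -rf "$work"
}

# Run directly when called with three arguments.
if [ "$#" -eq 3 ]; then triage_scripts "$@"; fi
```

Empty output means nothing was flagged by these two checks only; it does not clear an appliance that was exposed before patching, since modification times can be reset.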
