Citrix issues permanent fixes for CVE-2019-19781 in ADC and Gateway
Citrix published firmware updates replacing interim mitigations for CVE-2019-19781 path traversal flaws in ADC, Gateway, and SD-WAN WANOP appliances, requiring customers to upgrade affected builds and remove responder policies.
Executive briefing: Citrix released permanent fixes for CVE-2019-19781 across supported Citrix ADC, Gateway, and SD-WAN WANOP firmware streams, closing the path traversal remote code execution bug that had been temporarily mitigated with responder policies.
Why it matters
- Exploitation had been widespread, with public exploit code and active scanning targeting gateways exposed to the internet.
- The interim responder policy workaround reduced risk but did not fully remove the vulnerability; upgrading to fixed builds is the durable remediation.
- Appliances often front remote access to corporate networks, so unpatched devices provide an entry point for credential theft and post-exploitation lateral movement.
Operator actions
- Identify deployed Citrix ADC, Gateway, and SD-WAN WANOP appliances and map firmware versions against the fixed builds listed in the vendor bulletin.
- Apply the vendor firmware update appropriate to each branch (11.1, 12.0, 12.1, 13.0, or SD-WAN 10.2/11.0) following Citrix's upgrade instructions.
- Remove any temporary responder policies applied for CVE-2019-19781 once devices are upgraded, per Citrix guidance.
- Hunt for indicators of compromise (unexpected admin accounts, webshells in /netscaler/portal/scripts) on appliances that were exposed before patching.
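One way to carry out the webshell part of the hunt above, as an added example that is not Citrix or CISA tooling: a shell function that flags files in the scripts directory that are missing from a known-good baseline or were modified after the device was first exposed. The baseline file, the cutoff timestamp, the function names and the fixture file names are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: triage the portal scripts directory on an appliance that
# was exposed before patching. Assumptions (not from the vendor bulletin):
#   - BASELINE lists the file names expected on a known-good appliance
#     running the same build, one name per line
#   - CUTOFF is when the device was first exposed, in touch -t format

# hunt_scripts DIR BASELINE CUTOFF
#   DIR       directory to review, e.g. /netscaler/portal/scripts
#   BASELINE  text file of expected file names
#   CUTOFF    [[CC]YY]MMDDhhmm
# Prints "UNLISTED <path>" for files absent from the baseline and
# "RECENT <path>" for files modified after the cutoff.
hunt_scripts() {
    dir=$1 baseline=$2 cutoff=$3
    ref=$(mktemp) || return 2
    # Reference file whose mtime is the cutoff, for find -newer.
    touch -t "$cutoff" "$ref" || { rm -f "$ref"; return 2; }
    find "$dir" -type f | sort | while IFS= read -r f; do
        name=${f##*/}
        # Exact, fixed-string match against the baseline names.
        grep -Fxq -- "$name" "$baseline" || printf 'UNLISTED %s\n' "$f"
    done
    find "$dir" -type f -newer "$ref" | sort | sed 's/^/RECENT /'
    rm -f "$ref"
}

# Constructed fixture so the function can be exercised off-box.
# File names and dates are made up for the demo; they are not real
# appliance files or indicators of compromise.
make_fixture() {
    d=$(mktemp -d) || return 2
    mkdir "$d/scripts"
    : > "$d/scripts/expected_a.pl"
    : > "$d/scripts/expected_b.pl"
    : > "$d/scripts/dropped.pl"
    touch -t 201912010000 "$d/scripts/expected_a.pl" "$d/scripts/expected_b.pl"
    touch -t 202001150000 "$d/scripts/dropped.pl"
    printf 'expected_a.pl\nexpected_b.pl\n' > "$d/baseline.txt"
    printf '%s\n' "$d"
}
```

A file reported on both lines (unlisted and recent) is the first to review; modification times can be altered after the fact, so an empty RECENT list does not clear a device on its own.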
Key sources
- Citrix: Updated security bulletin for CVE-2019-19781 (lists fixed builds and removal steps for responder policies).
- CISA Alert AA20-031A (describes exploitation and mitigation expectations for exposed appliances).