At Citrix, the security of our products, services, and corporate environment is paramount. We take product and service vulnerabilities very seriously and commit significant resources to protect our customers, employing robust security policies and procedures to ensure that we detect and respond effectively to vulnerabilities and incidents and minimize their impact.

Last month, we advised customers of a discovered vulnerability in Citrix Application Delivery Controller (ADC), formerly known as NetScaler ADC, and Citrix Gateway, formerly known as NetScaler Gateway, that, if exploited, could allow an unauthenticated attacker to perform arbitrary code execution.

We immediately started our security response process that involves, among other actions, variant analysis and mitigation development. Due to the increased risk of vulnerability leaks and the potential for an uncoordinated disclosure, we published a security advisory with detailed mitigations. These mitigations cover all supported versions and contain detailed steps designed to stop a potential attack across all known scenarios.

We are currently working to develop permanent fixes. As with any product of this nature, and consistent with our policies and procedures, these fixes need to be comprehensive and thoroughly tested. We anticipate making them available for supported versions as follows:

13 27-Jan-2020
12.1 27-Jan-2020
12 20-Jan-2020
11.1 20-Jan-2020
10.5 31-Jan-2020

There have been reports of network scanning to detect the presence of this vulnerability. We believe that a limited number of devices are exploitable though the management IP but they could be directly affected through the VIP. We continue to recommend that all affected customers deploy the previously released mitigation and follow all steps.

We remain deeply committed to the security of our solutions and will continue to provide updates on CVE-2019-19781 and support to our customers in managing the vulnerability via our product support Knowledge Center. To receive updates automatically, visit: https://support.citrix.com/user/alerts.