Today, we released permanent fixes to address the CVE-2019-19781 vulnerability for Citrix Application Delivery Controller (ADC) and Citrix Gateway versions 12.1 and 13.0. These fixes are available to download for ADC and Gateway.

As with the permanent fixes made available for Citrix ADC and Citrix Gateway versions 11.1 and 12.0 and Citrix SD-WAN 4000-WO, 5000-WO, 4100-WO, and 5100-WO earlier this week, these fixes are available to all customers regardless of whether they have an active maintenance contract with Citrix. We strongly urge all customers to immediately install these fixes.

The fixes released throughout this week will only work for the indicated versions.

Upgrade guides can be found on the download page for release 12.1 and release 13.0. While these upgrades are not difficult to install, we recommend reviewing the instructions and calling our Support Center if you have any questions. To further assist with installations, we have staffed our support center with outstanding networking technical resources, and we are providing real-time chat support.

It is necessary to upgrade all Citrix ADC, Citrix Gateway, and Citrix SD-WAN WANOP instances to the builds listed in the table below. This table also shows the latest release dates, reflecting the accelerated delivery of fixes this week.

Citrix ADC and Citrix Gateway

| Version | Refresh Build | Release Date |
| --- | --- | --- |
| 11.1 | 11.1.63.15 | January 19, 2020 |
| 12.0 | 12.0.63.13 | January 19, 2020 |
| 12.1 | 12.1.55.18 | January 23, 2020 |
| 13.0 | 13.0.47.24 | January 23, 2020 |
| 10.5 | 10.5.70.x | January 24, 2020 |

Citrix SD-WAN WANOP

| Release | Citrix ADC Release | Release Date |
| --- | --- | --- |
| 10.2.6b | 11.1.51.615 | January 22, 2020 |
| 11.0.3b | 11.1.51.615 | January 22, 2020 |

In addition to immediately installing these fixes, we encourage all customers to use the free Indicator of Compromise Scanning tool that we teamed up with FireEye Mandiant to launch this week. This tool is available under the Apache 2.0 open source license, and provides customers with increased awareness of potential compromise related to the CVE-2019-19781 vulnerability on their systems. The tool is designed to allow customers to run it locally on their Citrix instances and receive a rapid assessment of potential Indicators of Compromise based on known attacks and exploits. The tool is freely accessible in the Citrix GitHub Repository.

Thank you to our customers and partners for your patience as we continue to roll out fixes that fully address this vulnerability. Customer security remains a top priority for Citrix, and we will continue making every effort to ensure all customers are supported.