Tackling vulnerabilities to keep your business running

Citrix is committed to keeping its products and customers secure. Citrix strives to follow industry standards during all phases of the Secure Development Lifecycle (SDLC). As part of its SDLC program, Citrix has a robust Security Response Process that accepts vulnerability reports against Citrix products and services from external sources – customers and researchers alike.

The Citrix Security Response Team is a dedicated, global team that is responsible for managing the receipt, verification, and public reporting of information about security vulnerabilities in Citrix products.

In line with its commitment to adhere to international standard ISO/IEC 29147:2018, all issues reported to Citrix follow our vulnerability response process:

Upon receiving a vulnerability report, Citrix will generate a unique case identifier and acknowledge receipt by the end of the next working day.

Citrix will investigate all reports of vulnerabilities in Citrix products. The investigation and verification of issues will be prioritized based on the potential severity of the vulnerability and other environmental factors. Throughout the investigative process, Citrix will work with the reporter to confirm the nature of the vulnerability, gather required technical information, and ascertain appropriate remedial action. When the initial investigation is complete, results are delivered to the reporter along with a plan for resolution and public disclosure, if applicable.

Variant analysis

Citrix will perform an in-depth analysis to ensure that similar issues are identified and that any action taken will ultimately address the whole class of issues.

The Citrix Security Response team will work with Citrix internal product development teams to address the issue. Timescales for releasing a fix vary according to complexity and severity. Citrix will provide updates to the researcher as and when there is progress with the vulnerability handling process related to the reported vulnerability.

When a mitigation or software update is released, Citrix will provide remediation or mitigation information to users, typically in the form of a security bulletin and software patches or updates. If, during the course of the vulnerability handling process, Citrix identifies a vulnerability in a third-party product or service, we will endeavor to responsibly disclose this issue and coordinate our public releases.

Post release

Citrix will monitor feedback from users and, if necessary, will update remediation and mitigation information accordingly.

At Citrix, we are committed to ensuring the security of our customers. We follow a holistic and comprehensive approach to secure our products, services, and assets, with a formalized process for handling reported security vulnerabilities.

To stay informed about security vulnerabilities, update your support notifications to receive future security bulletins by email or subscribe to the RSS feed.

If you have identified a specific reproducible security vulnerability in a Citrix product or asset, please contact the Citrix Security Response Team by reporting a security issue within the Citrix Trust Center. Citrix recommends that vulnerability reports are encrypted using the PGP public key (fingerprint: 99FE 91C1 51A0 F7D5 4839 6044 351D 173A 623E 751C). When submitting a finding, please include as much detail as possible to aid with reproduction, testing, and resolution.

Citrix will treat all information received as confidential. Internal distribution is limited to those individuals who have a legitimate need to know and can actively assist in the resolution. Similarly, Citrix asks reporters to maintain strict confidentiality until complete resolutions are available for customers and have been published on the Citrix website.

If additional information is needed on any existing vulnerability and its impact on a Citrix product or service, please raise a support request through your normal Citrix support channel. When submitting the request, please include the Common Vulnerabilities and Exposures (CVE) reference (see https://nvd.nist.gov) or the relevant Citrix security bulletin article number.

Review technical support options or report a security issue within the Citrix Trust Center.

For help analyzing the results of a penetration testing report or any automated security tool output, please raise a support request through your normal Citrix support channel. Please ensure that the submission includes details on the specific versions and configuration of the products that were analyzed and any available details on how the test was conducted.

Citrix will investigate vulnerabilities in Citrix products and services from the date of release until End of Life (EOL). See the Citrix product lifecycles for more information.

Citrix will generally publish a security bulletin once it has completed the vulnerability response process and determined that sufficient software patches or workarounds exist to address the vulnerability, or, for high-severity vulnerabilities, once a subsequent public disclosure of the code fixes is planned (e.g., through a CVE).

In limited circumstances, including where Citrix has observed active exploitation of a vulnerability or where there is the potential for public awareness of a vulnerability that could lead to increased risk for Citrix customers, a security bulletin may be published before a complete set of patches or workarounds have been released, so that we may alert customers and provide advice on how to mitigate the associated risks.

Citrix classifies Security bulletins as Critical, High, Medium, Low, or Informational according to the risk that Citrix determines a vulnerability represents to our customers. Citrix calculates the risk of a vulnerability using the Common Vulnerability Scoring System (CVSS), but may adjust the score to reflect specific circumstances, including but not limited to the complexity of exploitation and the mitigations available. Citrix recommends that customers apply security fixes and patches as soon as possible following their release.

Update your support notifications to receive future security bulletins by email or subscribe to the RSS feed.

Citrix Security bulletins are published and disclosed to customers and the public simultaneously. However, Citrix also offers pre-notification of an upcoming bulletin to a limited group of customers.

Customers on the pre-notification list will receive notice of an upcoming Security bulletin 1-2 weeks prior to the public release date, to aid the planning and allocation of resources for update activities. The notification will contain the name of the affected product, the affected versions (major versions only), the criticality of the vulnerability, and the expected release date.

Pre-notification of upcoming Citrix Security bulletins is available to customers and partners that meet the following criteria:

  • Must have a current Priority or Priority Plus support contract with Citrix
  • Must be managing critical infrastructure (qualified by size). Examples include:
    • Cloud platform providers
    • Service platform providers
    • Healthcare-based ISVs
  • Must NOT have been previously disqualified from the pre-disclosure program

If you wish to be added to the pre-notification list, please submit a request. Customers and partners that are accepted will be required to execute a program agreement.

Please note that submission of a request does not guarantee admission into the pre-notification program. Requests are considered and approved at the sole discretion of Citrix.

Citrix would like to thank security researchers who have worked with us to secure Citrix products and services and, when permission is given, will acknowledge a reporter's contribution during the public disclosure of a vulnerability.

Name | Company | Release Date | CVE
Maarten Boone | N/A | 7-Jul-20 | CVE-2020-8190
Donny Maasland | Unauthorized Access | 7-Jul-20 | CVE-2020-8191, CVE-2020-8193, CVE-2020-8194, CVE-2020-8195, CVE-2020-8196
Laurent Geyer | Akamai | 7-Jul-20 | CVE-2020-8197
Albert Shi | UVision | 7-Jul-20 | CVE-2020-8198
Viktor Dragomiretskyy | N/A | 7-Jul-20 | CVE-2020-8199
Muris Kurgas | Digital14 | 7-Jul-20 | CVE-2019-18177
Andrew Hess | N/A | 11-Jun-20 | CVE-2020-13884, CVE-2020-13885
Daniel Jensen | N/A | 24-Jun-20 | CVE-2020-7473, CVE-2020-8982, CVE-2020-8983
Danske Bank Red-Team | Danske Bank | 5-May-20 | CVE-2020-8982, CVE-2020-8983
Mikhail Klyuchnikov | Positive Technologies | 17-Dec-19 | CVE-2019-19781
Gianlorenzo Cipparrone | Paddy Power Betfair plc | 17-Dec-19 | CVE-2019-19781
Miguel Gonzalez | Paddy Power Betfair plc | 17-Dec-19 | CVE-2019-19781
Marc-André Labonté | Desjardins | 17-Oct-19 | CVE-2019-18225
Vahagn Vardanyan | N/A | 20-Aug-19 | CVE-2019-13608
Ollie Whitehouse | NCC Group | 13-May-19 | CVE-2019-11634
Richard Warren | NCC Group | 13-May-19 | CVE-2019-11634
Martin Hill | NCC Group | 13-May-19 | CVE-2019-11634
Sergey Gordeychik | SD-WAN New Hope | 30-Apr-19 | CVE-2019-11550
Denis Kolegov | SD-WAN New Hope | 30-Apr-19 | CVE-2019-11550
Nikita Oleksov | SD-WAN New Hope | 30-Apr-19 | CVE-2019-11550
Jonas | Danske Bank | 26-Apr-19 | CVE-2019-18571
Vasile Revnic | N/A | 10-Apr-19 | CVE-2019-11345
Mark Du Plessis | N/A | 11-Mar-19 | CVE-2019-9548
Craig Young | Tripwire VERT | 23-Jan-19 | CVE-2019-6485
Janis Fliegenschmidt | Ruhr-Universität Bochum | 23-Jan-19 | CVE-2019-6485
Juraj Somorovsky | Ruhr-Universität Bochum | 23-Jan-19 | CVE-2019-6485
Nimrod Aviram | Tel Aviv University | 23-Jan-19 | CVE-2019-6485
Robert Merget | Ruhr-Universität Bochum | 23-Jan-19 | CVE-2019-6485
Andrey Medov | Positive Technologies | 11-Aug-20 | CVE-2020-8209
Glyn Wintle | Tradecraft | 11-Aug-20 | CVE-2020-8209, CVE-2020-8210, CVE-2020-8211, CVE-2020-8212
Kristian Bremberg | Detectify | 11-Aug-20 | CVE-2020-8208
Ceri Coburn | Pen Test Partners | 21-Jul-20 | CVE-2020-8207
Laurent Geyer | Akamai | 7-Jul-20 | CVE-2020-8197
Muris Kurgas | Digital14 | 7-Jul-20 | CVE-2019-18177
Maarten Boon | N/A | 7-Jul-20 | CVE-2020-8190
Donny Maasland | N/A | 7-Jul-20 | CVE-2020-8191, CVE-2020-8193, CVE-2020-8194, CVE-2020-8195, CVE-2020-8196
Albert Shi | Univision Network (Shanghai) Co., Ltd | 7-Jul-20 | CVE-2020-8198
Viktor Dragomiretskyy | N/A | 7-Jul-20 | CVE-2020-8199
Andrew Hess | N/A | 11-Jun-20 | CVE-2020-13884, CVE-2020-13885
Harrison Neal | Patch Advisor | 8-Sep-20 | CVE-2020-8200
Moritz Bechler | SySS GmbH | 17-Sep-20 | CVE-2020-8245
Knud | F-Secure | 17-Sep-20 | CVE-2020-8246
Arsenii Pustovit | Adversary Emulation team (Royal Bank of Canada) | 17-Sep-20 | CVE-2020-8247
Johan Georges | Wisearc Advisors, Sweden | 17-Sep-20 | -
Vasilis Maritsas | EY Consulting | 17-Sep-20 | -
Juan David Ordoñez Noriega | RedTeam CSIETE | 17-Sep-20 | -
Ricardo Iramar Dos Santos | - | 17-Sep-20 | -