CVE-2019-19781

CVE-2019-19781 is a critical-severity vulnerability in Citrix Application Delivery Controller Firmware with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2021-11-03). The underlying weakness is classified as CWE-22.

Key facts

Description

An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal.

CVE-2019-19781: Citrix ADC / Gateway Directory Traversal (Shitrix)

AI-generated analysis based on the vulnerability data on this page.

Attribute Value
CVE CVE-2019-19781
Published 2019-12-27
CVSS v3.1 9.8 Critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVSS v2 7.5 High (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
EPSS 0.99999 (99.998th percentile)
KEV Yes (CISA, since 2021-11-03)
EU Exploited Yes (since 2021-11-03)

Summary

Citrix Application Delivery Controller (ADC) and Gateway products contain a directory-traversal flaw that can be leveraged by unauthenticated remote attackers to execute arbitrary code on the underlying appliance.

Background

Citrix ADC (formerly NetScaler ADC) and Citrix Gateway (formerly NetScaler Gateway) are widely deployed edge-access and load-balancing appliances. In late December 2019, security researchers disclosed a pre-authentication path-traversal issue in these products that could be chained into remote code execution. The vulnerability was rapidly weaponized by multiple threat actors and became commonly known as "Shitrix."

Root Cause

The vulnerability is classified under CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'). A handler in the /vpn/ endpoint fails to sanitize directory-traversal sequences (../) in the request path. This allows an attacker to reach arbitrary locations on the appliance file system, most notably the template directories used by the web interface. By writing attacker-controlled content into a template file and triggering its evaluation, the attacker can achieve code execution with the privileges of the web server process.

Impact

The CVSS v3.1 vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, yielding a base score of 9.8 (Critical).

  • Attack Vector (AV): Network — exploitable remotely without physical or local access.
  • Attack Complexity (AC): Low — no special conditions or race conditions are required.
  • Privileges Required (PR): None — no account or credentials are needed.
  • User Interaction (UI): None — fully automated exploitation is possible.
  • Scope (S): Unchanged — the vulnerable component and impacted component are the same.
  • Confidentiality (C), Integrity (I), Availability (A): High — successful exploitation grants full control over the appliance.

The CVSS v2 score is 7.5 (High) with network-access, low-complexity, no-authentication requirements and partial impacts across the CIA triad.

Exploitation Walkthrough

Ethics caveat: The following description is provided for defensive and forensic purposes only. Actual proof-of-concept code is deliberately omitted in accordance with responsible disclosure norms.

The attack surface is the /vpn/ URL path on the Citrix appliance. By crafting an HTTP request that embeds directory-traversal sequences, an attacker can escape the intended document root and target writable directories—such as the Perl template cache—on the underlying file system. The attacker uploads or writes attacker-controlled template content into a file with a predictable path. Subsequent requests cause the appliance to process that template, resulting in execution of attacker-supplied commands under the context of the web server user.

This is not a theoretical concern. Mass-exploitation campaigns were observed within days of public disclosure, with actors deploying coin miners, backdoors, and ransomware payloads.

Affected and Patched Versions

Affected products and versions:

  • Citrix ADC versions 10.5, 11.1, 12.0, 12.1, and 13.0
  • Citrix Gateway versions 10.5, 11.1, 12.0, 12.1, and 13.0

Patched versions: Citrix released security updates and mitigations. Specific build numbers and patch timelines are documented in the vendor advisory CTX267027. Administrators should consult that bulletin for the exact fixed releases applicable to their platform and license type.

Remediation

  1. Upgrade immediately. Apply the patched firmware or hotfix from Citrix as detailed in CTX267027. Given the EPSS score and active exploitation, this should be treated as an emergency change.
  2. Compensating controls (if patching is delayed):
    • Implement the responder-policy workaround published by Citrix to block traversal patterns at the ADC/Gateway layer.
    • Restrict management and VPN portal access to trusted source IP ranges via upstream firewall rules.
    • Disable unnecessary VPN virtual servers and portals to reduce attack surface.
  3. Post-compromise validation: Assume compromise if the appliance was exposed and unpatched during the exploitation window (late December 2019 onward). Re-image or rebuild from known-good firmware rather than simply patching over a potentially back-doored system.

Detection

  • Network: Monitor HTTP request logs for ../ sequences or anomalous URI paths under /vpn/ and /vpns/. Look for unexpected POST or GET requests returning 200 OK for non-existent resources.
  • Host: Inspect the NetScaler shell for unexpected files in template directories (e.g., under /netscaler/ns_gui/vpn/ or /var/). Check file modification timestamps against change-control records.
  • Behavioral: Correlate appliance-initiated outbound connections with threat-intel feeds. Unexpected DNS queries, HTTP callbacks, or reverse-shell traffic from an ADC/Gateway IP are strong indicators of compromise.
  • Threat Intelligence: CISA maintains this CVE in the Known Exploited Vulnerabilities catalog. Security teams should ensure detection content is mapped to the MITRE ATT&CK techniques for ingress tool transfer (T1105) and command execution.

Assessment

With an EPSS of 0.99999 (99.998th percentile), CVE-2019-19781 sits among the most reliably exploited vulnerabilities in the public record. Its inclusion in the CISA KEV catalog (added 2021-11-03) and the EU exploited-vulnerabilities list confirms sustained, real-world abuse.

Key lessons:

  1. Edge appliances are high-value targets. Pre-authentication RCE in remote-access infrastructure offers threat actors an ideal beachhead; patch SLAs for externally facing appliances should be measured in hours, not days.
  2. Traversal to execution is a common pattern. A seemingly "simple" directory traversal becomes critical when the underlying system processes the traversed path as code. Input validation must be paired with strict execution-context controls.

References

Frequently asked questions

What is CVE-2019-19781?
An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal.
How severe is CVE-2019-19781?
CVE-2019-19781 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2019-19781 being actively exploited?
Yes. CVE-2019-19781 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2021-11-03, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2019-19781?
CVE-2019-19781 primarily affects Citrix Application Delivery Controller Firmware. In total, 10 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2019-19781?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2019-19781 have an EU (EUVD) identifier?
Yes. CVE-2019-19781 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2019-9380. It is also flagged as exploited in the EUVD (since 2021-11-03).
When was CVE-2019-19781 published?
CVE-2019-19781 was published on 2019-12-27 and last updated on 2026-06-17.

References

Affected products (10)

More vulnerabilities in Citrix Application Delivery Controller Firmware

All CVEs affecting Citrix Application Delivery Controller Firmware →

Other CWE-22 (Path Traversal) vulnerabilities

Browse all CWE-22 (Path Traversal) vulnerabilities →