ACSC aware of critical vulnerability in Citrix Application Delivery Controller and Citrix Gateway

The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) is aware of a critical vulnerability that exists in the Citrix Application Delivery Controller (ADC) (formerly known as NetScaler ADC) and Citrix Gateway (formerly known as NetScaler Gateway).

The vulnerability, known as CVE-2019-19781, was initially disclosed on 17 December 2019 and could allow an unauthenticated attacker to perform arbitrary code execution on an organisation’s local network.

What you need to do

There is currently no patch available for this vulnerability. ACSC strongly encourages affected organisations to immediately follow the mitigation steps provided by Citrix until a permanent fix is available. The mitigation steps are available here: https://support.citrix.com/article/CTX267679.

Affected versions include:

  • Citrix ADC and Citrix Gateway version 13.0 all supported builds
  • Citrix ADC and NetScaler Gateway version 12.1 all supported builds
  • Citrix ADC and NetScaler Gateway version 12.0 all supported builds
  • Citrix ADC and NetScaler Gateway version 11.1 all supported builds
  • Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds.

Further information

Read the Citrix Security Bulletin: https://support.citrix.com/article/CTX267027.

Read ACSC’s guidance on how organisations can prepare and respond to a cyber security incident.

To report a cybercrime, visit ReportCyber.

To learn more about the OAIC Notifiable Data Breaches scheme, visit the OAIC website.