National Cyber Security Centre
Alert: Actors exploiting Citrix products vulnerability
An NCSC alert detailing the investigation into the exploitation of a critical vulnerability in Citrix products.
The NCSC is investigating exploitation of a critical vulnerability in the Citrix Application Delivery Controller (ADC) and Citrix Gateway that could allow an unauthenticated attacker to perform arbitrary code execution on a network. The vulnerability is tracked as CVE-2019-19781, and its exploitation has been widely reported online in early January.
The following Citrix products are affected:
- Citrix ADC and Citrix Gateway version 13.0, all supported builds
- Citrix ADC and NetScaler Gateway version 12.1, all supported builds
- Citrix ADC and NetScaler Gateway version 12.0, all supported builds
- Citrix ADC and NetScaler Gateway version 11.1, all supported builds
- Citrix NetScaler ADC and NetScaler Gateway version 10.5, all supported builds
Citrix initially disclosed this vulnerability in an Advisory on 17 December 2019. There is currently no patch, although Citrix have advised customers that updates for affected products will be available from 20 January 2020 onwards, depending on the product.
Until a patch is released, Citrix have provided mitigation advice, which the NCSC strongly advises organisations to implement. Full details of how to apply the mitigations are on the Citrix website.
Organisations are advised to check the Citrix website to keep up to date with patch releases.
The NCSC also recommends that organisations which did not implement these mitigations before Citrix disclosed the vulnerability on 17 December 2019 carry out searches across their networks to identify whether exploitation has taken place.