National Cyber Security Centre
Printable version

Alert: Actors exploiting Citrix products vulnerability

An NCSC alert detailing the investigation into the exploitation of a critical vulnerability in Citrix products.

Update note

This Alert is an updated version of the Alert published on 14 January 2020.

It provides updated information on another product (SD-WAN WANOP) also affected by the vulnerability, newly released fixes and creation of an IoC scanning tool to detect exploitation.


The NCSC is investigating multiple exploitations of a critical vulnerability in the Citrix Application Delivery Controller (ADC) and Citrix Gateway that allows an unauthenticated attacker to perform arbitrary code execution on a network. The vulnerability is CVE-2019-19781 and its exploitation has been widely reported online in early January 2020.  Attackers appear to be deploying various payloads once exploitation has taken place.

The following Citrix products are affected:

  • Citrix ADC and Citrix Gateway version 13.0 all supported builds
  • Citrix ADC and NetScaler Gateway version 12.1 all supported builds
  • Citrix ADC and NetScaler Gateway version 12.0 all supported builds
  • Citrix ADC and NetScaler Gateway version 11.1 all supported builds
  • Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds

Note that since the original disclosure, Citrix has advised that the vulnerability is also known to affect some SD-WANOP appliance models:

  • Citrix SD-WAN WANOP appliance models 400-WO, 4100-WO, 5000-WO and 5100-WO all supported builds 

Release of fixes

Citrix first disclosed this vulnerability in an Advisory on 17 December 2019. Initially no patch was available although Citrix provided mitigation advice. On 19 January 2020, Citrix began to release fixes, which were available for all affected builds by 24 January. Links can be found below.

The NCSC recommends following vendor best practice advice to mitigate vulnerabilities. In this case, the most important aspect is to install the latest updates as soon as practicable and to follow the vendor mitigation advice immediately.

Citrix have now updated the fixes for all affected ADC versions:

Fixes for all affected Gateway versions:

Fixes for all affected SD-WAN models:

Detecting already compromised systems

The NCSC also strongly advises organisations carry out searches across their networks to identify whether exploitation has taken place.

Citrix and Mandiant FireEye have jointly developed an IoC scanner to detect this vulnerability. The scanner analyses available log sources and system forensic artefacts to identify where exploitation of CVE-2019-19781 has taken place. The tool can be accessed via the link below:

In addition, the following can also be used as a simple check for a vulnerable system:

  1. Perform a GET request to: https://{host}/vpn/../vpns/
  2. Check response for "You don't have permission to access /vpns/"


Organisations who detect any suspected exploitation should report to the NCSC via the website


Sigma rule to detect activity is publicly available:

title: Citrix Netscaler Attack CVE-2019-19781description: Detects CVE-2019-19781 exploitation attempt against Citrix Netscaler, Application Delivery Controller and Citrix Gateway Attackid: ac5a6409-8c89-44c2-8d64-668c29a2d756references:


author: Arnim Rupp, Florian Rothstatus: experimentaldate: 2020/01/02modified: 2020/01/13logsource:category: webserverdescription: 'Make sure that your Netscaler appliance logs all kinds of attacks (test with'detection:selection:c-uri-path:

  • '*/../vpns/*'
  • '*/vpns/cfg/smb.conf'
  • '*/vpns/portal/scripts/*'
  • '*/vpns/portal/scripts/*'
  • '*/vpns/portal/scripts/*'

condition: selectionfields:

  • client_ip
  • vhost
  • url
  • response


  • Unknown

level: critical

In addition, the following Snort rule alerts on the first part of the "Project Zero India" exploit:

alert tcp any any -> any any (sid: 1019781; msg: "SERVER-WEBAPP Citrix ADC NSC_USER directory traversal attempt"; content: "NSC_USER:"; fast_pattern; content: "NSC_USER:"; http_header; content: "/../"; http_header; content: "POST"; http_method; content: "NSC_NONCE:" ; http_header; content: ".pl"; http_uri; content: "/vpns/"; http_uri; reference:cve,2019-19781; classtype: web-application-attack)

Exploitation code is also available via the links below:


Alert: Actors exploiting a vulnerability in Citrix products (version 2)
An NCSC alert detailing the investigation into the exploitation of a critical vulnerability in Citrix products (version 2), PDF, 204 KB, 5 PAGES


Channel website:

Original article link:

Share this article

Latest News from
National Cyber Security Centre