Cyber Resilience

CVE-2019-11634

Severity: Critical
Tags: CISA KEV · Active Exploitation · EUVD Exploited · Ransomware-linked

Published: 22 May 2019
Modified: 06 November 2025
KEV Added: 03 November 2021
CVSS v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.5243 (98.0th percentile)
Risk Priority: 71 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2019-11634 is a critical-severity Improper Access Control (CWE-284) vulnerability in Citrix Workspace app for Windows (versions before 1904) and the Citrix Receiver for Windows 4.9 LTSR line. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, its EPSS score (0.5243, 98.0th percentile) ranks it in the top 2% of CVEs by predicted exploit likelihood, and CISA has listed it in the Known Exploited Vulnerabilities catalog since 03 November 2021.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-17 (Remote Access). Neither substitutes for the vendor fix: the affected control is inside the client, so upgrading per CTX251986 is the remediation and the 800-53 controls are compensating measures around it.

Deeper analysis

Citrix Workspace app before version 1904 for Windows contains an incorrect access control vulnerability, tracked as CVE-2019-11634 and assigned CWE-284. The flaw received a CVSS v3.1 base score of 9.8; the vector records a network-reachable attack that requires no privileges and no user interaction and that fully affects confidentiality, integrity and availability.

Citrix's bulletin describes the defect more narrowly than the CVSS vector alone suggests: the client's local drive access preferences are not enforced, so an attacker can obtain read/write access to the client's local drives, which can in turn enable code execution on the client device. Because the enforcement that fails is on the client side, the practical exposure is to whatever session host, published application or desktop the user connects to: an attacker who controls that endpoint reaches the user's local filesystem without holding credentials for the client machine and without any user action beyond launching the session. Triage should therefore weigh which servers and published resources a client population connects to, not only whether the client is reachable from the network.

Citrix has published remediation guidance in security bulletin CTX251986, directing customers to upgrade to Workspace app 1904 or later and, for the Receiver for Windows 4.9 LTSR line, to the fixed cumulative update named in the bulletin. The issue also appears in the CISA Known Exploited Vulnerabilities catalog, confirming observed in-the-wild exploitation and underscoring the need for prompt patching.

Vulnerability details

Citrix Workspace App before 1904 for Windows has Incorrect Access Control.

CWE(s): CWE-284 (Improper Access Control)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Citrix Receiver for Windows 4.9 (LTSR line; see CTX251986 for the fixed cumulative update)
Citrix Workspace app for Windows < 1904 (1904 is the first fixed release)
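The version check a practitioner would run against the affected-asset list above, written here as an added example rather than code from this page or from Citrix. It reads the standard Windows Uninstall registry keys and flags installs in the affected range. Assumptions: the products register with a DisplayName beginning "Citrix Workspace" or "Citrix Receiver", and Workspace app product versions follow YY.M.x for release YYMM (so 1904 is 19.4.x and 1812 is 18.12.x); both are assumptions, not facts stated on this page.

```powershell
# Added example (not Citrix's code, not from the advisory page): inventory Citrix
# Workspace app / Receiver for Windows installs and flag those in the CVE-2019-11634
# affected range. Assumed: Uninstall-key DisplayName prefixes and the YY.M.x -> YYMM
# version mapping described in the lead-in.

function Test-Cve201911634Version {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [string]$DisplayVersion = ''
    )
    # An unparseable or missing version cannot be classified; return $null so it is
    # surfaced for manual review instead of silently passing.
    try { $v = [version]$DisplayVersion } catch { return $null }

    if ($DisplayName -like 'Citrix Workspace*') {
        # Map product version YY.M.x back to the YYMM release name and compare with 1904
        # (assumption: 19.4.x = 1904, 18.12.x = 1812).
        $release = $v.Major * 100 + $v.Minor
        return ($release -lt 1904)
    }
    if ($DisplayName -like 'Citrix Receiver*') {
        # Receiver for Windows: CTX251986 lists the 4.9 LTSR branch as affected until its
        # fixed cumulative update, and older 4.x branches are out of support. Flag every
        # Receiver build for review rather than hard-coding a fixed build number here.
        return $true
    }
    return $false
}

function Get-CitrixClientInventory {
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Citrix Workspace*' -or $_.DisplayName -like 'Citrix Receiver*' } |
        ForEach-Object {
            [pscustomobject]@{
                Computer   = $env:COMPUTERNAME
                Product    = $_.DisplayName
                Version    = $_.DisplayVersion
                Vulnerable = Test-Cve201911634Version -DisplayName $_.DisplayName -DisplayVersion $_.DisplayVersion
            }
        }
}

# Run locally; wrap the call in Invoke-Command -ComputerName ... to sweep a fleet.
Get-CitrixClientInventory | Format-Table -AutoSize
```

A `Vulnerable` value of `$true` means the install falls in the affected range, `$false` means it is 1904 or later, and `$null` means the version string could not be parsed and the host needs a manual look. Receiver installs are always reported as `$true` because the fixed 4.9 LTSR cumulative update is identified only in the bulletin, and guessing a build number in the script would turn a conservative check into a false negative.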

Mitigating Controls

Mitigating Controls (NIST 800-53 r5; AI mapping)

AC-3 Access Enforcement (prevent)
Directly enforces access-control policy on the Workspace app, the policy whose client-side enforcement CVE-2019-11634 defeats. Only the patched client restores that enforcement; treat this control as satisfied by the 1904 upgrade rather than by a separate configuration.

Least privilege for the Citrix process and its users (prevent)
Limits privileges granted to the Citrix process and the users who run it, reducing the impact on the client device if the access-control flaw is exploited.

AC-17 Remote Access, partial match (prevent)
Requires authorization and secure configuration for all remote connections made by the Workspace app, limiting the set of session hosts and published resources a client can reach and thereby the attacker positions from which the flaw can be triggered.
