CVE-2019-11634
Published: 22 May 2019
Summary
CVE-2019-11634 is a critical-severity Improper Access Control (CWE-284) vulnerability in Citrix Receiver. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 2.0% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-17 (Remote Access).
Deeper analysis
Citrix Workspace App before version 1904 for Windows contains an incorrect access control vulnerability, tracked as CVE-2019-11634 and assigned CWE-284. The flaw received a CVSS 3.1 base score of 9.8, reflecting network-accessible attack vectors that require no authentication or user interaction and result in high impact to confidentiality, integrity, and availability.
An unauthenticated remote attacker can exploit the weakness to bypass intended access restrictions, potentially obtaining unauthorized control over the affected application and the underlying Windows system. Because the vulnerability is reachable without credentials or user assistance, it can be leveraged directly from the network to read, modify, or disrupt sensitive data and operations.
Citrix has published remediation guidance in security bulletin CTX251986, directing customers to upgrade to Workspace App 1904 or later. The issue also appears in the CISA Known Exploited Vulnerabilities catalog, confirming observed in-the-wild exploitation and underscoring the need for prompt patching.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-3304
Vulnerability details
Citrix Workspace App before 1904 for Windows has Incorrect Access Control.
- CWE(s): CWE-284
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls (NIST 800-53 r5)
Directly enforces access-control policy on the Workspace App, blocking the unauthenticated remote bypass described in CVE-2019-11634.
Limits privileges granted to the Citrix process and users, reducing the impact if the access-control flaw is exploited.
Requires authorization and secure configuration for all remote connections to the Workspace App, mitigating the network-accessible attack vector.