Cyber Resilience

CVE-2019-19781

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · Ransomware-linked

Published: 27 December 2019

Modified: 07 November 2025
KEV Added: 03 November 2021
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9444 (100.0th percentile)
Risk Priority: 96 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2019-19781 is a critical-severity Path Traversal (CWE-22) vulnerability in Citrix Application Delivery Controller Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, it is ranked in the top 0.0% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2019-19781 is a directory traversal vulnerability, tracked under CWE-22, that affects Citrix Application Delivery Controller (ADC) and Gateway versions 10.5, 11.1, 12.0, 12.1, and 13.0. It received a CVSS 3.1 base score of 9.8, reflecting network-accessible attack vectors with no required authentication or user interaction and full impacts on confidentiality, integrity, and availability.

The flaw can be exploited remotely by unauthenticated attackers to traverse directories on affected appliances. Public exploit code demonstrates that successful traversal can be chained to achieve remote code execution on the target system.

The listed references consist of multiple Packet Storm entries that publish proof-of-concept code for directory traversal and remote code execution against the vulnerable Citrix products; no official mitigation guidance or patch details appear in the supplied references.

EU & UK References

Vulnerability details

An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal.

CWE(s)
KEV Date Added: 03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor · Product · Versions
citrix · application delivery controller firmware · 10.5, 11.1, 12.0, 12.1, 13.0
citrix · netscaler gateway firmware · 10.5, 11.1, 12.0, 12.1
citrix · gateway firmware · 13.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces access control policies to block unauthorized directory traversal and file access by unauthenticated remote attackers.

prevent

Requires validation of URL/path inputs to reject traversal sequences such as '../' that enable the directory traversal.

prevent · detect

Boundary protection mechanisms can restrict or monitor network traffic to the vulnerable Citrix ADC/Gateway interfaces.

References