CVE-2019-19781
Published: 27 December 2019
Summary
CVE-2019-19781 is a critical-severity Path Traversal (CWE-22) vulnerability in Citrix Application Delivery Controller Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 0.0% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2019-19781 is a directory traversal vulnerability, tracked under CWE-22, that affects Citrix Application Delivery Controller (ADC) and Gateway versions 10.5, 11.1, 12.0, 12.1, and 13.0. It received a CVSS 3.1 base score of 9.8, reflecting network-accessible attack vectors with no required authentication or user interaction and full impacts on confidentiality, integrity, and availability.
The flaw can be exploited remotely by unauthenticated attackers to traverse directories on affected appliances. Public exploit code demonstrates that successful traversal can be chained to achieve remote code execution on the target system.
The listed references consist of multiple Packet Storm entries that publish proof-of-concept code for directory traversal and remote code execution against the vulnerable Citrix products; no official mitigation guidance or patch details appear in the supplied references.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-9380
Vulnerability details
An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal.
- CWE(s)
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls (NIST 800-53 r5)
Enforces access control policies to block unauthorized directory traversal and file access by unauthenticated remote attackers.
Requires validation of URL/path inputs to reject traversal sequences such as '../' that enable the directory traversal.
Boundary protection mechanisms can restrict or monitor network traffic to the vulnerable Citrix ADC/Gateway interfaces.
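The input-validation control above, sketched as an added example; it is not code from Citrix or from the references on this page. The `/portal` prefix, the decode bound and the sample request targets are assumptions constructed for illustration. It decodes nested percent-encoding before checking for `..` segments, then confirms the normalized path stays under an allowed prefix.

```python
import posixpath
from urllib.parse import unquote, urlsplit

MAX_DECODE_ROUNDS = 3  # assumption: deeper nesting of percent-encoding is rejected
ALLOWED_PREFIXES = ("/portal",)  # hypothetical web root exposed to clients

def fully_decode(path):
    """Percent-decode until stable so '%252e%252e' is exposed as '..'."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(path)
        if decoded == path:
            return path
        path = decoded
    return None  # still changing after the bound: treat as hostile

def check_request_path(raw_target, allowed=ALLOWED_PREFIXES):
    """Return (allowed, reason) for the path part of a request target."""
    path = fully_decode(urlsplit(raw_target).path)
    if path is None:
        return False, "excessive-encoding"
    if "\x00" in path:
        return False, "nul-byte"
    path = path.replace("\\", "/")  # backslash acts as a separator on some stacks
    if ".." in path.split("/"):
        return False, "traversal-segment"
    normalized = posixpath.normpath(path)
    if not any(normalized == p or normalized.startswith(p + "/") for p in allowed):
        return False, "outside-allowed-prefix"
    return True, "ok"

# Constructed request targets, not taken from any real appliance or exploit.
SAMPLES = [
    "/portal/index.html?lang=en",
    "/portal/../admin/settings.conf",
    "/portal/%2e%2e/admin/settings.conf",
    "/portal/%252e%252e%252fadmin/settings.conf",
    "/portal/..%5cadmin/settings.conf",
    "/admin/settings.conf",
    "/portal/file..name.txt",
]

def rejected(targets):
    """Return (target, reason) for every target the check refuses."""
    results = [(t, check_request_path(t)) for t in targets]
    return [(t, reason) for t, (ok, reason) in results if not ok]

if __name__ == "__main__":
    for target, reason in rejected(SAMPLES):
        print(f"{reason:24} {target}")
```

The same function can be run over the request-target field of access logs to flag traversal attempts after the fact.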