ExtraHop Logo
Try ExtraHop
Menu iconX icon
  • Platformchevron right
  • Solutionschevron right
  • Modern NDRchevron right
  • Resourceschevron right
  • Companychevron right
User iconSign In
Contact Us

DETECTION OVERVIEW

Citrix ADC and Gateway Exploit - CVE-2019-19781

Risk Factors

An attacker with internet access to a vulnerable Citrix device can easily and remotely run arbitrary code on that device and gain complete control of the device, install malware, establish a persistent attack, or move laterally across the network.

Kill Chain

Exploitation

Risk Score

98

Detection diagram
Next in Exploitation: Citrix ADC and Gateway Scan - CVE-2019-19781

Attack Background

Several Citrix products contain a vulnerability that enables an attacker to traverse restricted directory paths and remotely run arbitrary code on the device. First, the attacker scans the target to confirm the presence of the vulnerability. Next, the attacker submits a POST request to upload a malicious script to the following path: https://../vpn/../vpns/ (1). Finally, the attacker sends a GET request to call the malicious URL (2) and run the script. Alternatively, the attacker can set up the script to run later or repeatedly as a cron job.

Mitigation Options

Upgrade to a fixed version, or configure affected devices to mitigate CVE-2019-19781

MITRE ATT&CK ID

What else can RevealX do for you?

View our Periodic Table of use casesArrow pointing right