
DETECTION OVERVIEW

Citrix ADC and Gateway Scan - CVE-2019-19781

Risk Factors

An attacker with internet access to a Citrix ADC or Gateway device can easily scan the device for known vulnerabilities. The attacker is able to collect configuration information from the scanned device and learn whether the device is vulnerable to remote code execution (RCE).

Kill Chain

Exploitation

Risk Score

75


Attack Background

Several Citrix products, including Citrix ADC (formerly NetScaler ADC) and Citrix Gateway (formerly NetScaler Gateway), contain a directory-traversal vulnerability, CVE-2019-19781, that lets an unauthenticated attacker reach files under the /vpns/ directory and, through the full exploit chain, run arbitrary code on the device. Before launching a full attack, the attacker scans the target by attempting to read the smb.conf file through the traversal: a request for a path such as /vpn/../vpns/cfg/smb.conf (variants such as /vpn/js/../../vpns/cfg/smb.conf are also seen) is sent to the device, and the attacker checks whether the file contents come back instead of an access-denied (HTTP 403) response. A successful read confirms that the device is neither patched nor mitigated; the same traversal can then be used to read other configuration data and, as the exploit progresses, to write and execute scripts on the appliance.
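The check described above can be reproduced from the defender's side by inspecting HTTP request paths and the status the device returned. The following is an added example, not part of the original detection page and not RevealX's own detection logic: it percent-decodes each request path, collapses dot-segments the way the web server would, flags any request that traverses into /vpns/, and uses the response status to tell a scan that succeeded (200, file served) from one that hit the responder-policy mitigation (403). The request records are constructed sample data; the field layout (client, method, path, status) is an assumption for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed sample HTTP request records (client, method, raw path, status).
# Illustrative only; not drawn from any real capture.
SAMPLE_REQUESTS = [
    ("203.0.113.10", "GET", "/vpn/../vpns/cfg/smb.conf", 200),
    ("203.0.113.10", "GET", "/vpn/js/../../vpns/cfg/smb.conf", 200),
    ("203.0.113.11", "GET", "/vpn/%2e%2e/vpns/cfg/smb.conf", 403),
    ("198.51.100.5", "GET", "/vpn/index.html", 200),
    ("198.51.100.5", "GET", "/vpns/cfg/smb.conf", 403),
]

# A ".." path segment anywhere in the decoded path.
DOT_DOT_SEGMENT = re.compile(r"(?:^|/)\.\.(?:/|$)")


def decode_path(raw_path):
    """Strip the query string and percent-decode twice so that %2e%2e and
    double-encoded %252e%252e variants are seen as '..' before inspection."""
    path = raw_path.split("?", 1)[0]
    return unquote(unquote(path))


def resolves_under(decoded_path, prefix):
    """Collapse dot-segments as the server would and test whether the
    resulting path lands inside the given directory."""
    resolved = posixpath.normpath(decoded_path)
    return resolved == prefix or resolved.startswith(prefix + "/")


def classify_request(method, raw_path, status):
    """Return a finding for a request that traverses into /vpns/, else None.

    The verdict follows the status the device actually returned: 200 means
    the file (e.g. smb.conf) was served, so the appliance is unpatched and
    unmitigated; 403 is what Citrix's responder-policy mitigation returns;
    anything else is reported but left undetermined.
    """
    decoded = decode_path(raw_path)
    if not DOT_DOT_SEGMENT.search(decoded):
        return None  # no traversal attempt in this request
    if not resolves_under(decoded, "/vpns"):
        return None  # traversal, but not into the /vpns/ tree
    if status == 200:
        verdict = "vulnerable"
    elif status == 403:
        verdict = "mitigated"
    else:
        verdict = "undetermined"
    return {
        "method": method,
        "raw_path": raw_path,
        "resolved_path": posixpath.normpath(decoded),
        "status": status,
        "verdict": verdict,
    }


def scan_requests(records):
    """Run classify_request over (client, method, path, status) tuples and
    return one finding per matching request, tagged with the client address."""
    findings = []
    for client, method, raw_path, status in records:
        finding = classify_request(method, raw_path, status)
        if finding is not None:
            finding["client"] = client
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_requests(SAMPLE_REQUESTS):
        print(f"{f['client']} {f['method']} {f['raw_path']} -> "
              f"{f['resolved_path']} [{f['status']}] {f['verdict']}")
```

Matching on the normalized path rather than on the literal string "/vpn/../vpns/" is what catches the /vpn/js/../../ and percent-encoded variants; a direct request for /vpns/cfg/smb.conf with no traversal is deliberately not flagged here, since the device rejects it without the bug being involved.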

Mitigation Options

Upgrade to a fixed version, or apply Citrix's published mitigation for CVE-2019-19781 (a responder policy that returns 403 for requests containing /vpns/ together with a /../ traversal sequence) on affected devices. After either step, verify that a request for /vpn/../vpns/cfg/smb.conf is refused rather than answered with the file contents.

MITRE ATT&CK ID
