Threats / Citrix / CVE-2019-19781
CVE-2019-19781
· EUVD no mirror located
· GCVE no mirror located
Verified 2026-06-16
Citrix Application Delivery Controller (ADC), Gateway, and S vulnerability
Citrix ADC, Gateway, and SD-WAN WANOP appliances contain a path traversal vulnerability allowing unauthenticated remote code execution. Actively exploited in ransomware campaigns.
Verdict
Today item, not a backlog item.
Critical remote code execution vulnerability in widely-deployed Citrix infrastructure products. Unauthenticated exploitation, high EPSS score, and confirmed active exploitation in ransomware operations indicate immediate threat to organizations running affected versions.
CISA KEV Yes · 2021-11-033Ransomware use Flagged3EPSS 0.99999 (verify live)4Exploit Weaponized · public PoC5
01
Is it exploitable?
— the evidence, ranked above the scoreExploit available
Fully weaponized — public exploit code is cataloged for this vulnerability.We link the existence of the exploit; we do not host or redistribute payloads.
Reported exploitation
843 independent public reports of in-the-wild exploitation are cataloged.Distinct reporting sources (vendor, incident response, government); open them for the underlying claims.
Exploited in the wild
Listed in the CISA Known Exploited Vulnerabilities catalog (added 2021-11-03), flagged for known ransomware use.
Probability (EPSS)
EPSS 0.99999 — modeled likelihood of exploitation activity.EPSS is a daily-changing model output — open the source for today's value.
Severity / affected
Affected: Citrix, Application Delivery Controller (ADC), Gateway, and SD-WAN WANOP Appliance. Confirm exact fixed builds in the vendor advisory.
Weakness (CWE)
Mapped to CWE-22 Path Traversal — weakness family: Path traversal / file.CWE assignment from the public NVD record; the weakness class drives how the flaw is exploited.
02
Who’s exploiting it?
— attribution turns risk into urgencyAttribution not established
No threat-actor attribution is established from the public feed for this record. Absence of a named actor is not absence of compromise — see Coverage & confidence.
03
Why it matters
— the attack path, told twice: adversary, then board1
Front door — unauthenticated access narrative 1
Attacker
I identify a Citrix ADC, Gateway, or SD-WAN WANOP appliance exposed on the network perimeter.
Business
Perimeter security controls fail to prevent reconnaissance of critical infrastructure entry points.
2
Keys to the kingdom — privilege/identity takeover narrative 2
Attacker
I craft a request exploiting the path traversal flaw to bypass authentication and access restricted functionality.
Business
Authentication mechanisms are circumvented, eliminating a primary security boundary.
3
Lateral reach — past segmentation narrative 3
Attacker
I execute arbitrary code on the appliance with system privileges, establishing persistent access.
Business
Attackers gain control of infrastructure handling sensitive traffic and user sessions.
4
Data at risk — exfiltration narrative 4
Attacker
I deploy ransomware or lateral movement tools to compromise internal networks and data stores.
Business
Operations halt, data is encrypted or exfiltrated, and recovery costs escalate rapidly.
04
What to do
— defensible action- Remediate per the vendor advisory — confirm the fixed build for your version and verify exposure.1
Say it to the boardA vulnerability with this evidence profile is a defensible budget line, not a backlog ticket — fund the change against the proof above.
05
Coverage & confidence
— what we know, and what we don’tEstablished (cited)
Coverage gaps — stated, not hidden
Disclosure & credit2
Catalogued by mitreCNA
Credited with finding itNo finder named in the public CVE record — the work behind this find is unattributed.