Citrix patches Critical vulnerability exploited in the wild (updated)

Citrix patches Critical vulnerability exploited in the wild

Citrix has made available a new permanent fix for a critical vulnerability CVE-2019-19781 in affected versions of Citrix SD-WAN WANOP. The update comes nearly five days after Citrix provided firmware updates for the same vulnerability in Application Delivery Controller (ADC) and Citrix Gateway products. An unathenticated attacker could exploit the vulnerability and execute arbitrary code.

As previously promised, Citrix provided the new patch for Citrix SD-WAN WANOP on Friday, January 24, 2020. The fixes are available here.

Citrix previously announced security updates for ADC and Gateway products on January 19, 2020, nearly a week after UK’s National Cyber Security Centre confirmed active exploits of the Citrix vulnerability CVE-2019-19781.

Citrix originally released details on the vulnerability on December 17, 2019, but had no patch available for download. As a result, security experts soon thereafter widely reported about exploits in the wild since early this month.

Citrix published the new patches for Citrix ADC and Citrix Gateway versions 11.1 and 12.0 to fix CVE-2019-19781.

“We urge customers to immediately install these fixes,” said Fermin J. Serna, Chief Information Security Officer of Citrix in a blog post.

Upgrade guides are also available via the Citrix download pages.

Also check out CERT Coordination Center (CERT/CC) security advisory for additional details on the threat.

Update (January 25, 2020): This post was originally published on January 20, 2020, but has been amended to include new security updates from Citrix made available on January 24, 2020.