Citrix XenDesktop Virtual Desktop Agent (VDA) 5.6.x before 5.6.200, when making changes to the server-side policy that control USB redirection, does not propagate changes to the VDA, which allows authenticated users to retain access to the USB device.
http://secunia.com/advisories/51524
https://exchange.xforce.ibmcloud.com/vulnerabilities/80626