CVE-2019-19781

critical

Description

An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal.

References

https://www.kb.cert.org/vuls/id/619785

https://forms.gle/eDf3DXZAv96oosfj6

http://packetstormsecurity.com/files/155972/Citrix-ADC-Gateway-Path-Traversal.html

http://packetstormsecurity.com/files/155947/Citrix-ADC-NetScaler-Directory-Traversal-Remote-Code-Execution.html

http://packetstormsecurity.com/files/155930/Citrix-Application-Delivery-Controller-Gateway-10.5-Remote-Code-Execution.html

http://packetstormsecurity.com/files/155905/Citrix-Application-Delivery-Controller-Gateway-Remote-Code-Execution-Traversal.html

http://packetstormsecurity.com/files/155904/Citrix-Application-Delivery-Controller-Gateway-Remote-Code-Execution.html

https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-215a

https://www.tenable.com/cyber-exposure/tenable-2022-threat-landscape-report

https://www.tenable.com/cyber-exposure/a-look-inside-the-ransomware-ecosystem

https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-117a

https://www.tenable.com/cyber-exposure/2021-threat-landscape-retrospective

https://web.archive.org/web/20211025233339/https://twitter.com/pancak3lullz/status/1452679527197560837

https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-209a

https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-296a

https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF

https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-259a

https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-133a

https://www.bleepingcomputer.com/news/security/citrix-releases-final-patch-as-ransomware-attacks-ramp-up/

https://www.ncsc.gov.uk/files/Advisory-further-TTPs-associated-with-SVR-cyber-actors.pdf

https://www.cisa.gov/uscert/ncas/alerts/aa20-296a#revisions

https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf

https://www.mandiant.com/resources/blog/apt41-initiates-global-intrusion-campaign-using-multiple-exploits

https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html

https://www.mandiant.com/resources/blog/nice-try-501-ransomware-not-implemented

https://www.tenable.com/blog/cve-2025-7775-citrix-netscaler-adc-and-netscaler-gateway-zero-day-remote-code-execution

https://www.tenable.com/blog/frequently-asked-questions-about-iranian-cyber-operations

https://www.tenable.com/blog/from-bugs-to-breaches-25-significant-cves-as-mitre-cve-turns-25

https://www.tenable.com/blog/aa24-241a-joint-cybersecurity-advisory-on-iran-based-cyber-actors-targeting-us-organizations

https://www.tenable.com/blog/cve-2023-4966-citrix-netscaler-adc-and-netscaler-gateway-information-disclosure-exploited-in

https://www.tenable.com/blog/aa23-215a-2022s-top-routinely-exploited-vulnerabilities

https://www.tenable.com/blog/cve-2023-3519-critical-rce-in-netscaler-adc-citrix-adc-and-netscaler-gateway-citrix-gateway

https://www.tenable.com/blog/cisa-top-20-cves-exploited-peoples-republic-of-china-state-sponsored-actors-aa22-279a

https://www.tenable.com/blog/government-advisories-warn-of-apt-activity-resulting-from-russian-invasion-of-ukraine

https://www.tenable.com/blog/examining-the-treat-landscape

https://www.tenable.com/blog/one-year-later-what-can-we-learn-from-zerologon

https://www.tenable.com/blog/healthcare-security-ransomware-plays-a-prominent-role-in-covid-19-era-breaches

https://www.tenable.com/blog/cve-2021-21972-vmware-vcenter-server-remote-code-execution-vulnerability

https://www.tenable.com/blog/government-agencies-warn-of-state-sponsored-actors-exploiting-publicly-known-vulnerabilities

https://www.tenable.com/blog/cve-2020-5135-critical-sonicwall-vpn-portal-stack-based-buffer-overflow-vulnerability

https://www.tenable.com/blog/us-cybersecurity-agency-cisa-alert-foreign-threat-actors-target-unpatched-vulnerabilities

https://www.tenable.com/blog/cve-2019-19781-critical-vulnerability-in-citrix-adc-and-gateway-sees-active-exploitation-while

https://www.tenable.com/blog/cve-2020-3452-cisco-adaptive-security-appliance-and-firepower-threat-defense-path-traversal

https://www.tenable.com/blog/cve-2020-2021-palo-alto-networks-pan-os-vulnerable-to-critical-authentication-bypass

https://www.tenable.com/blog/critical-vulnerabilities-you-need-to-find-and-fix-to-protect-the-remote-workforce

https://www.tenable.com/blog/how-covid-19-response-is-expanding-the-cyberattack-surface

https://www.tenable.com/blog/cve-2019-19781-unauthenticated-remote-code-execution-vulnerability-in-citrix-adcs-and-gateways

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-19781

https://twitter.com/bad_packets/status/1215431625766424576

https://support.citrix.com/article/CTX267027

https://badpackets.net/over-25000-citrix-netscaler-endpoints-vulnerable-to-cve-2019-19781/

Details

Source: Mitre, NVD

Published: 2019-12-27

Updated: 2025-11-07

Known Exploited Vulnerability (KEV)

Risk Information

CVSS v2

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Severity: High

CVSS v3

Base Score: 9.8

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical

EPSS

EPSS: 0.94442

Vulnerability Watch

Tenable Research has classified this CVE under the following Vulnerability Watch classification, which includes active and historical (inactive) classifications. You can learn more about these classifications on our blog.

Vulnerability of Concern