A newly disclosed vulnerability in Citrix ADC (Application Delivery Controller) and Citrix Gateway, tracked as CVE-2019-19781, allows unauthenticated remote command execution. The root cause is a directory traversal bug in the gateway's web interface; an attacker can turn it into command execution with just two crafted HTTP requests, and no account or credentials are needed. Because these appliances sit at the network edge, the flaw can hand an attacker on the Internet a foothold on the internal networks behind the gateway.
The Cybersecurity and Infrastructure Security Agency (CISA) has released a utility that lets users and administrators test whether their Citrix ADC and Citrix Gateway installations are susceptible to CVE-2019-19781. According to Citrix Security Bulletin CTX267027, fixed builds of Citrix ADC and Citrix Gateway will be released on a rolling schedule starting January 20, 2020, with the last affected versions expected to receive a permanent patch by January 31. Until a fixed build is available for a given version, Citrix's published mitigation is the only protection. As of January 12, over 25,000 servers remain exposed and unpatched. Ingalls encourages clients and partners to apply Citrix's published mitigation steps now to reduce the risk of exploitation, and to verify the mitigation with CISA's test utility.
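While waiting for a fixed build, a defender will also want to know whether anyone has already probed the gateway. The following is an added example, not code from the original post, from Citrix, or from CISA's checker: it scans web access logs for request targets that use directory traversal to escape the directory they start in, which is the pattern behind CVE-2019-19781. The log lines are constructed sample data in combined log format; the `/vpn/../vpns/cfg/smb.conf` probe path is the one public checkers for this CVE request, and the encoded variants are assumed evasions worth catching rather than anything the post describes.

```python
import posixpath
import re
from urllib.parse import unquote

# Apache/NGINX "combined"-style access log line (assumed log format).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines, not real traffic. Line 2 is the probe path that
# public CVE-2019-19781 checkers request; line 3 percent-encodes the dot-dot
# segment; line 4 double-encodes the slash after it (assumed evasion attempts).
SAMPLE_LOG = """\
203.0.113.7 - - [11/Jan/2020:03:14:22 +0000] "GET /vpn/index.html HTTP/1.1" 200 4512
203.0.113.7 - - [11/Jan/2020:03:14:23 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 83
198.51.100.9 - - [11/Jan/2020:03:20:01 +0000] "GET /vpn/%2e%2e/vpns/cfg/smb.conf HTTP/1.1" 403 0
198.51.100.9 - - [11/Jan/2020:03:20:02 +0000] "GET /vpn/..%252fvpns/ HTTP/1.1" 404 0
192.0.2.44 - - [11/Jan/2020:03:31:09 +0000] "GET /logon/LogonPoint/index.html?x=1 HTTP/1.1" 200 9901
"""


def decode_target(target: str, max_rounds: int = 3) -> str:
    """Strip the query string, undo repeated percent-encoding, unify separators."""
    path = target.split("?", 1)[0]
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def traversal_reason(target: str):
    """Return why a request target looks like directory traversal, or None."""
    path = decode_target(target)
    segments = [s for s in path.split("/") if s]
    if ".." not in segments:
        return None
    resolved = posixpath.normpath(path)
    # A request that starts under one top-level directory but resolves under
    # another has escaped the tree the front end intended to serve.
    top_raw = segments[0]
    top_resolved = resolved.strip("/").split("/")[0]
    if top_raw != top_resolved:
        return f"escapes /{top_raw}/ -> {resolved}"
    return f"dot-dot segment -> {resolved}"


def scan_log(text: str) -> list:
    """Return one record per log line whose request target is a traversal attempt."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = traversal_reason(m["target"])
        if reason:
            hits.append({"src": m["src"], "target": m["target"],
                         "status": int(m["status"]), "reason": reason})
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f'{h["src"]:<14} {h["status"]} {h["target"]}  [{h["reason"]}]')
```

The decisive signal is a traversal request that the appliance answered with a 200, as in the second sample line: a 403 or 404 means the request was blocked or missed, while a 200 on a path that resolves outside the intended tree means the traversal worked and the host should be treated as possibly compromised, not merely vulnerable. The scanner decodes repeatedly because a single `unquote` leaves `%252f` as `%2f` and would miss the double-encoded variant.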