Critical Citrix ADC Remote Code Execution Threat Intel Advisory

CloudSEK Threat Intelligence Advisory on Citrix ADC RCE vulnerability tracked as CVE-2019-19781, rated as critical with a CVSS score of 9.8
Updated on
April 19, 2023
Published on
September 30, 2020
Subscribe to the latest industry news, threats and resources.
Citrix ADC (formerly known as NetScaler ADC) family of gateways use NetScaler Packet Processing Engine (NSPPE) to deliver incoming HTTPS requests to concerned services (like HTTP server) running in a network. Services running on Citrix ADC/ NetScaler configuration have vulnerable Perl script handlers that can be exploited using Perl Template Toolkit to obtain RCE. This Template Toolkit is a subsystem for Perl. It is quite similar to other templating libraries in other languages. This allows for inline code to be embedded in documents to make runtime-generated content easier to manage. NetScaler Packet Processing Engine (NSPPE) contains a bug in the process of parsing file paths in the requests, enabling the attacker to access any file the target service has rights to access to. It further grants access to the vulnerable Perl script handler. This then allows the attacker to craft malicious requests to trigger RCE. The complete exploit chain requires two HTTPS requests to achieve command execution. The first request establishes the crafted template, and the second invokes the command when the template is processed.[/vc_wp_text][vc_wp_text]

Impact Analysis 

  • RCE enables the attacker to gain complete control of the target server.
  • Compromised system can be used to further the attack deep into the internal network.
  • Ransomware gangs heavily rely on CVE-2019-19781 to compromise organizations
  • APT groups use CVE-2019-19781 in their exploit kits
  • SMBs (Small Medium Businesses) fall prey to data breaches and ransomware attacks caused by fragile cyber security measures.
  • Ransomware gangs targeting businesses make use of VPN exploits to gain a foothold in the network.
  • A breach or an attack will trim the operations of a company due to the containment process done as a part of incident response measures.
  • Companies cannot simply afford a data loss, since everything is tied to data nowadays.
  • Loss of reputation and goodwill are the aftermath of a cyber attack
  • Offensive cyber operations now have the ability to influence the value of stocks, shares or equities of a company.


Installing the patch released by the vendor addresses the flaw:

Get Global Threat Intelligence on Real Time

Protect your business from cyber threats with real-time global threat intelligence data.. 30-day free and No Commitment Trial.
Schedule a Demo
Real time Threat Intelligence Data
More information and context about Underground Chatter
On-Demand Research Services
Dashboard mockup
Global Threat Intelligence Feed

Protect and proceed with Actionable Intelligence

The Global Cyber Threat Intelligence Feed is an innovative platform that gathers information from various sources to help businesses and organizations stay ahead of potential cyber-attacks. This feed provides real-time updates on cyber threats, including malware, phishing scams, and other forms of cybercrime.
Trusted by 400+ Top organisations