<img alt="" src="https://secure.hiss3lark.com/173130.png" style="display:none;">



Read or download all Datashield news, reviews, content, and more.


All Posts

Citrix Vulnerability Mitigation (CVE-2019-19781)


This post is an informational announcement detailing the Citrix NetScaler Vulnerability and what Datashield is doing to help our customers detect and mitigate the issue.

Since the announcement of the vulnerability in Citrix devices (CVE-2019-19781) Datashield has performed extensive analysis and research on exploit attempts, attack patterns, and the latest intelligence. Citrix released security bulletin CTX267027 containing information on a vulnerability in various Citrix Products. This allows an unauthenticated attack that allows remote code execution.


It is currently difficult to determine the exact origin of an attack against Citrix devices using the CVE-2019-19781 vulnerability.  Attacks are encrypted and are therefore difficult to detect without packet capture with decryption solutions, making traditional web attack detection methods less useful and reliable.  The best method for detection of this type of attack is to monitor for unexpected connections from Citrix devices to out-of-country IPs.  For those with global operations, whitelisting certain IPs or IP ranges may be necessary.  

C2 traffic typically consists of payload retrieval that contains a shell, script, or other backdoor.  This is often observed in plaintext and is the most readily identifiable indication of an attack.



No official patch is currently available, although Citrix mitigations are available for the following Citrix ADC, Citrix Gateway, NetScaler Gateway, and Citrix NetScaler ADC devices:

  • Citrix ADC and Citrix Gateway version 13.0 all supported builds
  • Citrix ADC and NetScaler Gateway version 12.1 all supported builds
  • Citrix ADC and NetScaler Gateway version 12.0 all supported builds
  • Citrix ADC and NetScaler Gateway version 11.1 all supported builds
  • Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds

Some suggestions for mitigation and containment include:

Block inbound and outbound traffic to









































  • Implement Citrix’s recommendations that were provided in the communication DATASHIELD sent out Wednesday January 15th.  For your reference, the recommended Citrix mitigations are here: https://support.citrix.com/article/CTX267679
  • Pull bash history log. The path of the log should be /usr/bin/bash/bash.log.
  • Review cron jobs on the Citrix NetScalers, disable/remove suspicious cron jobs.
  • Change passwords for all users on the device(s).
  • Pull a list of running processes and terminate any confirmed suspicious/malicious processes (specifically running under the user nobody).
  • Review any files that have a file modification date on or after January 10, 2020.  While a file modification date can be manipulated to make forensic analysis harder, it’s recommended to pull and review any of these files.
  • Pull the Apache access logs
  • Review suspicious files within the directories of /netscaler/portal/templates and /var/tmp/netscaler/portal/templates.  If you identify any suspicious files and delete the file(s)/remove the malicious code.
  • Review the Apache error and notice logs for any suspicious activity
  • The Following commands will locate any successful exploit attempts against the device:
       -grep -iE 'POST.*\.pl HTTP/1\.1\" 200 ' /var/log/httpaccess.log -A 1
       -grep -iE 'GET.*\.xml HTTP/1\.1\" 200' /var/log/httpaccess.log -B 1

Post Attack Remediation:

Remediation is expected to take the form of a complete wipe and rebuild of any infected Citrix devices.

Citrix has stated a wipe tool will be available by the end of day on January 16th and will announce when it is available.  Datashield recommends applying the mitigation immediately if devices are not affected by infection.  

If they have been impacted, we recommend standing up isolated, fresh builds of the required devices with the mitigation applied, deploying the fresh builds, and then stand down the infected builds.


Topics from this Article

News, Remote Code Execution, Announcement, Press Release, Application Security, Citrix, CVE

Official Datashield account for blog content, news, announcements and more. The articles authored include a collaboration between internal staff, specifically the security operations and marketing team.

Related Posts

Lumifi Cyber Acquires Datashield to Deliver Next-Generation Managed Detection and Response

Combines AI and Machine Learning-Based Software with MDR Services to Provide Fortune 500-Grade Security to Companies of All Sizes Palm Desert, CA and Scottsdale, AZ — May 3, 2022 — Lumifi Cyber, Inc., a next-generation managed detection and response (MDR) cybersecurity software provider, today announced its acquisition of Datashield, Inc., an end-to-end cybersecurity resilience services provider, to deliver Fortune 500-grade security to companies of all sizes for an affordable monthly price.

Datashield Becomes Member of Microsoft Intelligent Security Association (MISA)

Datashield Becomes Member of Microsoft Intelligent Security Association (MISA)

The Difference Between Cybersecurity & Network Security

The Difference Between Cybersecurity & Network Security