
CVE-2019-19781 Explained: Citrix ADC and Gateway Path Traversal RCE

A CVSS 9.8 pre-authentication path traversal in Citrix ADC and Gateway — dubbed 'Shitrix' — that enabled unauthenticated RCE on tens of thousands of enterprise VPN gateways before patches were available.

CVSS Score: 9.8
Orgs at Risk: 80,000+
Auth Required: None
Confirmed Actors: Nation-State

CVE-2019-19781 is a pre-authentication path traversal vulnerability in Citrix Application Delivery Controller (ADC) and Citrix Gateway — the network perimeter devices that serve as VPN gateways and application proxies for thousands of enterprise and government organizations. Disclosed December 17, 2019, with a CVSS score of 9.8, it was immediately nicknamed "Shitrix" in the security community. Citrix did not release patches until January–February 2020, leaving a weeks-long window during which any internet-reachable Citrix device was exploitable with a single crafted HTTP request.

Exploitation began in January 2020. CISA issued an emergency directive ordering all US federal agencies to disconnect or mitigate vulnerable Citrix devices within five days. Nation-state actors attributed to Iran, China, and Russia were confirmed using CVE-2019-19781 for initial access to government and enterprise targets. Ransomware operators used it to plant persistence ahead of deployment campaigns.

How CVE-2019-19781 Works: Path Traversal to OS Command Execution

The Citrix ADC and Gateway web portal routes HTTP requests to internal scripts and resources. Certain URL paths intended for internal use fail to enforce authentication before processing. By injecting path traversal sequences into the URL, an unauthenticated attacker can reach Perl scripts outside the web root that are accessible to the management portal.

The exploit runs in two stages. First, the attacker sends a POST request to a traversal path that writes a Perl or shell payload to a temporary location on the appliance filesystem. Second, a GET request to a separate vulnerable path triggers execution of the dropped payload. The payload runs as the NetScaler process user — effectively root. This two-step write-then-execute chain was published as working proof-of-concept code within two weeks of the advisory, before patches existed for most affected versions.

1. Identify exposed Citrix appliances

Scan for Citrix ADC and Gateway login portals. The portal is distinctive and indexed by Shodan. Approximately 80,000 organizations had internet-exposed Citrix appliances at the time of disclosure.

2. Write payload via path traversal POST

Send an unauthenticated HTTP POST request with traversal sequences in the URL path, delivering a Perl or shell payload that is written to a world-writable temporary directory on the appliance filesystem.

3. Trigger payload execution

Send a second crafted HTTP GET request referencing the dropped payload via another vulnerable unauthenticated path, causing the Citrix management process to execute the script with elevated privileges.

4. Establish persistence

Drop a web shell or reverse shell to maintain access. Extract SSL private keys, VPN credentials, and session data from the appliance filesystem for further exploitation.

5. Pivot to internal network

Use the compromised VPN gateway as a launchpad for internal reconnaissance. The device has routing access to all internal segments the VPN serves — typically the full corporate internal network.

Who Exploited CVE-2019-19781 and How

CISA confirmed that Iranian nation-state actors (Fox Kitten / Phosphorus) were among the first to exploit CVE-2019-19781 at scale, targeting US government agencies, defense contractors, and critical infrastructure organizations for persistent access. Chinese and Russian APT groups were also confirmed exploiting the vulnerability. Ransomware operators used the initial access to plant persistence — web shells and backdoor accounts — that they later activated for ransomware deployment.

The exploitation window before patches arrived was particularly damaging because automated scanners could extract configuration data, session tokens, and credentials from thousands of devices simultaneously. Credentials harvested during this period remained valid long after devices were patched, enabling continued unauthorized access through the legitimate VPN infrastructure.

"The Cybersecurity and Infrastructure Security Agency (CISA) is aware of active exploitation of CVE-2019-19781 and urges users and administrators to apply the available mitigation immediately."

(CISA Emergency Directive 20-02, January 2020)

Patching and Fully Remediating CVE-2019-19781

Citrix released patches in January–February 2020. If any device ran vulnerable firmware in an internet-accessible state, the remediation has three mandatory components: patch, credential rotation, and compromise investigation.

Upgrade firmware to patched versions

Apply the patch for your version: 13.0 → 13.0-58.32 or later, 12.1 → 12.1-55.18 or later, 12.0 → 12.0-63.21 or later, 11.1 → 11.1-64.14 or later, 10.5 → 10.5-70.18 or later. Verify via the CLI with the show version command.
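As an added example (not Citrix's tooling and not part of the original advisory), a small Python check that compares the first line of `show version` against the fixed builds listed above. The line format is assumed from typical NetScaler CLI output, and the sample lines in the block are constructed.

```python
import re
from typing import Optional, Tuple

# Minimum patched build per firmware branch, as listed in the remediation step above.
PATCHED_BUILDS = {
    "13.0": (58, 32),
    "12.1": (55, 18),
    "12.0": (63, 21),
    "11.1": (64, 14),
    "10.5": (70, 18),
}

# Assumed shape of the first line of `show version` on the appliance CLI,
# e.g. "NetScaler NS13.0: Build 47.24.nc, Date: Sep 26 2019, 16:17:58".
_VERSION_RE = re.compile(r"NS(\d+\.\d+):\s*Build\s+(\d+)\.(\d+)")


def parse_version(show_version_output: str) -> Optional[Tuple[str, Tuple[int, int]]]:
    """Return (branch, (build_major, build_minor)), or None if the line is unparseable."""
    m = _VERSION_RE.search(show_version_output)
    if not m:
        return None
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def assess(show_version_output: str) -> str:
    """Classify a device as 'patched', 'vulnerable' or 'unknown' for CVE-2019-19781."""
    parsed = parse_version(show_version_output)
    if parsed is None:
        return "unknown"
    branch, build = parsed
    minimum = PATCHED_BUILDS.get(branch)
    if minimum is None:
        # Branch not covered by the fixed-build list: do not assume it is safe.
        return "unknown"
    # Tuple comparison orders by build major first, then build minor.
    return "patched" if build >= minimum else "vulnerable"


if __name__ == "__main__":
    # Constructed sample lines, not output captured from a real appliance.
    for line in (
        "NetScaler NS13.0: Build 47.24.nc, Date: Sep 26 2019, 16:17:58",
        "NetScaler NS13.0: Build 58.32.nc, Date: Jan 23 2020, 10:01:12",
        "NetScaler NS12.1: Build 55.13.nc, Date: Nov 04 2019, 08:40:55",
        "NetScaler NS9.3: Build 70.18.nc",
    ):
        print(f"{assess(line):10s} {line}")
```

Treat "unknown" as a finding to investigate by hand, not as a pass.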

Rotate all VPN credentials and SSL certificates

Patching prevents future exploitation but does not invalidate credentials and keys already extracted. Require all VPN users to change passwords. Revoke and reissue all SSL certificates on the appliance. This step is non-negotiable.

Restrict management interface access

The Citrix management NSIP should never be internet-accessible. Apply firewall rules restricting management access to a dedicated management VLAN with IP allowlisting. This eliminates remote exploitation regardless of firmware vulnerability state.

Search for indicators of compromise

Check /var/log/ns.log for unusual script engine invocations. Search /netscaler/ns_gui/vpns/ and /var/tmp/ for unexpected Perl or shell scripts. Run Citrix's published IOC scanner against the appliance filesystem.
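An added example of the two searches above in Python; it is not Citrix's published IOC scanner. It flags Perl or shell scripts modified on or after the disclosure date under the two directories named, and flags request log lines that contain a path traversal sequence after URL decoding. The mtime cutoff is an assumption that a clean appliance's scripts predate disclosure, and the log lines are constructed in a generic request-log shape rather than real ns.log output.

```python
import os
from datetime import datetime, timezone
from typing import Iterable, List
from urllib.parse import unquote

SCRIPT_SUFFIXES = (".pl", ".sh")
SCAN_DIRS = ("/netscaler/ns_gui/vpns/", "/var/tmp/")
# Assumption: scripts on a clean appliance predate the public disclosure,
# so anything written on or after this date deserves manual review.
DISCLOSURE_TS = datetime(2019, 12, 17, tzinfo=timezone.utc).timestamp()


def is_suspect_script(path: str, mtime: float, since: float = DISCLOSURE_TS) -> bool:
    """A Perl/shell file modified on or after the cutoff is a candidate dropped payload."""
    return path.endswith(SCRIPT_SUFFIXES) and mtime >= since


def find_suspect_scripts(roots: Iterable[str] = SCAN_DIRS, since: float = DISCLOSURE_TS) -> List[str]:
    """Walk the given directories and return candidate scripts, sorted for stable diffs."""
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):  # yields nothing if root is absent
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    mtime = os.stat(path).st_mtime
                except OSError:
                    continue  # unreadable or vanished file: skip rather than abort the sweep
                if is_suspect_script(path, mtime, since):
                    hits.append(path)
    return sorted(hits)


def has_traversal(request_line: str) -> bool:
    """True if the line, URL-decoded twice, contains '/../' (covers single and double encoding)."""
    return "/../" in unquote(unquote(request_line))


def find_traversal_requests(log_lines: Iterable[str]) -> List[str]:
    return [line.rstrip("\n") for line in log_lines if has_traversal(line)]


# Constructed sample lines, not real appliance log output.
SAMPLE_LOG_LINES = [
    "Jan 10 2020 09:14:02 GET /portal/index.html 200",
    "Jan 11 2020 03:22:41 POST /portal/..%2F..%2Fvar%2Ftmp%2Fx.pl 200",
    "Jan 11 2020 03:22:45 GET /portal/%252e%252e/x.pl 200",
    "Jan 11 2020 03:30:10 GET /portal/logo.png 200",
]

if __name__ == "__main__":
    for path in find_suspect_scripts():
        print("suspect script:", path)
    for line in find_traversal_requests(SAMPLE_LOG_LINES):
        print("traversal request:", line)
```

Anything the script returns still needs comparison against a known-clean appliance of the same build before it is called benign.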

Apply Citrix interim responder policy if patching is delayed

Citrix published a responder policy configuration that blocks path traversal patterns at the URL routing layer. Apply it via the CLI as a bridge measure only — it is not a substitute for firmware upgrade.

The bottom line

CVE-2019-19781 demonstrated the cascading risk of network perimeter devices with unpatched pre-authentication vulnerabilities. Citrix ADC and Gateway are trusted more than most servers — they sit at the edge, handle SSL termination, and have routing access to the entire internal network. A single unauthenticated HTTP request to a vulnerable appliance produced complete device compromise with access to all SSL keys and all connected internal segments.

The multi-week patch gap made the exposure window uniquely damaging. But the longer lesson is that patching a credential-exposing vulnerability without rotating those credentials leaves the breach ongoing. Organizations that upgraded their Citrix firmware but never rotated VPN credentials discovered this when ransomware operators used months-old harvested credentials for initial access — long after the vulnerability was closed.

Frequently asked questions

What is CVE-2019-19781?

CVE-2019-19781 is a CVSS 9.8 pre-authentication path traversal in Citrix ADC and Citrix Gateway. An unauthenticated attacker sends a crafted URL that traverses outside the web root and executes arbitrary OS commands on the appliance — no credentials or prior session required.

How serious is CVE-2019-19781?

Extremely serious. It allows unauthenticated RCE on a device that controls all remote access to the internal network. Roughly 80,000 organizations ran vulnerable firmware. Nation-state groups and ransomware operators both exploited it at scale before patches were available.

Was CVE-2019-19781 exploited before patches were released?

Yes. Citrix disclosed the vulnerability December 17, 2019 but did not release patches until January–February 2020. Mass exploitation began in early January 2020 — giving threat actors a multi-week window with no available fix.

How do I patch CVE-2019-19781?

Upgrade Citrix ADC/Gateway firmware: 13.0 to 13.0-58.32+, 12.1 to 12.1-55.18+, 12.0 to 12.0-63.21+, 11.1 to 11.1-64.14+, 10.5 to 10.5-70.18+. After patching, rotate all VPN credentials and SSL certificates — patching does not invalidate secrets already extracted.

Is CVE-2019-19781 still relevant today?

Any device running pre-patch firmware remains vulnerable. Additionally, credentials and SSL private keys exfiltrated during the exploitation window remain valid unless rotated. Organizations should treat any device that ran vulnerable firmware without confirmed IOC investigation as potentially compromised.

Sources & references

  1. NVD
  2. CISA Emergency Directive 20-02
  3. Citrix Security Bulletin CTX267027

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals weekly.