What a start to the new year 2020, or Christmas for that matter, when the vulnerability CVE-2019-19781 was discovered, opening a backdoor into the NetScaler/ADC. At first, Citrix released a workaround to apply a responder policy to block any hacking attempt, and then a patch was released on the 19th January for ADC versions 11.0 and 12.0; later, on the 23rd, they released patches for 12.1 and 13.x. At our firm, using NMAS or ADC, we were able to run the responder policy and run firmware upgrades in just a couple of hours globally.

Detection: You will need to run the following check against each appliance:

Perform a GET request to: https://{host}/vpn/../vpns/

If you get a 200 OK, this is bad and you are exposed.

Check the response for “You don’t have permission to access /vpns/” or a 403: either one indicates the mitigation is in place.

To detect a compromise on SSL VPN configurations, review Citrix web request logs for:

  • HTTP log messages starting with “/vpn/../” containing directory traversal attacks such as “/vpn/../vpns/portal/scripts/newbm.pl” or “/vpn/../vpns/cfg/smb.conf”
  • A direct request logged to “/vpns/” without an XML file specified
  • A POST followed by a GET to an XML file
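As an added example (not from the original post or from Citrix), the three log indicators above as a small detection script run over constructed Apache-style access-log lines; the log format, IP addresses and file names in the sample are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Apache combined style) for demonstration only.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Jan/2020:10:01:02 +0000] "GET /vpn/index.html HTTP/1.1" 200 512
203.0.113.9 - - [11/Jan/2020:10:02:10 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 1033
203.0.113.9 - - [11/Jan/2020:10:02:15 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 77
203.0.113.9 - - [11/Jan/2020:10:02:20 +0000] "GET /vpn/../vpns/portal/abc123.xml HTTP/1.1" 200 4096
203.0.113.7 - - [11/Jan/2020:10:03:00 +0000] "GET /vpn/%2e%2e/vpns/cfg/smb.conf HTTP/1.1" 403 0
198.51.100.2 - - [11/Jan/2020:10:04:00 +0000] "GET /vpns/portal/scripts/ HTTP/1.1" 200 300
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["path"] = unquote(rec["path"])  # decode %2e%2e so encoded traversal is caught too
    return rec

def scan(log_text):
    """Return (ip, rule, path, status) findings; status 403 means the responder policy blocked it."""
    findings = []
    pending_post = {}  # ip -> True after a POST to newbm.pl, cleared by the next GET of an XML file
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ip, method, path, status = rec["ip"], rec["method"], rec["path"], rec["status"]
        if path.startswith("/vpn/../"):
            findings.append((ip, "traversal", path, status))
        elif path.startswith("/vpns/") and not path.endswith(".xml"):
            findings.append((ip, "direct-vpns", path, status))
        if method == "POST" and path.endswith("/vpns/portal/scripts/newbm.pl"):
            pending_post[ip] = True
        elif method == "GET" and path.endswith(".xml") and pending_post.pop(ip, False):
            findings.append((ip, "post-then-get-xml", path, status))
    return findings

if __name__ == "__main__":
    for ip, rule, path, status in scan(SAMPLE_LOG):
        print(f"{ip:15} {rule:18} {status} {path}")
```

A 200 on a traversal or post-then-get-xml finding is the case to treat as a possible compromise; a 403 shows the request was blocked.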

The Responder policy (run these three commands from the ADC CLI):

add responder action respondwith403 respondwith "\"HTTP/1.1 403 Forbidden\r\n\r\n\""

add responder policy ctx267027 "HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\"/vpns/\") && (!CLIENT.SSLVPN.IS_SSLVPN || HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\"/../\"))" respondwith403

bind responder global ctx267027 1 END -type REQ_OVERRIDE

Firmware Patch:

In order to fix the issue, you will need to apply the following firmware updates:

Version    Refresh Build    Release Date
10.5       10.5.70.12       24th January 2020
11.1       11.1.63.15       19th January 2020
12.0       12.0.63.13       19th January 2020
12.1       12.1.55.18       23rd January 2020
13.0       13.0.47.24       23rd January 2020

Testing:

Citrix released a verification tool which you can use to test your environment: https://support.citrix.com/article/CTX269180

Other vendors offer the service for a fee.

More information:

https://support.citrix.com/article/CTX267027