A Core Impact module was released on January 14, 2020 to exploit an as-yet unpatched patch traversal flaw in Citrix Application Delivery Controller (ADC) and Gateway (formerly known as NetScaler ADC & NetScaler Gateway) identified as CVE-2019-19781.
This critical vulnerability is a path traversal bug that can be exploited over the internet by an attacker. It can be exploited to remotely execute code, enabling control over devices and access to internal enterprise networks. An attacker would not have to provide authentication credentials for the device when launching an attack. Instead, a threat actor could send a boobytrapped request to the vulnerable Citrix appliance, along with the exploit code they want to execute.
It is estimated that currently, more than 80,000 Citrix implementations are vulnerable. Citrix has now published configuration changes to help users mitigate organizations from being vulnerable to these attacks. The company stated they expect fixes for versions 10.5x through 13.0x to be rolled out between January 20-31, 2020.
For a full list of exploits available within Core Impact, visit https://www.coresecurity.com/products/core-impact/recent-exploits-and-updates.