Critical Citrix ADC Remote Code Execution Threat Intel Advisory

October 1, 2020
min read

Citrix ADC (formerly known as NetScaler ADC) family of gateways use NetScaler Packet Processing Engine (NSPPE) to deliver incoming HTTPS requests to concerned services (like HTTP server) running in a network. Services running on Citrix ADC/ NetScaler configuration have vulnerable Perl script handlers that can be exploited using Perl Template Toolkit to obtain RCE. This Template Toolkit is a subsystem for Perl. It is quite similar to other templating libraries in other languages. This allows for inline code to be embedded in documents to make runtime-generated content easier to manage.

NetScaler Packet Processing Engine (NSPPE) contains a bug in the process of parsing file paths in the requests, enabling the attacker to access any file the target service has rights to access to. It further grants access to the vulnerable Perl script handler. This then allows the attacker to craft malicious requests to trigger RCE.

The complete exploit chain requires two HTTPS requests to achieve command execution. The first request establishes the crafted template, and the second invokes the command when the template is processed.[/vc_wp_text][vc_wp_text]

Impact Analysis 


  • RCE enables the attacker to gain complete control of the target server.
  • Compromised system can be used to further the attack deep into the internal network.
  • Ransomware gangs heavily rely on CVE-2019-19781 to compromise organizations
  • APT groups use CVE-2019-19781 in their exploit kits
  • SMBs (Small Medium Businesses) fall prey to data breaches and ransomware attacks caused by fragile cyber security measures.
  • Ransomware gangs targeting businesses make use of VPN exploits to gain a foothold in the network.
  • A breach or an attack will trim the operations of a company due to the containment process done as a part of incident response measures.
  • Companies cannot simply afford a data loss, since everything is tied to data nowadays.
  • Loss of reputation and goodwill are the aftermath of a cyber attack
  • Offensive cyber operations now have the ability to influence the value of stocks, shares or equities of a company.


Installing the patch released by the vendor addresses the flaw:

No items found.