CVE-2019-19781 Explained: Citrix ADC and Gateway Path Traversal RCE
A CVSS 9.8 pre-authentication path traversal in Citrix ADC and Gateway, dubbed 'Shitrix', that enabled unauthenticated RCE on tens of thousands of enterprise VPN gateways before patches were available.

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
CVE-2019-19781 is a pre-authentication path traversal vulnerability in Citrix Application Delivery Controller (ADC) and Citrix Gateway, the network perimeter devices that serve as VPN gateways and application proxies for thousands of enterprise and government organizations. Disclosed December 17, 2019, with a CVSS score of 9.8, it was immediately nicknamed "Shitrix" in the security community. Citrix did not release patches until January–February 2020, leaving a weeks-long window during which any internet-reachable Citrix device was exploitable with a single crafted HTTP request.
Exploitation began in January 2020. CISA issued an emergency directive ordering all US federal agencies to disconnect or mitigate vulnerable Citrix devices within five days. Nation-state actors attributed to Iran, China, and Russia were confirmed using CVE-2019-19781 for initial access to government and enterprise targets. Ransomware operators used it to plant persistence ahead of deployment campaigns.
How CVE-2019-19781 Works: Path Traversal to OS Command Execution
The Citrix ADC and Gateway web portal routes HTTP requests to internal scripts and resources. Certain URL paths intended for internal use fail to enforce authentication before processing. By injecting path traversal sequences into the URL, an unauthenticated attacker can reach Perl scripts outside the web root that are accessible to the management portal.
The exploit runs in two stages. First, the attacker sends a POST request to a traversal path that writes a Perl or shell payload to a temporary location on the appliance filesystem. Second, a GET request to a separate vulnerable path triggers execution of the dropped payload. The payload runs as the NetScaler process user, effectively root. This two-step write-then-execute chain was published as working proof-of-concept code within two weeks of the advisory, before patches existed for most affected versions.
Identify exposed Citrix appliances
Scan for Citrix ADC and Gateway login portals. The portal is distinctive and indexed by Shodan. Approximately 80,000 organizations had internet-exposed Citrix appliances at the time of disclosure.
Write payload via path traversal POST
Send an unauthenticated HTTP POST request with traversal sequences in the URL path, delivering a Perl or shell payload that is written to a world-writable temporary directory on the appliance filesystem.
Trigger payload execution
Send a second crafted HTTP GET request referencing the dropped payload via another vulnerable unauthenticated path, causing the Citrix management process to execute the script with elevated privileges.
Establish persistence
Drop a web shell or reverse shell to maintain access. Extract SSL private keys, VPN credentials, and session data from the appliance filesystem for further exploitation.
Pivot to internal network
Use the compromised VPN gateway as a launchpad for internal reconnaissance. The device has routing access to all internal segments the VPN serves, typically the full corporate internal network.
Who Exploited CVE-2019-19781 and How
CISA confirmed that Iranian nation-state actors (Fox Kitten / Phosphorus) were among the first to exploit CVE-2019-19781 at scale, targeting US government agencies, defense contractors, and critical infrastructure organizations for persistent access. Chinese and Russian APT groups were also confirmed exploiting the vulnerability. Ransomware operators used the initial access to plant persistence, web shells and backdoor accounts, that they later activated for ransomware deployment.
The exploitation window before patches arrived was particularly damaging because automated scanners could extract configuration data, session tokens, and credentials from thousands of devices simultaneously. Credentials harvested during this period remained valid long after devices were patched, enabling continued unauthorized access through the legitimate VPN infrastructure.
“The Cybersecurity and Infrastructure Security Agency (CISA) is aware of active exploitation of CVE-2019-19781 and urges users and administrators to apply the available mitigation immediately.”
CISA Emergency Directive 20-02, January 2020
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Patching and Fully Remediating CVE-2019-19781
Citrix released patches in January–February 2020. If any device ran vulnerable firmware in an internet-accessible state, the remediation has three mandatory components: patch, credential rotation, and compromise investigation.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
The bottom line
CVE-2019-19781 demonstrated the cascading risk of network perimeter devices with unpatched pre-authentication vulnerabilities. Citrix ADC and Gateway are trusted more than most servers, they sit at the edge, handle SSL termination, and have routing access to the entire internal network. A single unauthenticated HTTP request to a vulnerable appliance produced complete device compromise with access to all SSL keys and all connected internal segments.
The multi-week patch gap made the exposure window uniquely damaging. But the longer lesson is that patching a credential-exposing vulnerability without rotating those credentials leaves the breach ongoing. Organizations that upgraded their Citrix firmware but never rotated VPN credentials discovered this when ransomware operators used months-old harvested credentials for initial access, long after the vulnerability was closed.
This analysis is generic — the platform version scores threats like this against your own stack.
Frequently asked questions
What is CVE-2019-19781?
CVE-2019-19781 is a CVSS 9.8 pre-authentication path traversal in Citrix ADC and Citrix Gateway. An unauthenticated attacker sends a crafted URL that traverses outside the web root and executes arbitrary OS commands on the appliance, no credentials or prior session required.
How serious is CVE-2019-19781?
Extremely serious. It allows unauthenticated RCE on a device that controls all remote access to the internal network. Roughly 80,000 organizations ran vulnerable firmware. Nation-state groups and ransomware operators both exploited it at scale before patches were available.
Was CVE-2019-19781 exploited before patches were released?
Yes. Citrix disclosed the vulnerability December 17, 2019 but did not release patches until January–February 2020. Mass exploitation began in early January 2020, giving threat actors a multi-week window with no available fix.
How do I patch CVE-2019-19781?
Upgrade Citrix ADC/Gateway firmware: 13.0 to 13.0-58.32+, 12.1 to 12.1-55.18+, 12.0 to 12.0-63.21+, 11.1 to 11.1-64.14+, 10.5 to 10.5-70.18+. After patching, rotate all VPN credentials and SSL certificates, patching does not invalidate secrets already extracted.
Is CVE-2019-19781 still relevant today?
Any device running pre-patch firmware remains vulnerable. Additionally, credentials and SSL private keys exfiltrated during the exploitation window remain valid unless rotated. Organizations should treat any device that ran vulnerable firmware without confirmed IOC investigation as potentially compromised.
Which threat actors exploited CVE-2019-19781?
NSA/CISA advisory AA20-020A confirmed Iranian state-sponsored actors (Phosphorus/APT33) exploited CVE-2019-19781 to target US defense contractors and government networks. Chinese APT41 and Russian GRU-linked actors also leveraged the vulnerability. Multiple ransomware groups including REvil incorporated Citrix ADC exploitation into their initial access toolkits, making it a shared capability across nation-state and criminal ecosystems.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
