Jump to content
Welcome to our new Citrix community!

Netscaler CVE2019-19781

Recommended Posts

Hello Community,


I´m not sure, if our Netscaler MPX are effected by the CVE-2019-19781.

We have applied the MitigiationSteps with the Responderpolicy and immediately updated our Netscaler MPX to the newest Firmware.

We use a customized portaltheme.


'When I checked our MPX, with the IoC Tool from Fire-Eye, I got a disturbing result.


The Tool found some evidence of potencial compromise.

For example:


 -  MATCH: blacklisted content '/tmp/bsd'

 -  MATCH: blacklisted content '/vpn/themes/imgs/tiny.php'

 -  MATCH: blacklisted content '/vpn/themes/imgs/conn.php'

 - MATCH: incorrect file permissions

 - MATCH: blacklisted content 'pwnpzi1337'


Should I be concerned about the results.

Are the finds so serious that the MPX will be reinstalled?


Is it possible to reinstall the Citrix Netscaler MPX with a ISO and recover the last backuped config?


Thanks in advance for our support.


Link to comment
Share on other sites

Thank you for the answer.


in the directory "/var/vpn/bookmark" I found some suspicious XML-Files with non valid usernames.



After the activation of the responder policy, as recommended by Citrix in CTX267679, no further XML files are available.


I am not sure whether the presence of the XML files is a clear indication that the gateway has been compromised. During the further check, no abnormalities were found in the web server log, in the cron jobs or in the user accounts.




Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...