An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HCitrix Application Delivery Controller
HWCitrixwszystkie wersjeCitrix Application Delivery Controller Firmware
OSCitrix10.511.112.012.113.0Citrix Gateway
HWCitrixwszystkie wersjeCitrix Gateway Firmware
OSCitrix13.0Citrix Netscaler Gateway
HWCitrixwszystkie wersjeCitrix Netscaler Gateway Firmware
OSCitrix10.511.112.012.1
CISA KEV — detailsi
- Vendori
- Citrix ↗
- Producti
- Application Delivery Controller (ADC), Gateway, and SD-WAN WANOP Appliance
- Added to KEVi
- November 3, 2021
- Remediation deadline (US Federal)i
- May 3, 2022(overdue)
- Ransomwarei
- Active ransomware campaigns exploit this vulnerability
Required action (CISA)i
Apply updates per vendor instructions.
CISA descriptioni
Citrix ADC, Citrix Gateway, and multiple Citrix SD-WAN WANOP appliance models contain an unspecified vulnerability that could allow an unauthenticated attacker to perform code execution.
🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
☠️WYKORZYSTYWANE W RANSOMWARE⏰CISA DEADLINE: 3 maja 2022
Tags
Path Traversal
References
Related vulnerabilities
CVE-2026-3055CRITICAL9.3⚠ KEVPL ✓ten sam produkt
Citrix NetScaler ADC/Gateway — memory overread przez SAML IDP
CVE-2025-7775CRITICAL9.2⚠ KEVPL ✓ten sam produkt
Przepełnienie pamięci w Citrix NetScaler ADC i Gateway — RCE/DoS
CVE-2025-6543CRITICAL9.2⚠ KEVPL ✓ten sam produkt
Przepełnienie pamięci w Citrix NetScaler ADC i Gateway – RCE/DoS przez VPN
CVE-2025-5777CRITICAL9.3⚠ KEVPL ✓ten sam produkt
CitrixBleed 2 — memory overread w Citrix NetScaler ADC i Gateway
CVE-2023-4966CRITICAL9.4⚠ KEVten sam produkt
Sensitive information disclosure in NetScaler ADC and NetScaler Gateway when configured as a Gateway (VPN virt...