CVE-2019-19781

CRITICAL KEV RANSOMWARE NUCLEI

Citrix ADC (NetScaler) Directory Traversal Scanner

Title source: metasploit

Exploitation Summary

CVE-2019-19781 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 3, 2021, with confirmed use in ransomware campaigns. EIP tracks 51 public exploits from researchers including Dhiraj Mishra, mekhalleh, and Project Zero India, among them the Metasploit module auxiliary/scanner/http/citrix_dir_traversal. A Nuclei detection template is also available.

AI-analyzed exploit summary: This NSE script checks for CVE-2019-19781, a path traversal vulnerability in Citrix ADC and Gateway. It sends an HTTP request to a specific path and checks the response for indicators of vulnerability.

Description

An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal.

Exploits (51)

exploitdb SCANNER
by Dhiraj Mishra · text · webapps · multiple
https://www.exploit-db.com/exploits/47930

This NSE script checks for CVE-2019-19781, a path traversal vulnerability in Citrix ADC and Gateway. It sends an HTTP request to a specific path and checks the response for indicators of vulnerability.

Classification
Scanner 90%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0
No auth needed
Prerequisites: Network access to the target server
devstral-2 · analyzed Feb 16, 2026
exploitdb WORKING POC
by mekhalleh · ruby · webapps · multiple
https://www.exploit-db.com/exploits/47913

This Metasploit module exploits a directory traversal vulnerability in Citrix ADC and Gateway to achieve remote code execution via template injection. It sends a crafted POST request to create a malicious template file, then triggers its execution via a GET request.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0
No auth needed
Prerequisites: Network access to the target's management interface (typically port 443)
devstral-2 · analyzed Feb 16, 2026
exploitdb WORKING POC
by Project Zero India · bash · webapps · multiple
https://www.exploit-db.com/exploits/47901

This script exploits CVE-2019-19781, a directory traversal vulnerability in Citrix ADC and Gateway, to achieve remote code execution by injecting a command into a template file and retrieving the output.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Citrix Application Delivery Controller and Citrix Gateway (versions affected by CVE-2019-19781)
No auth needed
Prerequisites: vulnerable Citrix ADC or Gateway instance · network access to the target
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 576 stars
by trustedsec · remote
https://github.com/trustedsec/cve-2019-19781

This repository contains a functional exploit (citrixmash.py) for CVE-2019-19781, a directory traversal vulnerability in Citrix ADC (NetScaler) leading to unauthenticated remote code execution. It also includes a scanner (cve-2019-19781_scanner.py) to detect vulnerable systems.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Citrix ADC (NetScaler) versions affected by CVE-2019-19781
No auth needed
Prerequisites: Network access to the target Citrix ADC/NetScaler · A listener (e.g., netcat) to catch the reverse shell
devstral-2 · analyzed Feb 19, 2026
nomisec WORKING POC 370 stars
by projectzeroindia · remote
https://github.com/projectzeroindia/CVE-2019-19781

This repository contains a functional bash script that exploits CVE-2019-19781, a remote code execution vulnerability in Citrix Application Delivery Controller and Citrix Gateway. The exploit leverages directory traversal and template injection to execute arbitrary commands on vulnerable systems.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Citrix Application Delivery Controller, Citrix Gateway
No auth needed
Prerequisites: Vulnerable Citrix ADC or Gateway instance · Network access to the target
devstral-2 · analyzed Feb 19, 2026
nomisec WORKING POC 159 stars
by mpgn · remote
https://github.com/mpgn/CVE-2019-19781

The repository contains a functional Python exploit for CVE-2019-19781, which allows unauthenticated remote code execution on Citrix ADC and Gateway devices. The exploit leverages directory traversal and template injection to execute arbitrary commands.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Citrix Application Delivery Controller (ADC) and Citrix Gateway (versions 13.0, 12.1, 12.0, 11.1, 10.5)
No auth needed
Prerequisites: Network access to the target Citrix ADC/Gateway device
devstral-2 · analyzed Feb 19, 2026
nomisec SCANNER 118 stars
by MalwareTech · poc
https://github.com/MalwareTech/CitrixHoneypot

This repository contains a honeypot designed to detect and log scan and exploitation attempts for CVE-2019-19781, a directory traversal vulnerability in Citrix ADC. It emulates a vulnerable server to capture and analyze malicious requests.

Classification
Scanner 95%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: Citrix ADC (NetScaler ADC and Gateway)
No auth needed
Prerequisites: Python 3 · OpenSSL for SSL certificate generation
devstral-2 · analyzed Feb 19, 2026
nomisec SCANNER 109 stars
by cisagov · infoleak
https://github.com/cisagov/check-cve-2019-19781

This repository contains a Python-based scanner tool developed by CISA to detect the presence of CVE-2019-19781, a vulnerability in Citrix ADC and Gateway. The tool checks for indicators of the vulnerability but does not include exploit code.

Classification
Scanner 95%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: Citrix ADC and Gateway (versions affected by CVE-2019-19781)
No auth needed
Prerequisites: Network access to the target Citrix ADC/Gateway
devstral-2 · analyzed Feb 19, 2026
nomisec SCANNER 94 stars
by mandiant · poc
https://github.com/mandiant/ioc-scanner-CVE-2019-19781

This repository contains a forensic scanner developed by FireEye Mandiant and Citrix to detect indicators of compromise (IoCs) related to CVE-2019-19781. It analyzes logs, file system paths, shell history, and other artifacts for signs of exploitation but does not include exploit code.

Classification
Scanner 100%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: Citrix ADC, Gateway, and SD-WAN WANOP (versions 10.5, 11.1, 12.0, 12.1, 13.0)
No auth needed
Prerequisites: Access to the target system (live or forensic image) · Bash environment
devstral-2 · analyzed Feb 19, 2026
nomisec WORKING POC 84 stars
by jas502n · remote
https://github.com/jas502n/CVE-2019-19781

This repository contains a functional Python exploit for CVE-2019-19781, a remote code execution vulnerability in Citrix Application Delivery Controller and Citrix Gateway. The exploit leverages a directory traversal and XML external entity injection to execute arbitrary commands on the target system.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Citrix Application Delivery Controller, Citrix Gateway
No auth needed
Prerequisites: Network access to the target system · Target system running vulnerable Citrix ADC or Gateway software
devstral-2 · analyzed Feb 19, 2026
nomisec SCANNER 58 stars
by citrix · poc
https://github.com/citrix/ioc-scanner-CVE-2019-19781

This repository contains a forensic scanner developed by FireEye Mandiant and Citrix to detect indicators of compromise (IoCs) related to CVE-2019-19781 on Citrix ADC/Gateway appliances. It includes scripts to analyze logs, file system paths, shell history, crontab entries, and other artifacts for signs of exploitation.

Classification
Scanner 100%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: Citrix ADC, Gateway, and SD-WAN WANOP (versions 10.5, 11.1, 12.0, 12.1, 13.0)
No auth needed
Prerequisites: Access to the Citrix appliance (live or forensic image) · Bash environment
devstral-2 · analyzed Feb 19, 2026
nomisec SCANNER 11 stars
by aqhmal · infoleak
https://github.com/aqhmal/CVE-2019-19781

This repository contains a Python script that scans for Citrix ADC systems vulnerable to CVE-2019-19781 by querying Shodan API and checking for the presence of a specific file path. It does not exploit the vulnerability but detects potential targets.

Classification
Scanner 95%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: Citrix ADC (formerly NetScaler ADC)
No auth needed
Prerequisites: Shodan API key · Internet access
devstral-2 · analyzed Feb 19, 2026
nomisec WORKING POC 10 stars
by w4fz5uck5 · remote
https://github.com/w4fz5uck5/CVE-2019-19781-CitrixRCE

This repository contains a functional Python exploit for CVE-2019-19781, a directory traversal and template injection vulnerability in Citrix ADC/Netscaler. The exploit sends crafted HTTP requests to achieve unauthenticated remote code execution by leveraging template injection in the VPN portal.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Citrix ADC/Netscaler (versions affected by CVE-2019-19781)
No auth needed
Prerequisites: Network access to the target Citrix ADC/Netscaler · Vulnerable version of Citrix ADC/Netscaler
devstral-2 · analyzed Feb 19, 2026
nomisec WORKING POC 7 stars
by VladRico · remote
https://github.com/VladRico/CVE-2019-19781

This repository contains a functional exploit for CVE-2019-19781, a directory traversal vulnerability in Citrix ADC Netscaler that allows remote code execution. The exploit crafts malicious HTTP requests to execute arbitrary commands on the target system.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Citrix ADC Netscaler (versions affected by CVE-2019-19781)
No auth needed
Prerequisites: Target must be vulnerable to CVE-2019-19781 · Network access to the target system
devstral-2 · analyzed Feb 19, 2026
nomisec WORKING POC 7 stars
by ianxtianxt · remote
https://github.com/ianxtianxt/CVE-2019-19781

This repository contains a functional exploit script for CVE-2019-19781, a remote code execution vulnerability in Citrix Application Delivery Controller and Citrix Gateway. The script crafts a malicious HTTP request to execute arbitrary commands on the target system by exploiting a directory traversal and template injection flaw.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Citrix Application Delivery Controller, Citrix Gateway
No auth needed
Prerequisites: Target system must be vulnerable to CVE-2019-19781 · Network access to the target system
devstral-2 · analyzed Feb 19, 2026
nomisec SCANNER 4 stars
by onSec-fr · poc
https://github.com/onSec-fr/CVE-2019-19781-Forensic

This repository provides a forensic script to detect traces of successful CVE-2019-19781 exploits on Citrix systems. It scans for XML template files, command execution traces, process listings, crontab entries, and web logs indicative of exploitation.

Classification
Scanner 95%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: Citrix Gateway (NetScaler ADC)
Auth required
Prerequisites: Access to Citrix Gateway with high-privileged account (e.g., nsroot) · Bash environment on the target system
devstral-2 · analyzed Feb 19, 2026
nomisec WORKING POC 4 stars
by unknowndevice64 · poc
https://github.com/unknowndevice64/Exploits_CVE-2019-19781

This repository contains a functional exploit script for CVE-2019-19781, a remote code execution vulnerability in Citrix Application Delivery Controller and Gateway. The script leverages a directory traversal and command injection flaw to execute arbitrary commands on vulnerable systems.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Citrix Application Delivery Controller and Gateway (versions affected by CVE-2019-19781)
No auth needed
Prerequisites: Vulnerable Citrix ADC or Gateway instance · Network access to the target
devstral-2 · analyzed Feb 19, 2026
nomisec SUSPICIOUS 3 stars
by k-fire · poc
https://github.com/k-fire/CVE-2019-19781-exploit

The repository contains minimal content with no actual exploit code, only a link to an external blog post and an image. This is characteristic of a social engineering lure rather than a legitimate PoC.

Classification
Suspicious 90%
Attack Type
Other
Complexity
Theoretical
Reliability
Theoretical
Target: unknown
No auth needed
devstral-2 · analyzed Feb 19, 2026
nomisec SCANNER 3 stars
by j81blog · poc
https://github.com/j81blog/ADC-19781

This repository provides PowerShell modules to detect if a Citrix ADC/NetScaler appliance is vulnerable to CVE-2019-19781 and to check if mitigations are in place. It includes functions for checking exploitation indicators and mitigation status.

Classification
Scanner 90%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: Citrix ADC/NetScaler
Auth required
Prerequisites: Access to Citrix ADC/NetScaler management interface · Valid credentials for authentication
devstral-2 · analyzed Feb 19, 2026
nomisec SCANNER 2 stars
by DanielWep · poc
https://github.com/DanielWep/CVE-NetScalerFileSystemCheck

This repository contains scripts to detect signs of compromise related to CVE-2019-19781 on Citrix NetScaler appliances. It checks for indicators such as malicious XML files, suspicious log entries, and unauthorized processes, but does not exploit the vulnerability.

Classification
Scanner 100%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: Citrix NetScaler (CVE-2019-19781)
Auth required
Prerequisites: Valid credentials for the NetScaler appliance · Access to the target system (SSH or local execution)
devstral-2 · analyzed Feb 19, 2026
nomisec SCANNER 2 stars
by andripwn · infoleak
https://github.com/andripwn/CVE-2019-19781

This repository contains a Python script that scans for Citrix ADC systems vulnerable to CVE-2019-19781 by querying Shodan API and checking for the presence of a specific file path. It does not exploit the vulnerability but detects potentially vulnerable systems.

Classification
Scanner 100%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Citrix ADC (formerly NetScaler ADC)
No auth needed
Prerequisites: Shodan API key · Internet access
devstral-2 · analyzed Feb 19, 2026
nomisec WORKING POC 2 stars
by oways · infoleak
https://github.com/oways/CVE-2019-19781

This repository contains a functional exploit for CVE-2019-19781, a remote command execution vulnerability in Citrix ADC. The PoC leverages directory traversal and template injection to execute arbitrary commands on the target system.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Citrix ADC (NetScaler ADC)
No auth needed
Prerequisites: Network access to the target Citrix ADC · Vulnerable version of Citrix ADC
devstral-2 · analyzed Feb 19, 2026
gitlab SCANNER 1 stars
by bontchev · poc
https://gitlab.com/bontchev/CitrixHoneypot

This repository contains a honeypot designed to detect and log exploitation attempts targeting CVE-2019-19781 in Citrix ADC. It does not include exploit code but simulates a vulnerable environment to capture malicious traffic.

Classification
Scanner 95%
Attack Type
Other
Complexity
Moderate
Reliability
Reliable
Target: Citrix ADC (NetScaler ADC)
No auth needed
Prerequisites: Python 2.7 · Twisted framework · OpenSSL for SSL certificates
devstral-2 · analyzed Feb 23, 2026
nomisec SUSPICIOUS 1 stars
by Vulnmachines · infoleak
https://github.com/Vulnmachines/Ctirix_RCE-CVE-2019-19781

The repository contains no exploit code or technical details, only a video link and social media references. It appears to be a lure for external content rather than a legitimate PoC.

Classification
Suspicious 90%
Attack Type
Other
Complexity
Theoretical
Reliability
Theoretical
Target: Citrix ADC
No auth needed
devstral-2 · analyzed Feb 19, 2026
nomisec SCANNER 1 stars
by nmanzi · infoleak
https://github.com/nmanzi/webcvescanner

This repository contains a scanner for CVE-2019-19781, which checks if Citrix appliances are vulnerable to directory traversal by sending a HEAD request to a specific endpoint. It uses Shodan for discovery and GeoLite2 for geolocation data.

Classification
Scanner 95%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: Citrix ADC (NetScaler ADC) and Citrix Gateway
No auth needed
Prerequisites: Shodan API key · GeoLite2 ASN and City databases
devstral-2 · analyzed Feb 19, 2026
nomisec WORKING POC 1 stars
by r4ulcl · poc
https://github.com/r4ulcl/CVE-2019-19781

This repository contains a functional Python exploit for CVE-2019-19781, a directory traversal and remote code execution vulnerability in Citrix ADC and Gateway. The exploit crafts a malicious Perl template injection payload to execute arbitrary commands on the target system and retrieves the output via a secondary request.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Citrix ADC and Gateway (versions affected by CVE-2019-19781)
No auth needed
Prerequisites: Network access to the vulnerable Citrix ADC/Gateway instance · Python 3 environment with 'requests' library
devstral-2 · analyzed Feb 19, 2026
nomisec SCANNER 1 stars
by redscan · poc
https://github.com/redscan/CVE-2019-19781

This repository contains a forensic triage script designed to detect signs of compromise related to CVE-2019-19781 on Citrix ADC devices. It collects logs, suspicious files, and process information to identify potential exploitation artifacts.

Classification
Scanner 90%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: Citrix ADC (formerly NetScaler ADC)
Auth required
Prerequisites: Access to the affected Citrix ADC device · Sufficient permissions to read system logs and files
devstral-2 · analyzed Feb 19, 2026
nomisec SCANNER
by autocode07 · poc
https://github.com/autocode07/cisagov__check-cve-2019-19781.4142e02b

This repository contains a Python-based scanner for detecting CVE-2019-19781, a vulnerability in Citrix ADC and Gateway. The tool checks for the presence of the vulnerability but does not include exploit code.

Classification
Scanner 95%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: Citrix ADC and Gateway (versions affected by CVE-2019-19781)
No auth needed
Prerequisites: Network access to the target Citrix ADC/Gateway
devstral-2 · analyzed Feb 19, 2026
nomisec WORKING POC
by tpdlshdmlrkfmcla · poc
https://github.com/tpdlshdmlrkfmcla/CVE-2019-19781

This repository contains a functional Python exploit for CVE-2019-19781, a directory traversal vulnerability in Citrix ADC and Gateway that allows remote code execution. The exploit leverages improper path validation in the `/vpns/` endpoint to inject malicious Perl template code via crafted HTTP requests.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Citrix ADC and Gateway (versions prior to fixed releases)
No auth needed
Prerequisites: Network access to vulnerable Citrix ADC/Gateway instance · Target must be unpatched for CVE-2019-19781
devstral-2 · analyzed Feb 19, 2026
nomisec WRITEUP
by zerobytesecure · remote
https://github.com/zerobytesecure/CVE-2019-19781

This repository provides a detailed DFIR (Digital Forensics and Incident Response) guide for CVE-2019-19781, a critical vulnerability in Citrix ADC (NetScaler). It includes forensic techniques, artifact locations, and detection methods for compromised systems, but does not contain exploit code.

Classification
Writeup 100%
Attack Type
Other
Complexity
Moderate
Reliability
Theoretical
Target: Citrix ADC (NetScaler)
No auth needed
Prerequisites: Access to a potentially compromised Citrix ADC system · Forensic tools for disk imaging and log analysis
devstral-2 · analyzed Feb 19, 2026
nomisec WRITEUP
by Azeemering · poc
https://github.com/Azeemering/CVE-2019-19781-DFIR-Notes

This repository provides a detailed forensic analysis and DFIR (Digital Forensics and Incident Response) notes for CVE-2019-19781, a remote pre-auth arbitrary command execution vulnerability in Citrix NetScaler. It includes scripts for log analysis, IOCs (Indicators of Compromise), and Splunk-based detection methods.

Classification
Writeup 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Citrix NetScaler ADC and Gateway (versions 10.5, 11.1, 12.0, 12.1, and 13.0)
No auth needed
Prerequisites: Access to HTTP logs and system files on the affected Citrix NetScaler device · Splunk or similar log analysis tool for ingesting and querying logs
devstral-2 · analyzed Feb 19, 2026
nomisec SCANNER
by pwn3z · infoleak
https://github.com/pwn3z/CVE-2019-19781-Citrix

This script scans for Citrix ADC/Gateway systems vulnerable to CVE-2019-19781 by checking for the presence of the 'lmhosts' string in the smb.conf file via a path traversal request. It does not exploit the vulnerability but identifies potentially vulnerable hosts.

Classification
Scanner 95%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Citrix ADC and Gateway versions 10.5, 11.1, 12.0, 12.1, and 13.0
No auth needed
Prerequisites: List of target hosts in a file named 'hosts'
devstral-2 · analyzed Feb 19, 2026
nomisec WORKING POC
by jamesjguthrie · remote
https://github.com/jamesjguthrie/Shitrix-CVE-2019-19781

This repository contains a functional exploit script for CVE-2019-19781, a remote code execution vulnerability in Citrix ADC and Gateway. The script uses a crafted HTTP request with template injection to execute arbitrary commands on the target system.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Citrix ADC and Gateway (versions 10.5, 11.1, 12.0, 12.1, and 13.0)
No auth needed
Prerequisites: curl >= 7.42.0 · Python for generating random strings and numbers
devstral-2 · analyzed Feb 19, 2026
nomisec WORKING POC
by qiong-qi · remote
https://github.com/qiong-qi/CVE-2019-19781-poc

This repository contains a functional Python exploit for CVE-2019-19781, a directory traversal and remote code execution vulnerability in Citrix ADC and Gateway. The exploit uploads a malicious XML file via a crafted POST request and triggers command execution through template injection.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Citrix ADC and Gateway (versions 10.5, 11.1, 12.0, 12.1, and 13.0)
No auth needed
Prerequisites: Network access to the vulnerable Citrix ADC/Gateway interface
devstral-2 · analyzed Feb 19, 2026
nomisec WORKING POC
by SharpHack · poc
https://github.com/SharpHack/CVE-2019-19781

This repository contains a functional bash script that exploits CVE-2019-19781, a directory traversal vulnerability in Citrix ADC and Gateway, to achieve remote code execution. The exploit crafts a malicious request to execute arbitrary commands on the target system.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Citrix Application Delivery Controller and Citrix Gateway
No auth needed
Prerequisites: Vulnerable Citrix ADC or Gateway instance · Network access to the target
devstral-2 · analyzed Feb 19, 2026
nomisec SCANNER
by yukar1z0e · remote
https://github.com/yukar1z0e/CVE-2019-19781

This repository contains a scanner for CVE-2019-19781, a path traversal vulnerability in Citrix ADC and Gateway. It checks for the presence of the vulnerability by attempting to access a specific file path and verifying the response content.

Classification
Scanner 95%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Citrix ADC and Gateway (versions affected by CVE-2019-19781)
No auth needed
Prerequisites: Network access to the target Citrix ADC or Gateway
devstral-2 · analyzed Feb 19, 2026
nomisec WRITEUP
by L4r1k · poc
https://github.com/L4r1k/CitrixNetscalerAnalysis

This repository provides a Jupyter notebook for forensic analysis of Citrix Netscaler hosts compromised via CVE-2019-19781. It includes log parsing, IOC detection, and payload decoding to aid in incident response.

Classification
Writeup 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Citrix Netscaler ADC/Gateway
No auth needed
Prerequisites: Access to compromised Citrix Netscaler logs and payload XMLs
devstral-2 · analyzed Feb 19, 2026
nomisec SCANNER
by 0xams · poc
https://github.com/0xams/citrixvulncheck

The repository contains a Python script that enumerates subdomains and ASN information for a given domain to identify potential targets vulnerable to CVE-2019-19781. It does not include exploit code but rather performs reconnaissance to find vulnerable Citrix systems.

Classification
Scanner 90%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: Citrix ADC and Gateway (versions affected by CVE-2019-19781)
No auth needed
Prerequisites: amass · assetfinder · whois · Python 3 · requests · beautifulsoup4 · netaddr
devstral-2 · analyzed Feb 19, 2026
nomisec SCANNER
by EliusHHimel · poc
https://github.com/EliusHHimel/citrix-honeypot

This repository is a honeypot designed to detect and log exploitation attempts for CVE-2019-19781 (Citrix ADC/NetScaler vulnerability). It simulates a vulnerable Citrix environment to capture and log scanning and exploitation attempts, including payloads and login attempts.

Classification
Scanner 95%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: Citrix ADC (NetScaler)
No auth needed
Prerequisites: Network access to the target · Ability to send HTTP/HTTPS requests to the target
devstral-2 · analyzed Feb 19, 2026
nomisec SCANNER
by digitalgangst · poc
https://github.com/digitalgangst/massCitrix

This repository contains a Python script that scans for Citrix ADC/Netscaler Gateway devices vulnerable to CVE-2019-19781 by querying Shodan and checking for the presence of a specific path disclosure endpoint. It does not exploit the vulnerability but detects potentially vulnerable hosts.

Classification
Scanner 90%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Citrix ADC/Netscaler Gateway (versions affected by CVE-2019-19781)
No auth needed
Prerequisites: Shodan API key · Internet access to query Shodan and target hosts
devstral-2 · analyzed Feb 19, 2026
nomisec WORKING POC
by mekhalleh · remote
https://github.com/mekhalleh/citrix_dir_traversal_rce

This repository contains a functional Metasploit module that exploits a directory traversal vulnerability in Citrix ADC (NetScaler) to achieve remote code execution. The exploit leverages improper path sanitization to access Perl scripts and inject malicious XML payloads.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Citrix Application Delivery Controller (ADC) / NetScaler Gateway 10.5, 11.1, 12.0, 12.1, 13.0
No auth needed
Prerequisites: Network access to vulnerable Citrix ADC/NetScaler instance
devstral-2 · analyzed Feb 19, 2026
nomisec SCANNER
by b510 · remote
https://github.com/b510/CVE-2019-19781

This repository contains a Python script that scans for CVE-2019-19781, a path traversal vulnerability in Citrix ADC and Gateway. The script checks for the presence of a sensitive file (`smb.conf`) via a crafted HTTP request and logs vulnerable IPs.

Classification
Scanner 95%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Citrix ADC and Gateway (versions affected by CVE-2019-19781)
No auth needed
Prerequisites: A list of target IPs or CIDR ranges in a `data.txt` file · Python 3 with `requests` and `IPy` libraries
devstral-2 · analyzed Feb 19, 2026
nomisec SCANNER
by Castaldio86 · poc
https://github.com/Castaldio86/Detect-CVE-2019-19781

This PowerShell script checks for CVE-2019-19781 by attempting to access a sensitive file via a path traversal vulnerability in Citrix ADC. It does not exploit the vulnerability but detects its presence.

Classification
Scanner 90%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Citrix ADC (formerly NetScaler ADC)
No auth needed
Prerequisites: Network access to the target Citrix ADC
devstral-2 · analyzed Feb 19, 2026
nomisec SCANNER
by awesome-security · poc
https://github.com/awesome-security/citrixmash_scanner

This repository contains a multithreaded scanner for detecting Citrix appliances vulnerable to CVE-2019-19781. It uses a HEAD request to check for a specific content-length header response to reduce false positives and includes features like IDS evasion via ASCII encoding.

Classification
Scanner 100%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: Citrix ADC and Gateway versions 10.5, 11.1, 12.0, 12.1, and 13.0
No auth needed
Prerequisites: Network access to the target Citrix appliance
devstral-2 · analyzed Feb 19, 2026
nomisec WRITEUP
by digitalshadows · poc
https://github.com/digitalshadows/CVE-2019-19781_IOCs

This repository provides Indicators of Compromise (IOCs) related to CVE-2019-19781, including IP addresses and whois results from a honeypot analysis. It references a blog post discussing the exploit but does not contain functional exploit code.

Classification
Writeup 90%
Attack Type
Other
Complexity
N/a
Reliability
N/a
Target: Citrix ADC and Gateway
No auth needed
devstral-2 · analyzed Feb 19, 2026
nomisec SUSPICIOUS
by zgelici · poc
https://github.com/zgelici/CVE-2019-19781-Checker

The repository claims to check for CVE-2019-19781 but provides no actual exploit code. Instead, it directs users to an external website (citrix-checker.com) and includes generic mitigation steps without technical details about the vulnerability itself.

Classification
Suspicious 90%
Attack Type
Other
Complexity
Theoretical
Reliability
Theoretical
Target: Citrix ADC and Gateway
No auth needed
devstral-2 · analyzed Feb 19, 2026
nomisec WORKING POC
by hollerith · remote
https://github.com/hollerith/CVE-2019-19781

This repository contains a functional exploit for CVE-2019-19781, a remote code execution vulnerability in Citrix Netscaler. The exploit leverages a directory traversal and template injection flaw to execute arbitrary commands on the target system.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Citrix Netscaler (Citrix ADC and Gateway)
No auth needed
Prerequisites: Network access to the target system · Vulnerable Citrix Netscaler instance
devstral-2 · analyzed Feb 19, 2026
vulncheck_xdb WORKING POC
infoleak
https://github.com/user20252228/CVE-2019-19781

The repository contains a functional Python exploit for CVE-2019-19781, a directory traversal vulnerability in Citrix ADC and Gateway. The exploit leverages improper path validation in the /vpns/ endpoint to achieve remote code execution by injecting malicious templates via the newbm.pl script.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Citrix ADC and Gateway (versions affected by CVE-2019-19781)
No auth needed
Prerequisites: Network access to the vulnerable Citrix ADC/Gateway instance · Vulnerable endpoint (/vpn/../vpns/portal/scripts/newbm.pl) must be accessible
devstral-2 · analyzed Feb 25, 2026
metasploit SCANNER
by Mikhail Klyuchnikov, Erik Wynter, altonjx · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/citrix_dir_traversal.rb

This Metasploit module scans for CVE-2019-19781, a directory traversal vulnerability in Citrix ADC (NetScaler). It attempts to retrieve the smb.conf file via a crafted path and checks for the presence of a '[global]' directive to confirm vulnerability.

Classification
Scanner 100%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Citrix ADC (NetScaler)
No auth needed
Prerequisites: Network access to the target Citrix ADC (NetScaler)
devstral-2 · analyzed Feb 16, 2026
metasploit WORKING POC EXCELLENT
by Mikhail Klyuchnikov, Project Zero India, TrustedSec, James Brytan, James Smith, Marisa Mack, Rob Vinson, Sergey Pashevkin, Steven Laura, mekhalleh (RAMELLA Sébastien) · ruby · poc · python
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/freebsd/http/citrix_dir_traversal_rce.rb

This Metasploit module exploits a directory traversal vulnerability (CVE-2019-19781) in Citrix ADC (NetScaler) to achieve remote code execution by leveraging a path traversal in the `/vpn/../vpns/portal/scripts/newbm.pl` endpoint to write and execute arbitrary commands.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Citrix ADC (NetScaler) 10.5, 11.1, 12.0, 12.1, and 13.0
No auth needed
Prerequisites: Network access to the vulnerable Citrix ADC interface
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

Citrix ADC and Gateway - Directory Traversal
CRITICAL · by organiccrap, geeknik

Scores

CVSS v3 9.8
EPSS 0.9444
EPSS Percentile 100.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2021-11-03
VulnCheck KEV 2020-01-16
InTheWild.io 2021-07-23
ENISA EUVD EUVD-2019-9380
Ransomware Use Confirmed
CWE CWE-22
Status published
Products (10)
citrix/application_delivery_controller_firmware 10.5
citrix/application_delivery_controller_firmware 11.1
citrix/application_delivery_controller_firmware 12.0
citrix/application_delivery_controller_firmware 12.1
citrix/application_delivery_controller_firmware 13.0
citrix/gateway_firmware 13.0
citrix/netscaler_gateway_firmware 10.5
citrix/netscaler_gateway_firmware 11.1
citrix/netscaler_gateway_firmware 12.0
citrix/netscaler_gateway_firmware 12.1
Published Dec 27, 2019
KEV Added Nov 03, 2021
Tracked Since Feb 18, 2026