CVE-2025-6759

HIGH

Citrix Virtual Apps and Desktops - Local Privilege Escalation to SYSTEM via Windows Virtual Delivery Agent

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-6759. PoCs published by olljanat.

AI-analyzed exploit summary This PoC tests the mitigation for CVE-2025-6759 by dynamically loading Citrix's exception handler DLL and verifying if registry changes take effect without requiring a restart. It demonstrates the behavior of the exception handler in Citrix Virtual Apps and Desktops.

Description

Local Privilege escalation allows a low-privileged user to gain SYSTEM privileges in Windows Virtual Delivery Agent for CVAD and Citrix DaaS

Exploits (1)

nomisec WORKING POC 1 stars

by olljanat · poc

https://github.com/olljanat/TestCitrixException

View Code ZIP pw:eip

This PoC tests the mitigation for CVE-2025-6759 by dynamically loading Citrix's exception handler DLL and verifying if registry changes take effect without requiring a restart. It demonstrates the behavior of the exception handler in Citrix Virtual Apps and Desktops.

Classification

Working Poc 95%

Attack Type

Other

Complexity

Trivial

Reliability

Reliable

Target: Citrix Virtual Apps and Desktops (CVE-2025-6759)

No auth needed

Prerequisites: Access to a Citrix VDA server · Citrix ExceptionHandler DLL present

MITRE ATT&CK

T1562.001 - Disable or Modify Tools

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (1)

Core 1

Core References

Vendor Advisory

https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX694820

Scores

CVSS v3 7.8

EPSS 0.0024

EPSS Percentile 15.1%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-269

Status published

Products (2)

citrix/virtual_apps_and_desktops 2402 (3 CPE variants)

citrix/virtual_apps_and_desktops < 2503

Published Jul 08, 2025

Tracked Since Feb 18, 2026