PatchSiren

CVE-2019-12991 Citrix CVE debrief

CVE-2019-12991 is a command injection vulnerability affecting Citrix SD-WAN and NetScaler. CISA added it to the Known Exploited Vulnerabilities catalog on 2022-03-25, which means it should be treated as actively exploited and remediated urgently. The CISA entry directs defenders to apply updates per vendor instructions.

Vendor: Citrix
Product: SD-WAN and NetScaler
CVSS: Unknown
CISA KEV: Listed
Original CVE published: 2022-03-25
Original CVE updated: 2022-03-25
Advisory published: 2022-03-25
Advisory updated: 2022-03-25

Who should care

Administrators and security teams responsible for Citrix SD-WAN and NetScaler deployments, especially systems that are externally reachable or otherwise exposed to untrusted users.

Technical summary

Public records identify this issue as a command injection vulnerability in Citrix SD-WAN and NetScaler. CISA’s KEV catalog inclusion indicates there is evidence of exploitation in the wild. The available source corpus does not provide version ranges, attack prerequisites, or exploit details, so defenders should rely on Citrix remediation guidance and CISA KEV prioritization.

Defensive priority

High

Recommended defensive actions

  • Identify all Citrix SD-WAN and NetScaler assets in your environment, including any internet-facing instances.
  • Apply vendor updates or mitigations exactly as directed by Citrix and CISA.
  • Treat KEV-listed remediation as urgent and track completion against the CISA due date of 2022-04-15.
  • Review access controls and network exposure for these systems until remediation is complete.
  • Monitor relevant logs and alerts for suspicious command execution or unauthorized administrative activity.

Evidence notes

This debrief is based on the CISA Known Exploited Vulnerabilities catalog entry for CVE-2019-12991 and the linked official references. The source item records vendorProject=Citrix, product=SD-WAN and NetScaler, vulnerabilityName='Citrix SD-WAN and NetScaler Command Injection Vulnerability', dateAdded=2022-03-25, dueDate=2022-04-15, and requiredAction='Apply updates per vendor instructions.' No additional technical details were supplied in the corpus.
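The asset identification and due-date tracking steps above can be scripted against the KEV fields quoted in this section. The sketch below is an added example, not code from CISA or Citrix: the KEV values are the ones recorded on this page, while the inventory, its field names and the helper names product_terms and triage are assumptions made for illustration. It shows one practical catch: the KEV product field is a combined string ("SD-WAN and NetScaler"), so an exact-match lookup against inventory product names finds nothing.

```python
import re
from datetime import date

# KEV record using the field values quoted on this page.
KEV_ENTRY = {
    "cveID": "CVE-2019-12991",
    "vendorProject": "Citrix",
    "product": "SD-WAN and NetScaler",
    "dateAdded": "2022-03-25",
    "dueDate": "2022-04-15",
    "requiredAction": "Apply updates per vendor instructions.",
}

# Constructed inventory: hosts, exposure and patch state are made up.
INVENTORY = [
    {"host": "sdwan-edge-01", "vendor": "Citrix", "product": "SD-WAN", "internet_facing": True, "remediated": False},
    {"host": "ns-int-02", "vendor": "citrix", "product": "NetScaler", "internet_facing": False, "remediated": False},
    {"host": "ns-dmz-03", "vendor": "Citrix", "product": "NetScaler", "internet_facing": True, "remediated": True},
    {"host": "other-04", "vendor": "Citrix", "product": "Other Product", "internet_facing": True, "remediated": False},
    {"host": "fw-05", "vendor": "OtherVendor", "product": "SD-WAN", "internet_facing": True, "remediated": False},
]

def product_terms(entry):
    """Split KEV's combined product string into individual product names."""
    parts = re.split(r"\s+and\s+|\s*,\s*", entry["product"])
    return {p.strip().lower() for p in parts if p.strip()}

def triage(entry, inventory, today):
    """Return affected, unremediated assets with internet-facing hosts first."""
    terms = product_terms(entry)
    due = date.fromisoformat(entry["dueDate"])
    rows = []
    for asset in inventory:
        if asset["vendor"].lower() != entry["vendorProject"].lower():
            continue  # same product name from another vendor is out of scope
        if not any(term in asset["product"].lower() for term in terms):
            continue
        if asset["remediated"]:
            continue
        rows.append({"host": asset["host"], "internet_facing": asset["internet_facing"],
                     "days_overdue": max((today - due).days, 0)})
    return sorted(rows, key=lambda r: (not r["internet_facing"], r["host"]))

if __name__ == "__main__":
    for row in triage(KEV_ENTRY, INVENTORY, date.today()):
        print(row)
```
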

Official resources

CISA added CVE-2019-12991 to the Known Exploited Vulnerabilities catalog on 2022-03-25 with a remediation due date of 2022-04-15. The source corpus marks known ransomware campaign use as Unknown.