By Edmund Brumaghin, with contributions from Dalton Schaadt.

Executive Summary
Recently, the details of a critical vulnerability affecting Citrix Application Delivery Controller and Citrix Gateway servers were publicly disclosed. This vulnerability is currently being tracked as CVE-2019-19781. A public patch has not yet been released; however, Citrix has released recommendations for steps that affected organizations can take to help mitigate the risk associated with this vulnerability. Successful exploitation of CVE-2019-19781 could allow a remote attacker to execute arbitrary code on affected systems.

This vulnerability, a directory traversal flaw, affects multiple versions of these products. Since its public disclosure, several proof-of-concept (PoC) tools have been publicly released that adversaries can use to scan for vulnerable systems and attempt to exploit the vulnerable condition to achieve remote code execution. There have been multiple public reports of mass-scanning and exploitation activity already being observed in the wild. As such, it is important that organizations are aware of this vulnerability and take steps to mitigate the risk of attacks against their environments.

Talos coverage for CVE-2019-19781
Talos has developed and released coverage for this vulnerability in the form of Snort and Firepower signatures. These signatures have been available since Dec. 24, 2019, and can be leveraged by organizations to protect their affected systems from possible exploitation attempts until an official patch is publicly released.

Snort SIDs: 52512, 52513, 52603