Tackling vulnerabilities to keep your business running

Citrix is committed to keeping its products and customers secure. Citrix strives to follow industry standards during all phases of the Secure Development Lifecycle (SDLC). As part of its SDLC program, Citrix has a robust Security Response Process that accepts vulnerability reports against Citrix products and services from external sources – customers and researchers alike.

The Citrix Security Response Team is a dedicated, global team that is responsible for managing the receipt, verification, and public reporting of information about security vulnerabilities in Citrix products.

In line with its commitment to adhere to international standard ISO/IEC 29147:2018, all issues reported to Citrix follow our vulnerability response process:

  1. Receipt: Upon receiving a vulnerability report, Citrix will generate a unique case identifier and acknowledge receipt by the end of the next working day.
  2. Triage: Citrix will investigate vulnerabilities in Citrix products and services from the date of release until End of Life. The investigation and verification of issues will be prioritized based on the potential severity of the vulnerability and other environmental factors. Throughout the investigative process, Citrix will work with the reporter to confirm the nature of the vulnerability, gather required technical information, and ascertain appropriate remedial action. When the initial investigation is complete, results are delivered to the reporter along with a plan for resolution and public disclosure, if applicable.
  3. Variant analysis: Citrix will perform an in-depth analysis to ensure that similar issues are identified and that any action taken will ultimately address the whole class of issues.
  4. Resolution: The Citrix Security Response team will work with Citrix internal product development teams to address the issue. Timescales for releasing a fix vary according to complexity and severity. Citrix will provide updates to the researcher as and when there is progress with the vulnerability handling process related to the reported vulnerability.
  5. Release: When a mitigation or software update is released, Citrix will provide remediation or mitigation information to users, typically in the form of a security bulletin and software patches or updates. If, during the course of the vulnerability handling process, Citrix identifies a vulnerability in a third-party product or service, we will endeavor to responsibly disclose this issue and coordinate our public releases.
  6. Post release: Citrix will monitor feedback from users and, if necessary, will update remediation and mitigation information accordingly.

For an overview of the security work and processes that are performed on the Citrix product line, consult the Cloud Software Group Secure Development Lifecycle for Citrix and NetScaler Products & Services document.

At Citrix, we are committed to ensuring the security of our customers. We follow a holistic and comprehensive approach to secure our products, services, and assets, with a formalized process for handling reported security vulnerabilities.

To stay informed about security vulnerabilities, update your support notifications to receive future security bulletins by email.

Expand all
Third-party CVEs and their impact on Citrix products

Citrix uses third-party components within our products and, as part of Citrix commitment to customer security, incorporates relevant security improvements into Citrix software updates. Citrix therefore recommends customers always use the most recent release of a currently maintained version of Citrix software or firmware, to ensure they benefit from the latest security updates. Please see the Citrix product matrix for information on lifecycle of Citrix products.

If information is needed on the impact of a CVE on a Citrix product or service, please raise a support request through your normal Citrix support channel. Please include the Common Vulnerabilities and Exposures (CVE) reference (https://nvd.nist.gov) or the relevant security bulletin article number when submitting the request.

Security bulletins

Citrix publishes security bulletins to provide remediation information about security vulnerabilities in customer-managed Citrix products which have been reported to Citrix through the vulnerability response program. Citrix may also publish a security bulletin to inform customers of other events affecting Citrix products, for example, if a critical third-party CVE impacts a Citrix product or a dedicated hotfix is released to address a vulnerability.

Citrix will usually publish a security bulletin once software patches or workarounds exist in all versions of a product that have not yet reached End of Maintenance. In limited circumstances, including where Citrix has observed active exploitation of a vulnerability or where public awareness of a vulnerability could lead to increased risk for Citrix customers, a security bulletin may be published before a complete set of patches or workarounds have been released so that we may alert customers and provide advice on how to mitigate the associated risks. In order to help customers plan to perform any applicable updates, Citrix typically publishes security bulletins on the second Tuesday of a month but may choose to publish or update an article on a different day if we believe it’s in the best interest of our customers to do so.

Citrix classifies security bulletins as Critical, High, Medium, Low, or Informational according to the risk that Citrix determines a vulnerability represents to our customers. Citrix will calculate the risk of a vulnerability considering the CVSS method, but may modify scoring to reflect specific circumstances including, but not limited to, complexity of exploitation and available mitigations. Citrix recommends that customers apply security fixes/patches as soon as possible following their release.

For the safety of all our customers, Citrix does not disclose any technical details about vulnerabilities beyond those contained within a security bulletin. For any other information, please raise a support request through your normal Citrix support channel. Please include the relevant Citrix security bulletin article number when submitting the request.

Pre-notification of security bulletins

Citrix Security bulletins are published and disclosed to customers and the public simultaneously. However, Citrix provides annadvanced notification of upcoming bulletins to a limited group of customers.

When able to do so, Citrix will notify enrolled customers of an upcoming Security bulletin 1-2 weeks prior to the public release date, to aid them in the planning of update activities. The notification will contain the name of the affected product, affected version (major versions only), criticality of the vulnerability and expected date of release.

Pre-notification of upcoming Citrix Security bulletins is available to customers and partners that meet the following criteria: 

  • Be using customer-managed Citrix products  (i.e., not in Citrix Cloud)
  • Have a Citrix Unified Services customer
  • Have a Citrix user base of 10,000 or more users OR be managing critical infrastructure. Examples of critical infrastructure include: 
    • Cloud platform providers 
    • Service platform provider 
    • Healthcare-based ISVs
    • Financial Services
    • Energy Sector
    • Government Departments
    • Transportation
  • Have NOT been previously disqualified from the pre-disclosure program

Customers wishing to be enrolled to the Pre-notification program should contact their Account Technology Specialiast (ATS) who will apply to join the pre-notification program on their behalf.

Customers must sign and return the Citrix pre-disclosure program non-disclosure agreement; the agreement is valid only upon execution by the Citrix Chief Information Security Officer or Chief Digital Risk Officer.

Citrix would like to thank security researchers who have worked with us to secure Citrix products and services and, when permission is given, will acknowledge a reporter's contribution during the public disclosure of a vulnerability.

Name Company Date Reference
Russell Howe   Feb 2023 CVE-2023-24486
Lockheed Martin Red Team Lockheed Martin Feb 2023 CVE-2023-24484, CVE-2023-24485CVE-2023-24483
Ishita Kunal Sailor   Nov 2022  
Saurabh Ail   Nov 2022  
Jarosław Kamiński Securitum Nov 2022 CVE-2022-27513
Artur Ogloza SIX Oct 2022  
James Kettle PortSwigger Jul 2022 CVE-2022-27509
Florian Hauser Code White Jun 2022 CVE-2022-27511, CVE-2022-27512
Florian Kerber Siemens CERT Jan 2022 CVE-2022-21825
Jedd Casella CyberCX Dec 2021  
Markus Wulftange Code White GmbH Sep 2021 CVE-2021-22941
Wolfgang Ettlinger and Marc Nimmerrichter Certitude Consulting Jul 2021 CVE-2021-22927
Lasse Trolle Borup Improsec A/S Jul 2021 CVE-2021-22928
Patrick van den Born van den Born IT Consultancy Jun 2021 CVE-2021-22914
ChenNan Chaitin Security Research Lab Jun 2021 CVE-2020-8299
Wolfgang Ettlinger and Marc Nimmerrichter Certitude Consulting Jun 2021 CVE-2020-8300
Sai Cheng Syclover Security Team May 2021 CVE-2021-22907
Expand all
2020
Name Company Date Reference
Julien Thomas Protektoid project Dec 2020 CVE-2020-8274, CVE-2020-8275
Michael Garrison State Farm Information Security Nov 2020 CVE-2020-8270
Hannay Al Mohanna F-Secure Nov 2020 CVE-2020-8269
Ariel Tempelhof
 Realmode Labs Nov 2020 CVE-2020-8271, CVE-2020-8272, CVE-2020-8273
Chen Erlich Cymptom Oct-2020 CVE-2020-8257, CVE-2020-8258
Moritz Bechler SySS GmbH Sep 2020 CVE-2020-8245, CVE-2020-8246, CVE-2020-8247
Knud F-Secure Sep 2020 CVE-2020-8245, CVE-2020-8246, CVE-2020-8247
Arsenii Pustovit Adversary Emulation team (Royal Bank of Canada) Sep 2020 CVE-2020-8245, CVE-2020-8246, CVE-2020-8247
Johan Georges Wisearc Advisors, Sweden Sep 2020 CVE-2020-8245, CVE-2020-8246, CVE-2020-8247
Vasilis Maritsas EY Consulting Sep 2020 CVE-2020-8245, CVE-2020-8246, CVE-2020-8247
Juan David Ordoñez Noriega RedTeam CSIETE Sep 2020 CVE-2020-8245, CVE-2020-8246, CVE-2020-8247
Ricardo Iramar Dos Santos N/A Sep 2020 CVE-2020-8245, CVE-2020-8246, CVE-2020-8247
Harrison Neal Patch Advisor Sep 2020 CVE-2020-8200
Glyn Wintle Tradecraft Aug 2020 CVE-2020-8209, CVE-2020-8210, CVE-2020-8211, CVE-2020-8212, CVE-2020-8253
Kristian Bremberg Detectify Aug 2020 CVE-2020-8208
Ceri Coburn Pen Test Partners Jul 2020 CVE-2020-8207
Albert Shi Univision Network (Shanghai) Co., Ltd Jul 2020 CVE-2020-8198
Maarten Boone N/A Jul 2020 CVE-2020-8190
Donny Maasland Unauthorized Access Jul 2020 CVE-2020-8191, CVE-2020-8193, CVE-2020-8194, CVE-2020-8195, CVE-2020-8196
Laurent Geyer Akamai Jul 2020 CVE-2020-8197
Albert Shi UVision Jul 2020 CVE-2020-8198
Viktor Dragomiretskyy N/A Jul 2020 CVE-2020-8199
Muris Kurgas Digital14 Jul 2020 CVE-2019-18177
Daniel Jensen N/A Jun 2020 CVE-2020-7473, CVE-2020-8982, CVE-2020-8983
Andrew Hess N/A Jun 2020 CVE-2020-13884, CVE-2020-13885
Danske Bank Red-Team Danske Bank May 2020 CVE-2020-8982, CVE-2020-8983
2019
Name Company Date Reference
Vahagn Vardanyan N/A Aug 2019 CVE-2019-13608
Gianlorenzo Cipparrone Paddy Power Betfair plc Dec 2019 CVE-2019-19781
Miguel Gonzalez Paddy Power Betfair plc Dec 2019 CVE-2019-19781
Marc-André Labonté Desjardins Oct 2019 CVE-2019-18225
Ollie Whitehouse NCC Group May 2019 CVE-2019-11634
Richard Warren NCC Group May 2019 CVE-2019-11634
Martin Hill NCC Group May 2019 CVE-2019-11634
Sergey Gordeychik SD-WAN New Hope Apr 2019 CVE-2019-11550
Denis Kolegov SD-WAN New Hope Apr 2019 CVE-2019-11550
Nikita Oleksov SD-WAN New Hope Apr 2019 CVE-2019-11550
Jonas Danske Bank Apr 2019 CVE-2019-18571
Vasile Revnic N/A Apr 2019 CVE-2019-11345
Mark Du Plessis N/A Mar 2019 CVE-2019-9548
Craig Young Tripwire VERT Jan 2019 CVE-2019-6485
Janis Fliegenschmidt Ruhr-Universität Bochum Jan 2019 CVE-2019-6485
Juraj Somorovsky Ruhr-Universität Bochum Jan 2019 CVE-2019-6485
Nimrod Aviram Tel Aviv University Jan 2019 CVE-2019-6485
Robert Merget Ruhr-Universität Bochum Jan 2019 CVE-2019-6485