← Main disclosure Disclosure rationale Advisories

Citrix and security researchers - a public record

Documented incidents from public sources · Analytical summaries by the researcher

This page collects publicly documented incidents involving Citrix / Cloud Software Group and security researchers. Every entry cites the original public source. Analytical observations are the researcher's own, based on the cited material. No private communications or anonymous sources are referenced.

2019: CVE-2019-19781 (original "Shitrix")

What happened

A directory traversal vulnerability in Citrix ADC and Gateway allowed unauthenticated remote code execution. CVSS 9.8 Critical.

Timeline

2019-12-17: Citrix published advisory CTX267027. No patch available. Mitigation guidance only.
2020-01-10: Public PoC code released. Exploitation began immediately.
2020-01-19: Citrix began releasing patches - 33 days after disclosure, 9 days after public PoCs.
2020-01-24: Patches available for all affected builds.

The gap

33 days between advisory and first patch. During this window, exploitation was active and the only defence was a mitigation workaround. CISA issued Alert AA20-031A with detection guidance.

The vulnerability was colloquially named "Shitrix" by the security community.

Sources: Citrix blog, NVD, CISA AA20-031A

2023: CVE-2023-3519 (NetScaler zero-day, CVSS 9.8)

What happened

An unauthenticated RCE vulnerability in NetScaler ADC and Gateway via stack buffer overflow. Exploited as a zero-day against critical infrastructure before Citrix was aware.

Timeline

2023-06 (approx): Threat actors exploited CVE-2023-3519 as a zero-day to implant webshells on a critical infrastructure organisation's NetScaler appliance.
2023-07-18: Citrix released patch.
2023-07-19: CISA added CVE-2023-3519 to the Known Exploited Vulnerabilities catalog.
2023-07-20: CISA published advisory AA23-201A detailing the critical infrastructure compromise.

Sources: Citrix bulletin CTX561482, CISA AA23-201A

2023: CVE-2023-4966 (CitrixBleed, CVSS 9.4)

What happened

A buffer over-read vulnerability in NetScaler ADC and Gateway that leaked session tokens, enabling session hijacking and MFA bypass. Exploited by LockBit 3.0 and AlphV/BlackCat ransomware groups.

Timeline

2023-10-10: Citrix published patch and advisory. Stated the vulnerability was found internally and they were unaware of exploitation.
2023-10-17: Citrix updated advisory to disclose active exploitation in the wild.
2023-10-18: CISA added CVE-2023-4966 to KEV catalog.
2023-10-25: Assetnote published PoC and coined the name "CitrixBleed."
2023-11-07: CISA released dedicated guidance because Citrix's own remediation guidance was insufficient.
2023-11-21: Joint advisory from CISA, FBI, MS-ISAC, and ASD's ACSC on LockBit 3.0 exploitation of CitrixBleed.

The gap

Mandiant later determined that exploitation of CVE-2023-4966 was the initial access vector for intrusions predating Citrix's patch release. CISA had to issue supplementary guidance because the vendor's own instructions did not adequately address session persistence after patching.

Sources: CISA AA23-325A, Cybersecurity Dive, Unit 42 threat brief

2024: CVE-2024-8068/8069 (severity dispute with watchTowr)

What happened

watchTowr disclosed vulnerabilities in Citrix Session Recording that they characterized as unauthenticated remote code execution. Citrix rated both CVEs as Medium (CVSS 5.1).

The dispute

watchTowr stated the vulnerabilities could be exploited without authentication. Cloud Software Group stated that an attacker must be authenticated. The assigned CVSS score reflects Citrix's assessment. As their own CNA, Citrix's severity rating is authoritative within the CVE system.

The incident was covered by Cybersecurity Dive, The Register, and Dark Reading.

Sources: watchTowr disclosure, Citrix bulletin CTX691941, Cybersecurity Dive

2025: CVE-2025-5777 (CitrixBleed 2, CVSS 9.3)

What happened

An out-of-bounds read vulnerability in NetScaler ADC and Gateway - the same class of memory-safety vulnerability as the original CitrixBleed (CVE-2023-4966), discovered two years later. Pre-authentication, allows leaking session tokens and credentials from device memory.

Timeline

2025-06-17: Citrix published advisory.
2025-07-10: CISA added CVE-2025-5777 to KEV catalog, confirming active exploitation.

The pattern

CitrixBleed (2023) and CitrixBleed 2 (2025) are the same vulnerability class - memory over-read from insufficient input validation - in the same product line, two years apart. The root cause identified in the first incident was not addressed systemically. watchTowr's disclosure was titled "How Much More Must We Bleed?"

Sources: Citrix advisory CTX693420, watchTowr disclosure, Infosecurity Magazine

Structural factors

CNA status

Cloud Software Group is a MITRE-authorized CNA for its own products. They assign their own CVE IDs and CVSS scores. A researcher who disagrees with the vendor's severity assessment has no recourse within the CVE system.

Source: Cloud Software Group vulnerability response policy

Bug bounty scope

Cloud Software Group's HackerOne program explicitly excludes XenServer. The program scope covers Cloud/SaaS products only. The policy states: "coordinated disclosure reports do NOT qualify for bounty."

Source: HackerOne - Cloud Software Group program scope

Secure by Design pledge

In May 2024, Cloud Software Group signed CISA's Secure by Design pledge, committing to reduce entire classes of vulnerability across their products within one year.

Source: CISA Secure by Design pledge signatories

Summary table

Year	CVE	Class	CVSS	Notable
2019	CVE-2019-19781	Directory traversal / RCE	9.8	33 days to first patch; active exploitation during gap
2023	CVE-2023-3519	Stack buffer overflow / RCE	9.8	Zero-day against critical infrastructure
2023	CVE-2023-4966	Buffer over-read / session leak	9.4	CISA supplementary guidance; LockBit exploitation
2024	CVE-2024-8068/8069	RCE (disputed auth requirements)	5.1 (vendor)	Public severity dispute with watchTowr
2025	CVE-2025-5777	Buffer over-read / session leak	9.3	Same class as CitrixBleed, two years later

Jakob Wolffhechel · Moksha · Copenhagen
jakob@wolffhechel.dk · +45 3170 7337
Published 2026-04-24 08:00 CEST · shittrix.moksha.dk