by Daniel Ruiz
Senior Solutions Architect
On November 10th 2020, Citrix announced new Citrix Virtual Apps and Desktop (CVAD) Security Vulnerabilities. Customers should ensure they have installed the latest cumulative update and then apply all hotfixes for that version.
Affected CVAD versions:
This issue is only exploitable if low-privilege users have been granted permission to write files to the C:\ directory. This permission is not default in Windows and Citrix recommends that users are only granted the permissions they require.
A remote compromise is only possible when Windows file sharing (SMB) is enabled on the Windows Virtual Desktop. If authentication is required for SMB then an attacker must also be able to authenticate in order to remotely compromise the Virtual Desktop.
Hotfixes for 1912 LTSR and 7.15 LTSR :
The issues have been addressed in the following versions:
Citrix Virtual Apps and Desktops 1912 CU1:
Citrix XenApp / XenDesktop 7.15 CU6:
If you would like more information or assistance from our industry-leading team of Citrix experts to plan and execute the upgrade, please contact us at firstname.lastname@example.org.