A security vulnerability has been found in the Citrix Virtual Delivery Agent (VDA) for Windows that could allow a low-privileged user to gain SYSTEM privileges. It has been assigned CVE-2025-6759 and carries a CVSS v4 base score of 7.3, rating it as high severity.
The following supported versions of the Citrix VDA are affected by this vulnerability:
- Current Release (CR) versions prior to 2503
- 2402 LTSR (all versions)
The 2203 LTSR versions of the VDA are not affected by this vulnerability.
What To Do
Since this vulnerability impacts the agent running within the machines that host user sessions, it is necessary to either update the machine images or apply updates to all persistent machines.
As a temporary workaround, customers using a vulnerable version of the VDA are recommended to apply the following registry key until the fix can be put into place:
[HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\CtxExceptionHandler]
"Enabled"=dword:00000000
After applying the registry key, the VDA must be restarted for the change to take effect; for non-persistent machines, the change must therefore be incorporated into the master image.
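The interim workaround above can be audited and applied idempotently from an elevated PowerShell session. This is an added example, not Helient's or Citrix's own script; only the key path and value name come from the advisory, and the function names and parameters are this example's own.

```powershell
# Added example: audit and apply the CtxExceptionHandler workaround on a VDA.
# Assumption: only the key path and value name below come from the advisory.
$KeyPath   = 'HKLM:\SOFTWARE\Citrix\CtxExceptionHandler'
$ValueName = 'Enabled'

function Test-CtxExceptionHandlerDisabled {
    # Returns $true only when the value exists and is exactly 0 (workaround in place).
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return ($item.$ValueName -eq 0)
}

function Set-CtxExceptionHandlerWorkaround {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # Writing under HKLM requires an elevated session; fail early otherwise.
    $principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'This workaround must be applied from an elevated (Administrator) session.'
    }

    if (Test-CtxExceptionHandlerDisabled) {
        Write-Host "Workaround already present: $KeyPath\$ValueName = 0"
        return
    }

    if ($PSCmdlet.ShouldProcess("$KeyPath\$ValueName", 'Set REG_DWORD to 0')) {
        # Create the key if it does not exist; -Force is harmless when it already does.
        New-Item -Path $KeyPath -Force | Out-Null
        Set-ItemProperty -Path $KeyPath -Name $ValueName -Value 0 -Type DWord
        Write-Warning 'Value set. The VDA must be restarted before this takes effect; for non-persistent machines, apply it in the master image.'
    }
}

# Usage: dry-run first, then apply, then verify the on-disk state.
Set-CtxExceptionHandlerWorkaround -WhatIf
Set-CtxExceptionHandlerWorkaround
if (Test-CtxExceptionHandlerDisabled) { 'Workaround applied' } else { 'Workaround NOT applied' }
```

Run the audit function alone across the estate (for example via a configuration-management tool) to find VDAs that still lack the workaround.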
To fully mitigate the vulnerability, customers should perform one of the following:
- Customers using a CR version should upgrade to Citrix Virtual Apps and Desktops 2503
- Customers using 2402 LTSR (without any cumulative updates) should upgrade to 2402 CU2 and apply the relevant fix
- Customers using 2402 LTSR CU2 should apply 2402 LTSR CU2 Update 1 as described in the following article:
- Customers using 2402 LTSR CU1 should apply 2402 LTSR CU1 Update 1 as described in the following article:
Next Steps
Customers are strongly encouraged to perform the required updates as soon as possible. Please reach out if you would like Helient Technologies’ highly experienced engineers to assist with the planning or deployment of these fixes.