cbcvebase.
CVE-2019-11634
published 2019-05-22

CVE-2019-11634: Citrix Workspace App before 1904 for Windows has Incorrect Access Control.

Priority: P184 · critical 9.8 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · Ransomware
CISA Known Exploited Vulnerability, remediation due 2022-05-03
Exploited in the wild
EPSS: 8.09% (percentile 94.1)

Affected

6 ranges

Vendor   Product                Version range   Fixed in
citrix   citrix_workspace
citrix   citrix_workspace_app
citrix   receiver
citrix   workspace              < 1904          1904
citrix   workspace
citrix   xenserver

Detection & IOCs (extracted from sources)

sha256  8be1c54a1a4d07c84b7454e789a26f04a30ca09933b41475423167e232abea2b
sha256  b8066b7ec376bc5928d78693d236dbf47414571df05f818a43fb5f52136e8f2e
sha256  3080b45bab3f804a297ec6d8f407ae762782fa092164f8ed4e106b1ee7e24953
sha256  7de8ca88e240fb905fc2e8fd5db6c5af82d8e21556f0ae36d055f623128c3377
sha256  b227fa0485e34511627a8a4a7d3f1abb6231517be62d022916273b7a51b80a17
sha256  3bac058dbea51f52ce154fed0325fd835f35c1cd521462ce048b41c9b099e1e5
sha256  353ee5805bc5c7a98fb5d522b15743055484dc47144535628d102a4098532cd5
sha256  5ab834f599c6ad35fcd0a168d93c52c399c6de7d1c20f33e25cb1fdb25aec9c6
sha256  52e25bdd600695cfed0d4ee3aca4f121bfebf0de889593e6ba06282845cf39ea
sha256  35a0bced28fd345f3ebfb37b6f9a20cc3ab36ab168e079498f3adb25b41e156f
sha256  7a73032ece59af3316c4a64490344ee111e4cb06aaf00b4a96c10adfdd655599
sha256  08c7dfde13ade4b13350ae290616d7c2f4a87cbeac9a3886e90a175ee40fb641
sha256  d4492a9eb36f87a9b3156b59052ebaf10e264d5d1ce4c015a6b0d205614e58e3
sha256  fcc2921020690a58c60eba35df885e575669e9803212f7791d7e1956f9bf8020
  • Nefilim ransomware is reported to exploit CVE-2019-11634 (Citrix Workspace app / Receiver for Windows incorrect access control) for initial access via Citrix gateway devices; hunt for exploitation against unpatched Citrix remote-access endpoints and, because the flaw lives in the Windows client, on the hosts still running a pre-1904 client.
  • Root cause of CVE-2019-11634: the client's local drive access preference is not enforced, so an attacker can gain read/write access to the client's local drives, which can lead to code execution on the client; monitor for unexpected client drive mapping or file writes arriving through a Citrix session.
  • Lateral movement: Nefilim runs PsExec with the service rename flag '-r mstdc' together with '-accepteula -nobanner'; alert on psexec.exe invocations matching this flag combination.
  • UAC disabled by registry modification (the source calls it a UAC bypass, but setting EnableLUA to 0 turns UAC off outright, effective after the next reboot): monitor for 'reg add HKLM\software\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA ... /d 0' executed remotely through PsExec.
  • Exfiltration staging: monitor for MegaSync installation and 7-Zip binary drops followed by large outbound transfers.
  • Self-deletion: alert on cmd.exe running 'timeout /t 3 /nobreak' followed by 'del ... /s /f /q' against an executable under a user's Downloads path.
  • CVE-2019-11634 affects Citrix Workspace app for Windows before version 1904 and Receiver for Windows LTSR 4.9 CU6 builds earlier than 4.9.6001 only; no other platforms are affected.
  • Applying the security patch may break single sign-on (SSO) for browsers other than Internet Explorer unless SSO is explicitly reconfigured after the fix.
  • CVE-2019-11634 is listed in CISA KEV with known ransomware campaign use (Nefilim); remediation was due by 2022-05-03 per the CISA directive.
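The detection notes above describe four host-level patterns (PsExec with '-r mstdc', the EnableLUA registry change, the timeout-then-del self-deletion and the hash IOCs) plus the affected client version ranges. What follows is an added example, not code from this page, from Citrix or from CISA, that turns those notes into rules and runs them over constructed Sysmon-style process events; the event schema, the sample command lines, the placeholder hashes and the alert names are all assumptions made for illustration.

```python
"""Hunt the CVE-2019-11634 / Nefilim indicators listed above over process-creation
and file-hash telemetry, plus a check for the affected client version ranges.
Added example, not code from the page, Citrix or CISA: the event schema (a minimal
Sysmon-style record: image, cmdline, parent, sha256) and SAMPLE_EVENTS are constructed."""
import re

# Three of the SHA-256 indicators from the list above; extend with the rest.
IOC_SHA256 = frozenset({
    "8be1c54a1a4d07c84b7454e789a26f04a30ca09933b41475423167e232abea2b",
    "b8066b7ec376bc5928d78693d236dbf47414571df05f818a43fb5f52136e8f2e",
    "3080b45bab3f804a297ec6d8f407ae762782fa092164f8ed4e106b1ee7e24953",
})
UAC_KEY = r"(?:hklm|hkey_local_machine)\\software\\microsoft\\windows\\currentversion\\policies\\system"


def is_affected_version(version):
    """Workspace app for Windows < 1904 (YYMM builds) or Receiver LTSR 4.9 < 4.9.6001.
    Other version lines are outside the advisory's scope and return False."""
    parts = [int(p) for p in re.findall(r"\d+", version)]
    if not parts:
        raise ValueError("unparseable version: %r" % version)
    if parts[:2] == [4, 9]:      # LTSR 4.9 line; a bare "4.9" predates CU6
        return parts[2:3] < [6001]
    if parts[0] >= 1000:         # Workspace app builds such as 1903.1.0.0
        return parts[0] < 1904
    return False


def rule_ioc_hash(ev):
    return "nefilim_known_hash" if ev.get("sha256", "").lower() in IOC_SHA256 else None


def rule_psexec_rename(ev):
    # PsExec with its service renamed to "mstdc"; also require the -accepteula -nobanner pair
    cl = ev["cmdline"].lower()
    if "psexec" not in cl or not re.search(r"-r\s+mstdc\b", cl):
        return None
    return "nefilim_psexec_lateral_movement" if "-accepteula" in cl and "-nobanner" in cl else None


def rule_uac_disable(ev):
    # reg add ...\Policies\System /v EnableLUA /d 0 switches UAC off (effective after reboot)
    cl = ev["cmdline"].lower()
    if not re.search(r'\breg(?:\.exe)?\s+add\s+"?' + UAC_KEY, cl):
        return None
    if not re.search(r"/v\s+enablelua\b", cl) or not re.search(r"/d\s+0\b", cl):
        return None
    # PsExec executes remote commands under PSEXESVC, so that parent marks the remote variant
    remote = "psexesvc" in ev.get("parent", "").lower()
    return "nefilim_uac_disabled_via_psexec" if remote else "uac_disabled"


def rule_self_delete(ev):
    # cmd.exe /c timeout /t N /nobreak & del <...\Downloads\x.exe> /s /f /q
    cl = ev["cmdline"].lower()
    if not ev["image"].lower().endswith("cmd.exe") or not re.search(r"timeout\s+/t\s+\d+\s+/nobreak", cl):
        return None
    m = re.search(r"\bdel\b(.*)", cl)
    if not m or not all("/" + f in m.group(1) for f in "sfq"):
        return None
    return "nefilim_self_deletion" if re.search(r'\\downloads\\[^\s"]*\.exe', m.group(1)) else None


RULES = (rule_ioc_hash, rule_psexec_rename, rule_uac_disable, rule_self_delete)


def hunt(events):
    """Return [(event_index, alert_name), ...] for every rule that fires."""
    hits = []
    for i, ev in enumerate(events):
        for rule in RULES:
            alert = rule(ev)
            if alert:
                hits.append((i, alert))
    return hits


# Constructed telemetry, not real logs; "11" * 32 etc. are placeholder hashes.
SAMPLE_EVENTS = [
    {"image": r"C:\Tools\PsExec.exe", "parent": r"C:\Windows\System32\cmd.exe", "sha256": "11" * 32,
     "cmdline": r"PsExec.exe \\FS01 -accepteula -nobanner -r mstdc -s cmd.exe /c whoami"},
    {"image": r"C:\Windows\System32\reg.exe", "parent": r"C:\Windows\PSEXESVC.exe", "sha256": "22" * 32,
     "cmdline": r"reg add HKLM\software\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f"},
    {"image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Users\jdoe\Downloads\update.exe", "sha256": "33" * 32,
     "cmdline": r'cmd.exe /c timeout /t 3 /nobreak & del "C:\Users\jdoe\Downloads\update.exe" /s /f /q'},
    {"image": r"C:\Users\jdoe\Downloads\update.exe", "parent": r"C:\Windows\explorer.exe", "cmdline": "update.exe",
     "sha256": "8be1c54a1a4d07c84b7454e789a26f04a30ca09933b41475423167e232abea2b"},
    {"image": r"C:\Windows\System32\svchost.exe", "parent": r"C:\Windows\System32\services.exe",
     "sha256": "44" * 32, "cmdline": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for i, alert in hunt(SAMPLE_EVENTS):
        print("event %d -> %s: %s" % (i, alert, SAMPLE_EVENTS[i]["cmdline"]))
    for v in ("1903.1.0.0", "1904.1.0.0", "4.9.5001", "4.9.6001"):
        print(v, "affected" if is_affected_version(v) else "not affected")
```

Run it directly to see which sample event trips which rule; in production, feed it process-creation events (Sysmon Event ID 1 or the EDR equivalent) and pair the hash lookup with your file-hash telemetry. The MegaSync/7-Zip exfiltration staging from the notes is deliberately left out, since it needs correlation of file drops with outbound transfer volume that a single-event rule cannot express.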

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd         v2.0      7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck             9.8     CRITICAL
cisa                  9.8     CRITICAL