Bishop Fox named “Leader” in 2024 GigaOm Radar for Attack Surface Management. Read the Report ›

Delivering Peace of Mind About New Citrix Emerging Threat

Large magnifying glass next to a tiny person


The cyber threat intel feeds are on fire with multiple high-profile vulnerabilities affecting widely deployed networking devices, and security teams are scrambling with task saturation. “What is the biggest risk? Where are we exposed?” The Continuous Attack Surface Testing (CAST) Team at Bishop Fox has been following these stories as they unfold—researching the vulnerabilities, crafting exploits, and most importantly, notifying our clients on their potential exposures.

In this group of vulnerabilities, CITRIX announced 11 CVEs that impact their ADC, Gateway, and SDWAN WANOP products. We quickly identified the highest severity threat, an authentication bypass (CVE-2020-8193). At first, it appears to be a high-risk vulnerability, affecting many organizations, but upon further investigation, our CAST team discovered that an attacker must have access to the NetScaler IP (NSIP) management interface. The NSIP service should never be exposed externally unless there is a misconfiguration issue. Although we ran an on-demand scan to confirm, we knew from our continuous attack surface testing that our clients do not have any publicly exposed NSIP interfaces. If they did, we would have already flagged the issue and helped clients re-configure their application. As a result, we were able to de-escalate the risk for our CAST clients, giving them immediate peace of mind that they weren't at risk from the Citrix vulnerability (CVE-2020-8193).


In addition to immediately notifying our clients via chat channels, we provided customized reports to each client with an assessment of their exposure, recommendations, and instructions on how to apply the necessary mitigations and patches. With the CAST service, we were quickly able to deliver some peace of mind for our clients about the emerging threat they were hearing about online. Then we went straight back to proactively protect our clients by discovering and analyzing the next panic-inducing CVEs dominating infosec twitter. For those CAST clients that are following the same conversations online, they know they can always flag us instantly in chat to ask us to dig into the latest bug making waves to see if they’re affected and, if so, how to remediate the issue.

Earlier this year, a related, but high-severity Citrix vulnerability hit the news and our CAST team was able to give clients a full month (30 days) to remediate the threat prior to the official release of the patch. Read more about that story here:

References:, CVE author’s writeup and Proof of Concept (POC), Citrix Advisory

Subscribe to Bishop Fox's Security Blog

Be first to learn about latest tools, advisories, and findings.

Barrett darnell

About the author, Barrett Darnell

Bishop Fox Alumnus

Barrett Darnell was a Senior Operator at Bishop Fox and a technical lead for the Continuous Attack Surface Testing (COSMOS) Managed Security Service. Prior to coming to Bishop Fox, he served as an exploitation operator in the US Department of Defense's most elite computer network exploitation (CNE) unit. As a top-rated military officer, Barrett led an offensive operations team in the US Air Force's premier selectively-manned cyber attack squadron. Barrett also teaches SANS SEC660: Advanced Penetration Testing, Exploit Writing, and Ethical Hacking to a worldwide audience. Barrett holds a Bachelor of Science in Computer Science from Washington State University and a Master of Science in Software Engineering from the University of West Florida.

More by Barrett

This site uses cookies to provide you with a great user experience. By continuing to use our website, you consent to the use of cookies. To find out more about the cookies we use, please see our Privacy Policy.