A vulnerability has been identified in Citrix Virtual Apps and Desktops that could potentially allow a Windows VDA user to escalate their privilege level on that VDA to SYSTEM (CVE-2021-22928).
The vulnerability only applies to VDAs that have either Citrix Profile Management or the Citrix Profile Management WMI plug-in installed. Note that in environments where FSLogix is used for profile management, the VDA typically still has Citrix Profile Management and the Citrix Profile Management WMI plug-in installed, as these components are necessary to drive some statistics in Director (e.g. logon duration).
Affected versions:
- Citrix Virtual Apps and Desktops 2106 and earlier
- Citrix Virtual Apps and Desktops 1912 LTSR CU3 and earlier
- Citrix Virtual Apps and Desktops 7.15 LTSR CU7 and earlier
Citrix recommends applying the applicable hotfix to affected VDAs as soon as possible.
- Citrix Virtual Apps and Desktops 2106
- Citrix Virtual Apps and Desktops 1912 LTSR
- Citrix XenApp / XenDesktop 7.15 LTSR