Windows Virtual Delivery Agent for CVAD and Citrix DaaS Security Bulletin CVE-2025-6759
Description of Problem
A vulnerability has been identified that impacts Virtual Delivery Agent for Windows used by Citrix Virtual Apps and Desktops and Citrix DaaS.
Affected Versions
The vulnerability affects the following supported versions of Windows Virtual Delivery Agent for single-session OS:
Current Release (CR)
- Citrix Virtual Apps and Desktops versions before 2503
Long Term Service Release (LTSR)
- Citrix Virtual Apps and Desktops 2402 LTSR CU2 and earlier versions of 2402 LTSR
Note: Citrix Virtual Apps and Desktops 2203 LTSR is not affected by this vulnerability.
Summary
| CVE ID | Description | Pre-conditions | CWE | CVSSv4 |
| CVE-2025-6759 | Local Privilege escalation allows a low-privileged user to gain SYSTEM privileges | Local access to the target system | CWE-269: Improper Privilege Management | CVSS v4.0 Base Score: 6.9 (CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N) |
What Customers Should Do
Citrix strongly recommends that customers upgrade their Windows Virtual Delivery Agent for single-session OS to versions that contain the fixes as soon as possible.
Windows Virtual Delivery Agent versions that contain the fixes are:
Current Release (CR)
- Citrix Virtual Apps and Desktops 2503 and later versions
The following Updates have been released to address the issues in Citrix Virtual Apps and Desktops 2402 LTSR CU1 and CU2. Customers should ensure they have installed the corresponding cumulative update and then install any applicable updates:
Long Term Service Release (LTSR)
- Citrix Virtual Apps and Desktops 2402 LTSR CU1 Update 1 – https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX694848
- Citrix Virtual Apps and Desktops 2402 LTSR CU2 Update 1 – https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX694849 and later cumulative
Workarounds/ Mitigating Factors
While applying the recommended hotfixes is the preferred solution, customers who are unable to upgrade immediately can apply the following registry change as a temporary workaround on affected systems:
[HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\CtxExceptionHandler]
“Enabled”=dword:00000000
Note: Customers may leverage Citrix Workspace Environment Management to deploy the above registry key. More details can be found here: https://docs.citrix.com/en-us/workspace-environment-management/current-release/user-interface-description/actions/group-policy-settings.html
More Information
For assistance from the Kraft Kennedy team, please contact us.