Citrix has issued a security advisory concerning a newly identified local privilege escalation vulnerability affecting its Windows Virtual Delivery Agent (VDA), which is a core component of Citrix Virtual Apps and Desktops (CVAD) and Citrix DaaS environments.
The vulnerability, tracked as CVE-2025-6759 (CVSSv4 7.3), could allow a low-privileged user to gain SYSTEM privileges on affected systems. Although exploitation requires local access, the implications are serious, especially in enterprise environments where VDA is widely deployed across virtual desktop infrastructure (VDI).
The flaw specifically impacts the single-session OS configurations of the Windows VDA in the following versions:
- Citrix Virtual Apps and Desktops versions before 2503
- Citrix Virtual Apps and Desktops 2402 LTSR CU2 and earlier
This vulnerability allows a low-privileged user to escalate their privileges to SYSTEM, the highest privilege level in Windows. In a compromised environment, this could allow an attacker to disable defenses, install persistent malware, or harvest credentials.
Citrix is urging customers to immediately upgrade to patched versions of the VDA. The company notes:
“Citrix strongly recommends that customers upgrade their Windows Virtual Delivery Agent for single-session OS to versions that contain the fixes as soon as possible.”
Updated Versions with Fixes:
- CR: Upgrade to Citrix Virtual Apps and Desktops 2503 or later
- LTSR:
For organizations unable to apply patches immediately, Citrix has provided a registry-level workaround:
“While applying the recommended hotfixes is the preferred solution, customers who are unable to upgrade immediately can apply the following registry change as a temporary workaround,” the advisory adds.