Real Breach: Citrix NetScaler — CVE-2019-19781
## A Path Traversal That Hit 80,000 Companies
In December 2019, a path traversal vulnerability was disclosed in Citrix Application Delivery Controller (ADC) and Citrix Gateway — products used by roughly 80,000 organisations worldwide including banks, hospitals, and government agencies.
The vulnerability: an unauthenticated attacker could send a crafted URL like:
`/vpn/../vpns/cfg/smb.conf`
The `../` sequences navigated out of the intended web directory into the application config. From there, attackers could read credentials, session tokens, and configuration files — and chain the vulnerability into remote code execution.
Exploitation started within 24 hours of the PoC being published. Ransomware groups and nation-state actors used it to compromise targets before patches were applied. The UK's NCSC reported widespread exploitation.
---
### Why Path Traversal Happens
Developers build file viewers, document exporters, image loaders, and log viewers. The feature typically builds the file path like this:
```
Read file: /var/app/docs/ + [user input]
```
The intent is that the user picks a filename like `readme.txt`. But if the input is `../../../etc/passwd`, the resulting path is:
```
/var/app/docs/../../../etc/passwd → /etc/passwd
```
Each `../` sequence climbs one level up the directory tree, so three of them are enough to get from `/var/app/docs` to the filesystem root. Without sanitisation, any file the web server process can read becomes accessible.
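
The pattern above next to a hardened version, as an added example that is not part of the original lesson. The function names (`naive_path`, `safe_resolve`, `demo`) are hypothetical, and the directory tree and inputs are constructed in a temporary directory. It goes slightly beyond the text by also covering percent-encoded input, absolute paths, and a symlink that points outside the base directory.

```python
import os
import tempfile
from urllib.parse import unquote

def naive_path(base, user_input):
    """Vulnerable pattern from the text: base directory + user input, unchecked."""
    return os.path.normpath(base + "/" + user_input)

def safe_resolve(base, user_input):
    """Return the canonical path for user_input, or raise ValueError if it
    would land outside base. Canonicalise first, then test containment."""
    name = unquote(user_input)  # covers callers that pass a raw, still-encoded URL segment
    if "\x00" in name:
        raise ValueError("NUL byte in path")
    base_real = os.path.realpath(base)
    # realpath collapses ../ and follows symlinks; join() drops base for absolute input
    candidate = os.path.realpath(os.path.join(base_real, name))
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise ValueError(f"path escapes base directory: {user_input!r}")
    return candidate

def demo():
    """Run constructed inputs against a throwaway docs tree; return verdicts."""
    inputs = ["readme.txt", "sub/../readme.txt", "../../../etc/passwd",
              "%2e%2e%2f%2e%2e%2fsecret.txt", "/etc/passwd", "link.txt"]
    verdicts = {}
    with tempfile.TemporaryDirectory() as root:
        docs = os.path.join(root, "var", "app", "docs")
        os.makedirs(docs)
        for path in (os.path.join(docs, "readme.txt"), os.path.join(root, "secret.txt")):
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
        # symlink inside docs pointing outside it: a string-only check would miss this
        os.symlink(os.path.join(root, "secret.txt"), os.path.join(docs, "link.txt"))
        for name in inputs:
            try:
                safe_resolve(docs, name)
                verdicts[name] = "allowed"
            except ValueError:
                verdicts[name] = "blocked"
    return verdicts

if __name__ == "__main__":
    print(naive_path("/var/app/docs", "../../../etc/passwd"))
    for name, verdict in demo().items():
        print(f"{verdict:8} {name}")
```

The containment check runs on the resolved path rather than on the input string, which is why the symlink and the encoded variant are rejected without any special-case filtering of `../`.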