CVE-2025-4879 Overview
CVE-2025-4879 is a local privilege escalation vulnerability in Citrix Workspace app for Windows. A low-privileged local user can exploit the flaw to obtain SYSTEM privileges on an affected host. The issue is tracked under CWE-269: Improper Privilege Management and affects multiple Long Term Service Release (LTSR) builds of the product, including Citrix Workspace 2402 and its cumulative updates CU1, CU2, and CU3. Citrix has published guidance and fixed builds in the vendor knowledge base article CTX694718.
Critical Impact
A low-privileged local user can escalate to SYSTEM on Windows endpoints running vulnerable Citrix Workspace versions, giving full control of the affected host.
Affected Products
- Citrix Workspace app for Windows (LTSR branch) prior to fixed build
- Citrix Workspace app for Windows 2402 LTSR including CU1, CU2, and CU3
- Citrix Workspace app for Windows (current release) prior to the fixed build referenced in CTX694718
Discovery Timeline
- 2025-06-17 - CVE-2025-4879 published to NVD
- 2025-08-06 - Last updated in NVD database
Technical Details for CVE-2025-4879
Vulnerability Analysis
CVE-2025-4879 is a local privilege escalation issue in Citrix Workspace app for Windows. The vulnerability is categorized under [CWE-269: Improper Privilege Management], indicating that a privileged component of the product fails to correctly constrain actions performed on behalf of a lower-privileged caller. A locally authenticated user can leverage this gap to execute code or operations in the context of the NT AUTHORITY\SYSTEM account.
The attack surface is local only. Network exploitation is not in scope, and user interaction is not required once the attacker has any interactive or service-level foothold on the workstation. Successful exploitation yields full confidentiality, integrity, and availability impact on the affected endpoint.
Root Cause
Citrix has not published low-level technical detail beyond the advisory in CTX694718. The CWE-269 classification points to an improperly managed privilege boundary in a Citrix Workspace component running as SYSTEM, such as an installer, updater, or auxiliary service. Common patterns for this class of flaw include insecure file or registry ACLs, writable paths used by privileged binaries, or service operations that act on attacker-controlled inputs without validating the calling user's rights.
Attack Vector
Exploitation requires local access and low-privilege credentials on a Windows host where a vulnerable Citrix Workspace build is installed. The attacker abuses a privileged Workspace component to perform an action — for example, file write, process launch, or configuration change — that the underlying privilege model should not permit. The result is code execution under SYSTEM, which can be used to install persistence, disable security tooling, harvest credentials, or move laterally.
No public proof-of-concept exploit, exploit kit entry, or CISA KEV listing is associated with CVE-2025-4879 at the time of writing. Refer to the security advisory for technical details.
Detection Methods for CVE-2025-4879
Indicators of Compromise
- Unexpected child processes of Citrix Workspace services (for example, SelfServicePlugin.exe, Receiver.exe, or update components) spawning cmd.exe, powershell.exe, or other interpreters as SYSTEM.
- New or modified files in directories used by Citrix Workspace where the writable ACL grants access to standard users.
- Creation of new local administrator accounts, scheduled tasks, or services shortly after Citrix Workspace activity on the host.
Detection Strategies
- Hunt for process-lineage anomalies where a Citrix Workspace binary running as SYSTEM launches a non-Citrix process owned by a low-privileged user session.
- Monitor file and registry write events to Citrix Workspace install paths from non-SYSTEM, non-TrustedInstaller security contexts.
- Correlate Windows Security event 4672 (special privileges assigned) with Citrix Workspace process activity initiated from interactive user sessions.
Monitoring Recommendations
- Track installed Citrix Workspace versions across the fleet and flag any host still running 2402 LTSR (CU1, CU2, CU3) or other unpatched builds listed in CTX694718.
- Alert on service or scheduled task creation events (4697, 4698) immediately following Citrix Workspace process activity.
- Forward endpoint process, file, and registry telemetry to a central data lake to enable retrospective hunts once additional indicators are published.
How to Mitigate CVE-2025-4879
Immediate Actions Required
- Inventory all Windows endpoints with Citrix Workspace app installed and identify versions matching the vulnerable CPE ranges, including 2402 LTSR CU1, CU2, and CU3.
- Upgrade affected hosts to the fixed Citrix Workspace build identified in CTX694718.
- Restrict interactive logon and local account usage on systems that cannot be patched immediately, since exploitation requires local low-privileged access.
Patch Information
Citrix has published fixed builds and remediation guidance in the knowledge base article CTX694718. Apply the vendor-supplied update for both the current release and the LTSR 2402 branch. No supported workaround replaces the patch; upgrading is the authoritative fix.
Workarounds
- Limit which users can sign in interactively to systems running Citrix Workspace, reducing the population of accounts able to attempt local exploitation.
- Enforce application control to prevent execution of unauthorized binaries from user-writable directories used by standard accounts.
- Audit ACLs on Citrix Workspace installation directories and remove any non-default write permissions granted to standard users.
# Identify installed Citrix Workspace version on a Windows host (PowerShell)
Get-ItemProperty `
'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' |
Where-Object { $_.DisplayName -like 'Citrix Workspace*' } |
Select-Object DisplayName, DisplayVersion, InstallLocation
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
