Only XenServer 7.0 deployments that have been upgraded from earlier releases are affected. Earlier releases are unaffected, nor are new deployments of XenServer 7.0.
Only deployments where Active Directory has been continuously enabled from before the upgrade to XenServer 7.0 are affected. If Active Directory was disabled at the time of upgrade or has been disabled since, even if only briefly, the deployment is unaffected.
To exploit the vulnerability, an attacker requires access to the management network of the host XenServer. Citrix recommends that the XenServer management network is an isolated network.