CVE-2014-7140
published 2014-10-21CVE-2014-7140: Unspecified vulnerability in the management interface in Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway 10.x before 10.1-129.11…
PriorityP262high7.5CVSS 2.0
AVNACLAuNCPIPAP
EXPLOIT
EPSS
16.19%
96.5th percentile
Unspecified vulnerability in the management interface in Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway 10.x before 10.1-129.11 and 10.5 before 10.5-50.10 allows remote attackers to execute arbitrary code via unknown vectors.
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| citrix | citrix_adm | — | — |
| citrix | citrix_hypervisor | — | — |
| citrix | citrix_virtual_apps_and_desktops | — | — |
| citrix | endpoint_management | — | — |
| citrix | netscaler_adc | — | — |
| citrix | netscaler_adc_gateway | — | — |
| citrix | netscaler_application_delivery_controller_firmware | — | — |
| citrix | netscaler_application_delivery_controller_firmware | — | — |
| citrix | netscaler_application_delivery_controller_firmware | — | — |
| citrix | netscaler_gateway | — | — |
| citrix | xenserver | — | — |
Detection & IOCsextracted from sources · hover to see the quote
bytes↗
0xa5a50000
bytes↗
\x00\x00\xa5\xa5
bytes↗
\x81\xc4\x54\xf2\xff\xff
- →Detect exploit check: HTTP GET to /soap returning HTTP 200 with body matching 'Server Request Handler.*No body received' indicates a vulnerable/exposed SOAP endpoint. ↗
- →Exploit sends a POST request to /soap containing a malicious SOAP body that references an attacker-controlled host and port (default 3010) as a NetScaler config server. Monitor for outbound connections from the NetScaler management interface to unexpected external hosts on port 3010. ↗
- →The malicious config server response begins with a 2-byte little-endian length field followed by the magic bytes 0x00 0x00 0xa5 0xa5. Detect this binary protocol pattern on port 3010 in network traffic. ↗
- →The exploit targets the SOAP handler in the NetScaler web management interface (apache2 process). Exploitation results in arbitrary code execution with web server privileges on BSD platform (x86). Monitor apache2 child processes for anomalous child spawning or shell execution. ↗
- →The stack pivot prepend encoder bytes (\x81\xc4\x54\xf2\xff\xff — 'add esp, -3500') will appear at the start of shellcode in memory or network payload. Use this as a memory/network signature. ↗
- ·The exploit targets NetScaler Virtual Appliance version 450010 specifically, using hardcoded memory addresses. The RwPtr (apache2 rw address) is fixed at 0x80b9000, valid only because the virtual appliance lacks ASLR/DEP. Physical appliances or other versions will have different addresses. ↗
- ·The exploit includes a bruteforce mode for the return address, sweeping from 0xffffec00 (bottom of stack) to 0xfffdf000 (top of stack) in steps of 256 bytes. This bruteforce is only viable because the target is an apache child process without ASLR. ↗
- ·Affected versions are NetScaler ADC and NetScaler Gateway 10.x before 10.1-129.11 and 10.5 before 10.5-50.10. Versions outside this range are not confirmed vulnerable. ↗
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Citrix
CVE-2014-7140: Unspecified vulnerability in the management interface in Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway 10.x before 10.1
vendor_citrix·2014-10-21·CVSS 7.5
CVE-2014-7140 [HIGH] CVE-2014-7140: Unspecified vulnerability in the management interface in Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway 10.x before 10.1
CVE-2014-7140: Unspecified vulnerability in the management interface in Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway 10.x before 10.1-129.11 and 10.5 before 10.5-50.10 allows remote attackers to execute arbitrary code via unknown vectors.
Citrix
Citrix Security Bulletin CTX200206
vendor_citrix·CVSS 7.5
CVE-2014-7140 [HIGH] Citrix Security Bulletin CTX200206
Citrix Security Bulletin CTX200206
CVE References: CVE-2014-7140, CVE-2025-12101, CVE-2025-62626, CVE-2026-23554, CVE-2026-3055, CVE-2026-4368, CVE-2026-4397
Affected Products: Citrix ADM, Citrix Hypervisor, Citrix Virtual Apps and Desktops, Endpoint Management, NetScaler ADC, NetScaler Gateway, XenServer
GHSA
GHSA-62mp-vmwr-c2jw: Unspecified vulnerability in the management interface in Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway 10
ghsa_unreviewed·2022-05-17
CVE-2014-7140 [HIGH] GHSA-62mp-vmwr-c2jw: Unspecified vulnerability in the management interface in Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway 10
Unspecified vulnerability in the management interface in Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway 10.x before 10.1-129.11 and 10.5 before 10.5-50.10 allows remote attackers to execute arbitrary code via unknown vectors.
No detection rules found.
No writeups or analysis indexed.
2014-10-21
Published