⚠ Actively exploited
Added to CISA KEV on 2022-03-25. Federal agencies required to patch by 2022-04-15. Required action: Apply updates per vendor instructions.

CVE-2017-6316: Improper Input Validation in Citrix NetScaler SD-WAN

Severity: 9.8 CRITICAL (NVD)
EPSS: 87.8% (top 0.52%)
CISA KEV: Added 2022-03-25, Due 2022-04-15
Exploit: Exploited in wild, active exploitation observed
Timeline
Published: Jul 20, 2017
KEV added: Mar 25, 2022
KEV due: Apr 15, 2022
Latest update: May 17, 2022
CISA Required Action: Apply updates per vendor instructions.

Description

Citrix NetScaler SD-WAN devices through v9.1.2.26.561201 allow remote attackers to execute arbitrary shell commands as root via a CGISESSID cookie. On CloudBridge (the former name of NetScaler SD-WAN) devices, the cookie name was CAKEPHP rather than CGISESSID.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages: 10 packages

🔴 Vulnerability Details (2)

GHSA
GHSA-9f8x-323m-6vw4: Citrix NetScaler SD-WAN devices through v9 (2022-05-17)
VulnCheck
Citrix Multiple Products Remote Code Execution Vulnerability (2017)

💥 Exploits & PoCs (2)

Exploit-DB
Citrix CloudBridge - 'CAKEPHP' Cookie Command Injection (2017-07-19)
Exploit-DB
Netscaler SD-WAN 9.1.2.26.561201 - Command Injection (Metasploit) (2017-07-19)

🔍 Detection Rules (2)

Suricata
ET EXPLOIT Citrix NetScaler SD-WAN 9.1.2.26.561201 Devices CVE-2017-6316 (Outbound) (2019-12-16)
Suricata
ET EXPLOIT Citrix NetScaler SD-WAN 9.1.2.26.561201 Devices CVE-2017-6316 (Inbound) (2019-12-16)

📋 Vendor Advisories (3)

CISA
Citrix Multiple Products Remote Code Execution Vulnerability (2022-03-25)
Citrix
CVE-2017-6316: Citrix NetScaler SD-WAN devices through v9.1.2.26.561201 allow remote attackers to execute arbitrary shell commands as root via a CGISESSID cookie. On (2017-07-20)
Citrix
Citrix Security Bulletin CTX225990

🕵️ Threat Intelligence (4)

Unit42
Mirai Variant ECHOBOT Resurfaces with 13 Previously Unexploited Vulnerabilities (2019-12-13)
Tenable
Critical OS Command Injection Vulnerability in Citrix SD-WAN Center Discovered (2019-04-11)
Tenable
Citrix SD-WAN Center and NetScaler SD-WAN Center Unauthenticated Remote Command Injection (2019-04-10)