CVE-2019-10883
published 2019-06-03

CVE-2019-10883: Citrix SD-WAN Center 10.2.x before 10.2.1 and NetScaler SD-WAN Center 10.0.x before 10.0.7 allow Command Injection.

Priority: P272
Severity: critical, 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 65.49% (99.2th percentile)

Affected

8 ranges
Vendor | Product | Version range | Fixed in
citrix | citrix_sd-wan | |
citrix | citrix_sd-wan_center | 10.1.0 – 10.1.2 |
citrix | citrix_sd-wan_center | >= 10.2.0 < 10.2.1 | 10.2.1
citrix | netscaler_adc_gateway | |
citrix | netscaler_sd-wan_center | >= 10.0.0 < 10.0.7 | 10.0.7
citrix | netscaler_sd-wan_center | 9.1 – 9.3.6 |
citrix | sd-wan | |
citrix | xenserver | |

Detection & IOCs (extracted from sources)

path: /home/talariuser/www/app/Controller/UsersController.php
url: https://[target_host]/login
command: curl -skv --tlsv1.2 -d '_method=POST&data%5BUser%5D%5Busername%5D=%60sudo%20id%20>/tmp/test%60&data%5BUser%5D%5Bpassword%5D=my_password&data%5BUser%5D%5BsecPassword%5D=my_secPassword' ' https://[target_host]/login '
  • Monitor HTTP POST requests to /login endpoint containing backtick-encoded command injection payloads in the username field (URL-encoded backticks: %60) targeting Citrix SD-WAN Center management console.
  • Alert on POST body parameters containing `_method=POST` combined with URL-encoded backtick characters (%60) in `data[User][username]`, indicative of OS command injection attempts against UsersController.php.
  • The vulnerability is exploitable by unauthenticated attackers; detect unauthenticated POST requests to the SD-WAN Center management console /login path with anomalous username field content.
  • Restrict and monitor access to the SD-WAN Center management console; unexpected access from untrusted networks should be alerted on.
  • Vulnerability affects Citrix SD-WAN Center 10.2.x before 10.2.1 and NetScaler SD-WAN Center 10.0.x before 10.0.7 only; patched versions are not vulnerable.
  • The injection point is specifically the $username parameter in UsersController.php; detection rules should target this specific parameter and controller path.
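
One way to implement the /login checks above over captured requests, as an added example that is not part of the original record or any vendor tooling. The function names, the extra metacharacters beyond the backtick, the repeated-decoding step and the sample requests are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs, unquote

USERNAME_FIELD = "data[User][username]"   # form key from the page's indicator
# Backtick is the page's indicator; the other metacharacters are an assumed widening.
SHELL_META = re.compile(r"[`$|;&<>\n]")

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so %2560 (double-encoded backtick) is caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_login_post(method, path, body):
    """Return a finding dict when a /login POST carries shell metacharacters
    in the username field, otherwise None."""
    if method.upper() != "POST" or path.split("?", 1)[0].rstrip("/") != "/login":
        return None
    fields = parse_qs(body, keep_blank_values=True)  # decodes %5B, %5D, %60 once
    for raw in fields.get(USERNAME_FIELD, []):
        value = fully_decode(raw)
        hits = sorted(set(SHELL_META.findall(value)))
        if hits:
            return {"field": USERNAME_FIELD, "metachars": hits,
                    "method_override": "_method" in fields, "username": value}
    return None

# Constructed sample requests (method, path, body); not real traffic.
SAMPLES = [
    ("POST", "/login", "_method=POST&data%5BUser%5D%5Busername%5D=admin&data%5BUser%5D%5Bpassword%5D=x"),
    ("POST", "/login", "_method=POST&data%5BUser%5D%5Busername%5D=%60sudo%20id%20>/tmp/test%60&data%5BUser%5D%5Bpassword%5D=my_password"),
    ("POST", "/login", "_method=POST&data%5BUser%5D%5Busername%5D=%2560id%2560&data%5BUser%5D%5Bpassword%5D=x"),
    ("GET", "/login", ""),
]

def scan(samples=SAMPLES):
    """Return the findings for every sample that matches."""
    return [f for f in (inspect_login_post(*s) for s in samples) if f]

if __name__ == "__main__":
    for finding in scan():
        print(finding)
```

Matching on the decoded field rather than on the literal string %60 keeps the rule working when the proxy or WAF logs bodies already decoded, or when the backtick arrives double-encoded.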

CVSS provenance

nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C