CVE-2020-8269
published 2020-11-16


Priority: P184 | high | 8.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
Tags: ITW (exploited in the wild), VulnCheck KEV, Ransomware
EPSS: 2.57% (83.2th percentile)
An unprivileged Windows user on the VDA can perform arbitrary command execution as SYSTEM in CVAD versions before 2009, 1912 LTSR CU1 hotfixes CTX285870 and CTX286120, 7.15 LTSR CU6 hotfix CTX285344 and 7.6 LTSR CU9

Affected

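15 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| citrix | citrix_virtual_apps_and_desktops | | |
| citrix | citrix_xenapp | | |
| citrix | virtual_apps_and_desktops | <= 2006 | |
| citrix | virtual_apps_and_desktops | 1903 – 1912 | |
| citrix | xenapp | < 7.6 | 7.6 |
| citrix | xenapp | | |
| citrix | xenapp | | |
| citrix | xenapp | | |
| citrix | xenapp | >= 7.7 < 7.15 | 7.15 |
| citrix | xendesktop | < 7.6 | 7.6 |
| citrix | xendesktop | | |
| citrix | xendesktop | | |
| citrix | xendesktop | | |
| citrix | xendesktop | >= 7.7 < 7.15 | 7.15 |
| citrix | xenserver | | |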

Detection & IOCs (extracted from sources)

  • Target privilege escalation vector: attacker must have write access to the C:\ root directory on a multi-session Windows VDA to escalate to SYSTEM
  • Exploitation results in arbitrary command execution as SYSTEM from an unprivileged/authenticated Windows user on a multi-session VDA — monitor for SYSTEM-level process creation spawned from low-privileged user sessions on Citrix VDAs
  • Vulnerability class is CWE-269 (Improper Privilege Management) on multi-session VDA; look for unexpected SYSTEM-context processes or services launched from authenticated user sessions on Citrix Virtual Apps and Desktops multi-session VDAs
  • Exploitation requires the attacker to be an authenticated user who has been granted write access to the C:\ root directory; environments where C:\ write access is restricted to privileged users are less exposed
  • Affected versions include Citrix Virtual Apps and Desktops 2006 and earlier, 1912 LTSR CU1 and earlier, XenApp/XenDesktop 7.15 LTSR CU6 and earlier, and 7.6 LTSR CU8 and earlier; patched versions are 2009+, 1912 LTSR CU1 with hotfixes CTX285870/CTX286120, 7.15 LTSR CU6 with hotfix CTX285344, and 7.6 LTSR CU9
  • CVE-2020-8269 specifically affects multi-session Windows VDAs only; single-session VDAs are not mentioned as in scope for this CVE

CVSS provenance

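| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |
| vulncheck | | 8.8 | HIGH | |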