CVE-2020-8270
published 2020-11-16

CVE-2020-8270: An unprivileged Windows user on the VDA or an SMB user can perform arbitrary command execution as SYSTEM in CVAD versions before 2009, 1912 LTSR CU1 hotfixes…

Priority: P1 · 85 · high · 8.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
Tags: ITW, VulnCheck KEV, Ransomware
Exploited in the wild
EPSS: 3.34% (87.1th percentile)

An unprivileged Windows user on the VDA or an SMB user can perform arbitrary command execution as SYSTEM in CVAD versions before 2009, 1912 LTSR CU1 hotfixes CTX285871 and CTX285872, 7.15 LTSR CU6 hotfix CTX285341 and CTX285342

Affected

7 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| citrix | citrix_virtual_apps_and_desktops | | |
| citrix | citrix_xenapp | | |
| citrix | virtual_apps_and_desktops | <= 2006 | |
| citrix | virtual_apps_and_desktops | 1903 – 1912 | |
| citrix | xenapp | | |
| citrix | xendesktop | | |
| citrix | xenserver | | |

Detection & IOCs (extracted from sources)

  • CVE-2020-8270 is exploitable when Citrix App-V Service is installed on the VDA; detection should focus on unexpected SYSTEM-level process spawning from the App-V service process on Windows VDAs
  • Monitor for OS command injection attempts (CWE-78) originating from the Citrix App-V Service on VDAs, particularly commands executing as SYSTEM from non-privileged user sessions
  • Alert on SMB-authenticated remote connections to Windows VDAs that subsequently trigger SYSTEM-level command execution, as SMB users can exploit this remotely when App-V Service and Windows file sharing are both enabled
  • CVE-2020-8270 only affects VDAs where Citrix App-V Service is installed; VDAs without App-V Service are not vulnerable to this specific CVE
  • Citrix XenApp/XenDesktop 7.6 LTSR is explicitly NOT affected by CVE-2020-8270, only by the other CVEs in this advisory
  • Affected versions include Citrix Virtual Apps and Desktops 2006 and earlier, 1912 LTSR CU1 and earlier, and XenApp/XenDesktop 7.15 LTSR CU6 and earlier; fixed in CVAD 2009+, 1912 LTSR CU1 hotfixes CTX285871/CTX285872, and 7.15 LTSR CU6 hotfixes CTX285341/CTX285342

CVSS provenance

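| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |
| vulncheck | | 8.8 | HIGH | |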