CVE-2020-8271
published 2020-11-16CVE-2020-8271: Unauthenticated remote code execution with root privileges in Citrix SD-WAN Center versions before 11.2.2, 11.1.2b and 10.2.8
PriorityP273critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
11.08%
95.4th percentile
Unauthenticated remote code execution with root privileges in Citrix SD-WAN Center versions before 11.2.2, 11.1.2b and 10.2.8
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| citrix | citrix_sd-wan | — | — |
| citrix | sd-wan | — | — |
| citrix | sd-wan | >= 10.2.0 < 10.2.8 | 10.2.8 |
| citrix | sd-wan | >= 11.1.0 < 11.1.2b | 11.1.2b |
| citrix | sd-wan | >= 11.2.0 < 11.2.2 | 11.2.2 |
| citrix | xenserver | — | — |
Detection & IOCsextracted from sources · hover to see the quote
snort
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Citrix SD-WAN Unauthenticated RCE (CVE-2020-8271)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"|3a 2f 2f 3f 2f|collector|2f|"; fast_pattern; reference:cve,2020-8271; classtype:attempted-admin; sid:2035093; rev:1; metadata:attack_target Server, created_at 2022_02_03, cve CVE_2020_8271, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2022_02_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
bytes
|3a 2f 2f 3f 2f|collector|2f|
- →Exploit traffic uses HTTP POST method targeting a URI containing the byte pattern |3a 2f 2f 3f 2f| followed by 'collector/' — monitor inbound POST requests to SD-WAN Center Management IP/FQDN for this URI pattern.
- →CVE-2020-8271 is a Path Traversal (CWE-23) vulnerability enabling unauthenticated RCE as root; no authentication is required, so any inbound connection to SD-WAN Center's Management IP/FQDN from untrusted sources should be treated as high-risk. ↗
- →Restrict network access to SD-WAN Center's Management IP/FQDN to trusted sources only; the pre-condition for exploitation is solely network reachability. ↗
- ·Affected versions are Citrix SD-WAN Center 11.2 before 11.2.2, 11.1 before 11.1.2b, and 10.2 before 10.2.8. Versions outside these branches are End of Life and unsupported — they remain vulnerable with no patch available. ↗
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.010.0CRITICALAV:N/AC:L/Au:N/C:C/I:C/A:C
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-wmcj-6965-gm4j: Unauthenticated remote code execution with root privileges in Citrix SD-WAN Center versions before 11
ghsa_unreviewed·2022-05-24
CVE-2020-8271 [CRITICAL] CWE-22 GHSA-wmcj-6965-gm4j: Unauthenticated remote code execution with root privileges in Citrix SD-WAN Center versions before 11
Unauthenticated remote code execution with root privileges in Citrix SD-WAN Center versions before 11.2.2, 11.1.2b and 10.2.8
Citrix
CVE-2020-8271: Unauthenticated remote code execution with root privileges in Citrix SD-WAN Center versions before 11.2.2, 11.1.2b and 10.2.8
vendor_citrix·2020-11-16·CVSS 9.8
CVE-2020-8271 [CRITICAL] CWE-23 CVE-2020-8271: Unauthenticated remote code execution with root privileges in Citrix SD-WAN Center versions before 11.2.2, 11.1.2b and 10.2.8
CVE-2020-8271: Unauthenticated remote code execution with root privileges in Citrix SD-WAN Center versions before 11.2.2, 11.1.2b and 10.2.8
Citrix
Citrix SDWAN Center Security Update
vendor_citrix·CVSS 9.8
CVE-2020-8271 [CRITICAL] CWE-23 Citrix SDWAN Center Security Update
Citrix SDWAN Center Security Update
of Problem Multiple vulnerabilities have been discovered in Citrix SD-WAN Center that, if exploited, could allow an unauthenticated attacker with network access to SD-WAN Center to perform arbitrary code execution as root. These vulnerabilities have the following identifiers: CVE Description Vulnerability Type Pre-conditions CVE-2020-8271 Unauthenticated remote code execution with root privileges CWE-23: Path Traversal An attacker must be able to communicate with SD-WAN Center's Management IP/FQDN CVE-2020-8272 Authentication Bypass resulting in exposure of SD-WAN functionality CWE-287: Improper Authentication An attacker must be able to communicate with SD-WAN Center's Management IP/FQDN CVE-2020-8273 Privilege escalation of an authenticated user to ro
Suricata
ET EXPLOIT Citrix SD-WAN Unauthenticated RCE (CVE-2020-8271)
suricata·2022-02-03·CVSS 9.8
CVE-2020-8271 [CRITICAL] ET EXPLOIT Citrix SD-WAN Unauthenticated RCE (CVE-2020-8271)
ET EXPLOIT Citrix SD-WAN Unauthenticated RCE (CVE-2020-8271)
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Citrix SD-WAN Unauthenticated RCE (CVE-2020-8271)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"|3a 2f 2f 3f 2f|collector|2f|"; fast_pattern; reference:cve,2020-8271; classtype:attempted-admin; sid:2035093; rev:1; metadata:attack_target Server, created_at 2022_02_03, cve CVE_2020_8271, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2022_02_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
No public exploits indexed.
No writeups or analysis indexed.
2020-11-16
Published