cbcvebase.
CVE-2020-8271
published 2020-11-16

CVE-2020-8271: Unauthenticated remote code execution with root privileges in Citrix SD-WAN Center versions before 11.2.2, 11.1.2b and 10.2.8

PriorityP273critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
11.08%
95.4th percentile
Unauthenticated remote code execution with root privileges in Citrix SD-WAN Center versions before 11.2.2, 11.1.2b and 10.2.8

Affected

6 ranges
VendorProductVersion rangeFixed in
citrixcitrix_sd-wan
citrixsd-wan
citrixsd-wan>= 10.2.0 < 10.2.810.2.8
citrixsd-wan>= 11.1.0 < 11.1.2b11.1.2b
citrixsd-wan>= 11.2.0 < 11.2.211.2.2
citrixxenserver

Detection & IOCsextracted from sources · hover to see the quote

snort
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Citrix SD-WAN Unauthenticated RCE (CVE-2020-8271)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"|3a 2f 2f 3f 2f|collector|2f|"; fast_pattern; reference:cve,2020-8271; classtype:attempted-admin; sid:2035093; rev:1; metadata:attack_target Server, created_at 2022_02_03, cve CVE_2020_8271, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2022_02_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
bytes
|3a 2f 2f 3f 2f|collector|2f|
  • Exploit traffic uses HTTP POST method targeting a URI containing the byte pattern |3a 2f 2f 3f 2f| followed by 'collector/' — monitor inbound POST requests to SD-WAN Center Management IP/FQDN for this URI pattern.
  • CVE-2020-8271 is a Path Traversal (CWE-23) vulnerability enabling unauthenticated RCE as root; no authentication is required, so any inbound connection to SD-WAN Center's Management IP/FQDN from untrusted sources should be treated as high-risk.
  • Restrict network access to SD-WAN Center's Management IP/FQDN to trusted sources only; the pre-condition for exploitation is solely network reachability.
  • ·Affected versions are Citrix SD-WAN Center 11.2 before 11.2.2, 11.1 before 11.1.2b, and 10.2 before 10.2.8. Versions outside these branches are End of Life and unsupported — they remain vulnerable with no patch available.

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.010.0CRITICALAV:N/AC:L/Au:N/C:C/I:C/A:C
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.