Cyber Resilience

CVE-2017-6316

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 20 July 2017

Modified: 21 April 2026
KEV Added: 25 March 2022
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.8790 (99.5th percentile)
Risk Priority: 92 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2017-6316 is a critical-severity vulnerability, with an unspecified weakness type, in Citrix NetScaler SD-WAN. Its CVSS base score is 9.8 (Critical).

Operationally, it is ranked in the top 0.5% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).

Deeper analysis

Citrix NetScaler SD-WAN appliances through version 9.1.2.26.561201 contain a remote command execution flaw that permits unauthenticated attackers to run arbitrary shell commands as root by supplying a crafted CGISESSID cookie; the same issue previously affected CloudBridge devices under the cookie name CAKEPHP. The vulnerability received a CVSS v3 score of 9.8, reflecting network attack vector, low complexity, and no required privileges or user interaction.

An attacker with network access to the management interface can therefore achieve full system compromise simply by sending a malicious cookie value, bypassing all authentication controls and obtaining a root shell on the device.

Citrix addressed the issue in security bulletin CTX225990, while public exploit code has been published on Exploit-DB. The flaw affects the web management component and requires no special configuration beyond the default cookie handling present in the listed firmware versions.

Vulnerability details

Citrix NetScaler SD-WAN devices through v9.1.2.26.561201 allow remote attackers to execute arbitrary shell commands as root via a CGISESSID cookie. On CloudBridge (the former name of NetScaler SD-WAN) devices, the cookie name was CAKEPHP rather than CGISESSID.

CWE(s)
KEV Date Added: 25 March 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

citrix · netscaler sd-wan · ≤ 9.1.2.26.561201

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces authentication and authorization checks on the management interface before any cookie-derived session can execute root-level commands.

prevent

Requires non-bypassable identification and authentication for all organizational users accessing the SD-WAN web management component.

prevent

Mandates validation of the CGISESSID (or CAKEPHP) cookie value to reject malformed content that would otherwise result in arbitrary shell command execution.
