Cyber Resilience

CVE-2019-12991

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · RCE

Published: 16 July 2019

Modified: 06 November 2025
KEV Added: 25 March 2022
Patch
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.8081 (99.2th percentile)
Risk Priority: 86 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2019-12991 is a high-severity OS Command Injection (CWE-78) vulnerability in Citrix NetScaler SD-WAN. Its CVSS base score is 8.8 (High).

Operationally, it is ranked in the top 0.8% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

Citrix SD-WAN 10.2.x before 10.2.3 and NetScaler SD-WAN 10.0.x before 10.0.8 contain an improper input validation vulnerability tracked as CVE-2019-12991 and classified as CWE-78. The flaw is one of six related issues in the affected releases and carries a CVSS 3.1 score of 8.8, reflecting a network attack vector, low complexity, and low required privileges.

An attacker with low-privileged network access can supply crafted input that bypasses validation checks, enabling authentication bypass followed by remote command execution. Successful exploitation grants full control over the appliance, allowing arbitrary command execution with impacts to confidentiality, integrity, and availability.

Citrix advisory CTX251987 and associated Tenable research note that the issues are resolved in SD-WAN 10.2.3 and NetScaler SD-WAN 10.0.8. Public proof-of-concept code demonstrating the authentication bypass and remote command execution path has been published on Packet Storm.

Vulnerability details

Citrix SD-WAN 10.2.x before 10.2.3 and NetScaler SD-WAN 10.0.x before 10.0.8 have Improper Input Validation (issue 5 of 6).

CWE(s): CWE-78
KEV Date Added: 25 March 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

citrix · netscaler sd-wan · 10.0.0 to 10.0.8
citrix · sd-wan · 10.2.0 to 10.2.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent

Directly requires validation of all inputs to the SD-WAN appliance, blocking the crafted data that triggers the CWE-78 command injection and subsequent auth bypass.

prevent

Enforces access-control decisions on every network request, preventing the low-privilege authentication bypass that leads to RCE.

prevent

Requires identification and authentication of organizational users before any privileged actions, mitigating the authentication-bypass path described in the CVE.