CVE-2020-8193
Published: 10 July 2020
Summary
CVE-2020-8193 is a medium-severity Improper Access Control (CWE-284) vulnerability in Citrix Application Delivery Controller Firmware. Its CVSS base score is 6.5 (Medium).
Operationally, it is ranked in the top 0.0% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2020-8193 is an improper access control vulnerability, also referenced under CWE-284 and CWE-287, that affects Citrix ADC and Citrix Gateway versions prior to 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14, and 10.5-70.18, as well as Citrix SD-WAN WAN-OP versions prior to 11.1.1a, 11.0.3d, and 10.2.7. It permits unauthenticated access to specific URL endpoints on the affected appliances.
Remote unauthenticated attackers can exploit the flaw over the network without credentials or user interaction to read or modify limited data accessible through those endpoints. Public references describe related local file inclusion behavior that can be reached via the same access control weakness, producing a CVSS 6.5 impact focused on confidentiality and integrity.
Citrix advisory CTX276688 and associated patches address the issue by updating the listed product versions to enforce proper access controls on the affected endpoints. The vulnerability appears in the CISA Known Exploited Vulnerabilities catalog, confirming observed in-the-wild exploitation.
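A version check against the Citrix ADC and Gateway fixed builds listed above, as an added example that is not part of the original page or any Citrix tooling. The hostnames and version strings are constructed, and the `NS13.0: Build 47.24.nc` banner format is an assumption; SD-WAN WAN-OP version strings are not handled and are reported as unknown.

```python
import re

# First fixed build per ADC/Gateway release branch, taken from the page text.
FIXED_BUILDS = {
    (13, 0): (58, 30),
    (12, 1): (57, 18),
    (12, 0): (63, 21),
    (11, 1): (64, 14),
    (10, 5): (70, 18),
}
# Matches "13.0-58.30" and banner-style "NS13.0: Build 47.24.nc" (assumed format).
BUILD_RE = re.compile(r"(\d+)\.(\d+)\D+?(\d+)\.(\d+)")

def parse_build(text):
    """Return ((major, minor), (build, patch)), or None if unrecognised."""
    m = BUILD_RE.search(text)
    if not m:
        return None
    major, minor, build, patch = map(int, m.groups())
    return (major, minor), (build, patch)

def assess(text):
    """Classify one version string against the fixed builds."""
    parsed = parse_build(text)
    if parsed is None:
        return "unknown"            # e.g. SD-WAN WAN-OP strings such as 11.1.1a
    branch, build = parsed
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        return "unlisted-branch"    # branch not named on the page: review by hand
    return "vulnerable" if build < fixed else "fixed"

def triage(inventory):
    """Group hostnames by status so unknowns are not silently treated as safe."""
    out = {}
    for host, version in inventory.items():
        out.setdefault(assess(version), []).append(host)
    return {status: sorted(hosts) for status, hosts in out.items()}

# Constructed inventory (hostnames and versions are illustrative only).
SAMPLE = {
    "adc-edge-01": "NS13.0: Build 47.24.nc", "adc-edge-02": "13.0-58.30",
    "gw-dmz-01": "12.1-57.18", "gw-dmz-02": "11.1-63.15",
    "adc-old-01": "10.5-70.12", "adc-new-01": "13.1-12.50",
    "sdwan-01": "11.1.1a",
}

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE).items()):
        print(f"{status}: {', '.join(hosts)}")
```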
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-29070
Vulnerability details
Improper access control in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 allows unauthenticated access to certain URL endpoints.
- CWE(s)
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
Directly enforces approved access policies on URL endpoints, blocking the unauthenticated access that defines this CVE.
Requires identification and authentication prior to granting access, eliminating the unauthenticated entry point exploited by CVE-2020-8193.
Limits privileges to the minimum required, preventing the excessive endpoint access granted to unauthenticated users in this vulnerability.