Cyber Resilience

CVE-2020-8193

Medium · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 10 July 2020
Modified: 30 October 2025
KEV Added: 03 November 2021
Patch: see Citrix advisory CTX276688
CVSS Score (v3.1): 6.5, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
EPSS Score: 0.9439 (100.0th percentile)
Risk Priority: 90 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2020-8193 is a medium-severity Improper Access Control (CWE-284) vulnerability in Citrix Application Delivery Controller Firmware. Its CVSS base score is 6.5 (Medium).

Operationally, it ranks in the top 0.0% of CVEs by exploit likelihood (EPSS 100.0th percentile); CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2020-8193 is an improper access control vulnerability, also referenced under CWE-284 and CWE-287, that affects Citrix ADC and Citrix Gateway versions prior to 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14, and 10.5-70.18, as well as Citrix SD-WAN WAN-OP versions prior to 11.1.1a, 11.0.3d, and 10.2.7. It permits unauthenticated access to specific URL endpoints on the affected appliances.

Remote unauthenticated attackers can exploit the flaw over the network without credentials or user interaction to read or modify limited data accessible through those endpoints. Public references describe related local file inclusion behavior that can be reached via the same access control weakness, producing a CVSS 6.5 impact focused on confidentiality and integrity.

Citrix advisory CTX276688 and associated patches address the issue by updating the listed product versions to enforce proper access controls on the affected endpoints. The vulnerability appears in the CISA Known Exploited Vulnerabilities catalog, confirming observed in-the-wild exploitation.
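The fixed builds listed above are what an asset owner needs to compare against. The following checker is an added example, not code from this page or from Citrix: it parses the two version formats the advisory uses (ADC/Gateway `13.0-58.30` style and SD-WAN WAN-OP `11.1.1a` style), reports whether a build is below the fixed build of its release train, and treats release trains the advisory does not list as unknown rather than silently marking them safe. The hostnames and inventory rows are constructed sample data.

```python
import re
from typing import Optional

# Fixed builds named in the advisory text above (Citrix CTX276688).
# ADC/Gateway versions look like "<major>.<minor>-<build>.<sub>" (13.0-58.30);
# SD-WAN WAN-OP versions look like "<major>.<minor>.<patch><letter>" (11.1.1a).
ADC_GATEWAY_FIXED = {(13, 0): (58, 30), (12, 1): (57, 18), (12, 0): (63, 21),
                     (11, 1): (64, 14), (10, 5): (70, 18)}
SDWAN_WANOP_FIXED = {(11, 1): (1, "a"), (11, 0): (3, "d"), (10, 2): (7, "")}
ADC_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")
SDWAN_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)$")

def adc_gateway_vulnerable(version: str) -> Optional[bool]:
    """True if an ADC/Gateway build is older than the fixed build of its release
    train, False if at or above it, None if unparseable or the train is unlisted."""
    m = ADC_RE.match(version.strip())
    if not m:
        return None
    major, minor, build, sub = (int(x) for x in m.groups())
    fixed = ADC_GATEWAY_FIXED.get((major, minor))
    return None if fixed is None else (build, sub) < fixed

def sdwan_wanop_vulnerable(version: str) -> Optional[bool]:
    """Same check for SD-WAN WAN-OP; a missing letter suffix sorts before 'a'."""
    m = SDWAN_RE.match(version.strip().lower())
    if not m:
        return None
    major, minor, patch, letter = m.groups()
    fixed = SDWAN_WANOP_FIXED.get((int(major), int(minor)))
    return None if fixed is None else (int(patch), letter) < fixed

def triage(inventory):
    """Map (hostname, product, version) rows, product 'adc' or 'sdwan', to
    (hostname, verdict) with verdict 'VULNERABLE', 'fixed' or 'unknown'."""
    out = []
    for host, product, version in inventory:
        check = adc_gateway_vulnerable if product == "adc" else sdwan_wanop_vulnerable
        r = check(version)
        out.append((host, "unknown" if r is None else "VULNERABLE" if r else "fixed"))
    return out

# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE_INVENTORY = [
    ("adc-edge-01", "adc", "13.0-47.24"),  # below 13.0-58.30 -> VULNERABLE
    ("adc-edge-02", "adc", "12.1-57.18"),  # exactly the fixed build -> fixed
    ("adc-lab-01", "adc", "13.1-4.43"),    # train not in the advisory -> unknown
    ("wanop-01", "sdwan", "11.0.3c"),      # below 11.0.3d -> VULNERABLE
]
```

An "unknown" verdict is a prompt to check the vendor advisory for that train, not a clean bill of health.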

EU & UK References

Vulnerability details

Improper access control in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 allows unauthenticated access to certain URL endpoints.

CWE(s): CWE-284, CWE-287
KEV Date Added: 03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Citrix Application Delivery Controller firmware: 10.5 (before 10.5-70.18), 11.1 (before 11.1-64.14), 12.0 (before 12.0-63.21)
Citrix NetScaler Gateway firmware: 10.5 (before 10.5-70.18), 11.1 (before 11.1-64.14), 12.0 (before 12.0-63.21)
Citrix Gateway firmware: 13.0 (before 13.0-58.30)
Citrix SD-WAN WANOP: 10.2 (before 10.2.7), 11.0 (before 11.0.3d), 11.1 (before 11.1.1a)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent (AC-3, Access Enforcement): Directly enforces approved access policies on URL endpoints, blocking the unauthenticated access that defines this CVE.

Prevent: Requires identification and authentication prior to granting access, eliminating the unauthenticated entry point exploited by CVE-2020-8193.

Prevent (AC-6, Least Privilege): Limits privileges to the minimum required, preventing the excessive endpoint access granted to unauthenticated users in this vulnerability.

References