Cyber Resilience

CVE-2020-8196

Medium · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 10 July 2020
Modified: 30 October 2025
KEV Added: 03 November 2021
Patch
CVSS Score v3.1: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
EPSS Score: 0.6811 (98.6th percentile)
Risk Priority: 69 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2020-8196 is a medium-severity Improper Access Control (CWE-284) vulnerability in Citrix Application Delivery Controller Firmware. Its CVSS base score is 4.3 (Medium).

Operationally, it ranks in the top 1.4% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2020-8196 is an improper access control vulnerability, also referenced under CWE-284 and CWE-287, that affects Citrix ADC and Citrix Gateway versions prior to 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14, and 10.5-70.18, as well as Citrix SD-WAN WAN-OP versions prior to 11.1.1a, 11.0.3d, and 10.2.7. The flaw permits limited information disclosure and carries a CVSS 3.1 base score of 4.3, reflecting network attack vector, low complexity, and low privileges required.

Low-privileged authenticated users can exploit the issue over the network to obtain restricted information that should otherwise be inaccessible, as demonstrated by public proof-of-concept material describing local file inclusion behavior in the affected appliances.

Citrix advisory CTX276688 addresses the affected products and provides updated builds that resolve the access control weakness; organizations are advised to apply the listed version upgrades. The vulnerability is also catalogued by CISA among actively exploited issues, indicating confirmed real-world targeting of unpatched Citrix deployments.

EU & UK References

Vulnerability details

Improper access control in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 resulting in limited information disclosure to low privileged users.

CWE(s)
KEV Date Added: 03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

citrix application delivery controller firmware: 10.5 — 10.5-70.18 · 11.1 — 11.1-64.14 · 12.0 — 12.0-63.21
citrix netscaler gateway firmware: 10.5 — 10.5-70.18 · 11.1 — 11.1-64.14 · 12.0 — 12.0-63.21
citrix gateway firmware: 13.0 — 13.0-58.30
citrix sd-wan wanop: 10.2 — 10.2.7 · 11.0 — 11.0.3d · 11.1 — 11.1.1a

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly enforces approved access control policies to block low-privileged users from obtaining restricted information on the Citrix appliance.

Prevent: Ensures users operate with the minimum set of privileges required, preventing the limited information disclosure granted to low-privileged accounts.

Prevent: Enforces information flow policies between security domains to stop unauthorized disclosure of restricted data over the network.

References