CVE-2021-22941
Published: 23 September 2021
Summary
CVE-2021-22941 is a critical-severity Improper Access Control (CWE-284) vulnerability in the Citrix ShareFile storage zones controller. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.5% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-17 (Remote Access).
Deeper analysis
CVE-2021-22941 is an improper access control vulnerability, tracked under CWE-284, that affects Citrix ShareFile storage zones controller versions prior to 5.11.20. The flaw resides in the storage zones controller component and carries a CVSS 3.1 base score of 9.8, reflecting a network-accessible attack with low complexity and no authentication or user interaction required.
An unauthenticated remote attacker can exploit the weakness to fully compromise the storage zones controller, obtaining unauthorized access that impacts the confidentiality, integrity, and availability of the affected system.
Citrix has published remediation guidance in article CTX328123, which addresses the affected storage zones controller releases. The vulnerability is also catalogued by CISA as actively exploited in the wild, confirming real-world attacks against unpatched deployments.
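Because the advisory defines the affected population purely by version ("before 5.11.20"), the practical first step for a defender is an inventory sweep that compares each controller's reported version against the fixed release. The following is an added example, not Citrix's code or anything from the advisory: it assumes a constructed inventory (the hostnames and version strings are made up) and shows why the comparison must be numeric per component rather than a plain string comparison, which silently misses releases such as 5.9.x.

```python
"""Flag ShareFile storage zones controllers still below the fixed release.

Added example, not Citrix's code. The inventory below is constructed for the
example; only the fixed version 5.11.20 comes from the advisory text.
"""
from __future__ import annotations

FIXED_VERSION = "5.11.20"  # first release not affected by CVE-2021-22941


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '5.11.20' into (5, 11, 20) so components compare numerically."""
    parts = version.strip().split(".")
    try:
        return tuple(int(p) for p in parts)
    except ValueError as exc:
        raise ValueError(f"unparseable version string: {version!r}") from exc


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `version` is strictly below the fixed release.

    Tuples of differing length compare element-wise and then by length, so
    (5, 11) < (5, 11, 20) and (5, 11, 20, 1) > (5, 11, 20), which matches the
    usual reading of 'before 5.11.20'.
    """
    return parse_version(version) < parse_version(fixed)


def lexical_is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """The naive string comparison quick scripts often use; included only to
    show where it goes wrong (e.g. '5.9.5' sorts after '5.11.20' as text)."""
    return version < fixed


# Constructed inventory: hostnames and versions are made up for the example.
INVENTORY = [
    {"host": "szc-01.example.test", "version": "5.11.20"},
    {"host": "szc-02.example.test", "version": "5.11.19"},
    {"host": "szc-03.example.test", "version": "5.9.5"},
    {"host": "szc-04.example.test", "version": "5.11.21"},
]


def affected_hosts(inventory=INVENTORY) -> list[str]:
    """Hostnames whose controller version is still below the fixed release."""
    return sorted(item["host"] for item in inventory if is_affected(item["version"]))


if __name__ == "__main__":
    for item in INVENTORY:
        v = item["version"]
        print(f"{item['host']:22} {v:8} numeric={is_affected(v)!s:5} "
              f"lexical={lexical_is_affected(v)}")
    print("needs patching:", affected_hosts())
```

Running the block prints one line per host; note that the lexical column reports szc-03 (5.9.5) as not affected while the numeric comparison correctly flags it, so an inventory script built on string comparison would leave that controller unpatched.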
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-10070
Vulnerability details
Improper Access Control in Citrix ShareFile storage zones controller before 5.11.20 may allow an unauthenticated attacker to remotely compromise the storage zones controller.
- CWE(s): CWE-284
- KEV Date Added: 25 March 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): directly enforces access control policies to block unauthenticated remote requests to the ShareFile storage zones controller.
- AC-17 (Remote Access): requires explicit authorization and connection restrictions for all remote access paths into the storage zones controller.
- Boundary protection: applies boundary protections that deny unauthorized network traffic before it reaches the vulnerable controller component.