CVE-2017-6316 — Citrix Multiple Products Remote Code Execution Vulnerability

CVE-2017-6316

Citrix NetScaler SD-WAN / CloudBridge / XenMobile — Unauthenticated RCE via Management Interface Command Injection; CRITICAL 9.8; Patched July 2017

What Are Citrix NetScaler SD-WAN and XenMobile?

Citrix NetScaler SD-WAN (formerly CloudBridge) is an enterprise WAN optimization and SD-WAN appliance used by large organizations to manage and accelerate wide-area network connectivity across branch offices and cloud infrastructure. Citrix XenMobile Server is an enterprise mobile device management (MDM) platform for managing corporate smartphones, tablets, and mobile applications. Both products are deployed at the network edge and management layer — positions of high trust and visibility. Compromising SD-WAN infrastructure gives an attacker network visibility and traffic manipulation capability; compromising XenMobile gives access to all managed mobile device policies, enrolled devices, and enterprise application configurations.

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on March 25, 2022. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2017-6316 is a critical remote code execution vulnerability in the management interfaces of Citrix NetScaler SD-WAN Enterprise Edition, Standard Edition, Citrix CloudBridge Virtual WAN Edition, and Citrix XenMobile Server. An unauthenticated remote attacker can execute arbitrary OS commands as root via a specially crafted request to the management interface. Fixed via Citrix Security Bulletin CTX220023 (July 2017). CISA added CVE-2017-6316 to the KEV catalog in March 2022, reflecting confirmed exploitation against enterprise network infrastructure.

Affected Versions

Product | Vulnerable Versions | Fixed Version
Citrix NetScaler SD-WAN Enterprise Edition | Versions prior to CTX220023 patch | Apply CTX220023
Citrix NetScaler SD-WAN Standard Edition | Versions prior to CTX220023 patch | Apply CTX220023
Citrix CloudBridge Virtual WAN Edition | Versions prior to CTX220023 patch | Apply CTX220023
Citrix XenMobile Server | Affected versions | Apply CTX220023

See Citrix CTX220023 for specific version ranges and hotfix downloads.

Technical Details

Root Cause: Unauthenticated Command Injection in Management Interface

CVE-2017-6316 is an OS command injection vulnerability (CWE-78) in the management web interface shared across Citrix NetScaler SD-WAN, CloudBridge, and XenMobile. The management interface exposes administrative functionality that, in vulnerable versions, fails to authenticate requests before passing user-supplied parameters to underlying system commands.

Attack characteristics:

  • The management interface is the primary attack surface — it handles configuration, monitoring, and diagnostics for the SD-WAN/MDM appliance
  • Specific management endpoints accept parameters that are passed unsanitized to shell commands
  • No authentication is required for the vulnerable endpoints in affected versions
  • Code execution occurs as the root/system user on the appliance OS
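
The advisory does not disclose the vulnerable endpoint or command, so the following is an added, hypothetical illustration of the pattern described above (missing authentication plus a parameter spliced into a shell string) beside a hardened form; it is not Citrix code. The ping diagnostic, the `host` parameter and the session store are assumptions.

```python
import hmac
import ipaddress
import re
import shlex

# Hypothetical names throughout: the ping diagnostic, the "host" parameter and
# the session store are assumptions used to illustrate the CWE-78 pattern.
SESSION_TOKENS = {"constructed-admin-token"}      # constructed sample value
HOSTNAME_RE = re.compile(
    r"(?=.{1,253}$)[A-Za-z0-9][A-Za-z0-9-]{0,62}(\.[A-Za-z0-9-]{1,63})*"
)


def vulnerable_command(params):
    """'Before': no authentication check, parameter spliced into a shell string."""
    return "ping -c 1 " + params.get("host", "")


def commands_in(shell_string):
    """Approximate how many commands a POSIX shell would see in the string."""
    lexer = shlex.shlex(shell_string, posix=True, punctuation_chars=True)
    commands, current = [], []
    for token in lexer:
        if token in {";", "|", "||", "&", "&&"}:
            commands.append(current)
            current = []
        else:
            current.append(token)
    commands.append(current)
    return [c for c in commands if c]


def hardened_argv(params, token):
    """'After': authenticate first, validate strictly, never build a shell string."""
    if not any(hmac.compare_digest(token or "", t) for t in SESSION_TOKENS):
        raise PermissionError("unauthenticated request")
    host = params.get("host", "")
    try:
        host = str(ipaddress.ip_address(host))
    except ValueError:
        if not HOSTNAME_RE.fullmatch(host):
            raise ValueError("host is not an IP address or hostname") from None
    # Intended for subprocess.run(argv, shell=False); "--" ends option parsing.
    return ["ping", "-c", "1", "--", host]
```

`commands_in` only tokenizes the string to show that the shell would see a second command; nothing is executed.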

Affected platform significance: SD-WAN appliances process all WAN traffic flowing between enterprise sites and cloud environments; root access on a SD-WAN node gives complete network visibility and the ability to manipulate traffic, redirect connections, and intercept unencrypted data. XenMobile server compromise exposes all enrolled mobile device data and configuration, enabling MDM policy manipulation.

Attack Characteristics

Attribute | Detail
Attack Vector | Network — unauthenticated HTTP to management interface
Authentication | None required
Impact | Root RCE on SD-WAN/MDM appliance
Affected Position | Network edge (SD-WAN) and MDM management plane (XenMobile)

Discovery

Discovered by security researchers and reported to Citrix; patched via CTX220023 in July 2017.

Exploitation Context

  • Enterprise network infrastructure targeting: SD-WAN and MDM platforms are high-value targets for persistent access; a compromised SD-WAN node provides traffic interception across all connected sites; a compromised XenMobile gives access to corporate mobile device management
  • Citrix as recurring attack surface: Citrix network and access products have been repeatedly targeted (CVE-2019-19781, CVE-2023-3519, CVE-2024-8069 in subsequent years); CVE-2017-6316 established the pattern of Citrix management interface exploitation
  • CISA KEV (2022): Added March 25, 2022 alongside other network infrastructure vulnerabilities, reflecting confirmed exploitation by threat actors targeting enterprise network and access management infrastructure

Remediation

CISA BOD 22-01 Deadline: April 15, 2022. Apply updates per vendor instructions.

  1. Apply Citrix CTX220023 patch — apply the software updates specified in Citrix Security Bulletin CTX220023 for each affected product; check the Citrix support site for specific hotfix packages for your product and version.

  2. Restrict management interface access — ensure the NetScaler SD-WAN and XenMobile management interfaces are not accessible from untrusted networks; management interfaces should only be accessible from a dedicated management VLAN with strict ACLs.

  3. Implement two-factor authentication for management access — enable MFA on Citrix management interfaces to reduce the impact of any future authentication vulnerabilities; multi-factor authentication is a critical control for privileged network infrastructure management.

  4. Review management interface access logs — audit logs for unexpected or unauthorized access to the SD-WAN or XenMobile management interface; look for successful authentications from unexpected source IP addresses or at unusual times.

  5. Apply subsequent Citrix security updates — Citrix products have had numerous subsequent security vulnerabilities; maintain a regular patching cadence for all Citrix products and monitor Citrix security bulletins (support.citrix.com/securitybulletins) for new advisories.
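
One way to carry out steps 2 and 4 together, as an added example that is not part of the original advisory: audit management-interface access logs for requests arriving from outside the management VLAN and for shell metacharacters in request parameters (the CWE-78 indicator). The VLAN range, the combined log format, the URL paths and the sample lines are all constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumptions (not from the advisory): management VLAN range, log format, URL paths.
MGMT_NETS = [ipaddress.ip_network("10.20.30.0/24")]
SHELL_META = re.compile(r"[;|`$<>\r\n]")          # characters a shell treats specially
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines in combined log format; the paths are placeholders.
SAMPLE_LOG = """\
10.20.30.15 - admin [17/Jul/2017:09:12:01 +0000] "GET /mgmt/status?view=summary HTTP/1.1" 200 512
198.51.100.23 - - [17/Jul/2017:09:14:44 +0000] "GET /mgmt/status?view=summary HTTP/1.1" 200 512
10.20.30.15 - - [17/Jul/2017:09:15:02 +0000] "GET /mgmt/diag?target=192.0.2.1%3Bid HTTP/1.1" 200 87
203.0.113.9 - - [17/Jul/2017:09:15:30 +0000] "POST /mgmt/diag?target=192.0.2.1%2560id HTTP/1.1" 200 90
""".splitlines()


def audit(lines, mgmt_nets=MGMT_NETS):
    """Return (line_no, source_ip, status, reasons) for each suspicious request."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m:
            continue
        reasons = []
        try:
            src = ipaddress.ip_address(m["ip"])
            if not any(src in net for net in mgmt_nets):
                reasons.append("source outside management VLAN")
        except ValueError:
            reasons.append("unparseable source address")
        # parse_qsl decodes once; unquote again to catch double-encoded values.
        for key, value in parse_qsl(urlsplit(m["target"]).query, keep_blank_values=True):
            if SHELL_META.search(unquote(value)):
                reasons.append(f"shell metacharacter in parameter {key!r}")
        if reasons:
            findings.append((line_no, m["ip"], m["status"], reasons))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

Access logs normally record only the request line, so parameters sent in a POST body are not covered by this check and need application-level or proxy logging.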

Key Details

Property | Value
CVE ID | CVE-2017-6316
Vendor / Product | Citrix — NetScaler SD-WAN Enterprise, CloudBridge Virtual WAN, and XenMobile Server
NVD Published | 2017-07-20
NVD Last Modified | 2025-10-22
CVSS 3.1 Score | 9.8
CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity | CRITICAL
CWE | CWE-78 — Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CISA KEV Added | 2022-03-25
CISA KEV Deadline | 2022-04-15
Known Ransomware Use | No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2022-04-15. Apply updates per vendor instructions.

Timeline

Date | Event
2017-07-17 | Citrix releases patches for CVE-2017-6316 via CTX220023
2017-07-20 | CVE-2017-6316 published by NVD
2022-03-25 | Added to CISA Known Exploited Vulnerabilities catalog
2022-04-15 | CISA BOD 22-01 remediation deadline

References

Resource | Type
NVD — CVE-2017-6316 | Vulnerability Database
CISA KEV Catalog Entry | US Government
Citrix Security Bulletin CTX220023 | Vendor Advisory