CVE-2011-2882

Citrix Access Gateway Enterprise Edition 8.1-67.7 9.0-70.5 9.1-96.4 - Remote Code Execution via Crafted HTTP Header Data

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2011-2882. PoCs published by Metasploit, Michal Trojnara, bannedit, sinn3r, including Metasploit module exploits/windows/browser/citrix_gateway_actx.

AI-analyzed exploit summary This Metasploit module exploits a stack-based buffer overflow in the Citrix Gateway ActiveX control (CVE-2011-2882) via a malicious HTML page. It uses heap spraying and a crafted CSEC parameter to achieve remote code execution when the victim interacts with a dialog.

Description

Stack-based buffer overflow in the NSEPA.NsepaCtrl.1 ActiveX control in nsepa.ocx in Citrix Access Gateway Enterprise Edition 8.1 before 8.1-67.7, 9.0 before 9.0-70.5, and 9.1 before 9.1-96.4 allows remote attackers to execute arbitrary code via crafted HTTP header data.

Exploits (2)

exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotewindows
https://www.exploit-db.com/exploits/17762

This Metasploit module exploits a stack-based buffer overflow in the Citrix Gateway ActiveX control (CVE-2011-2882) via a malicious HTML page. It uses heap spraying and a crafted CSEC parameter to achieve remote code execution when the victim interacts with a dialog.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Citrix Gateway ActiveX Control (nsepa.ocx)
No auth needed
Prerequisites: Victim must visit a malicious webpage · Victim must interact with a dialog to trigger the exploit
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC NORMAL
by Michal Trojnara, bannedit, sinn3r · rubypocwin
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/citrix_gateway_actx.rb

This Metasploit module exploits a stack-based buffer overflow in the Citrix Gateway ActiveX control (CVE-2011-2882) via a malicious HTML page. It uses heap spraying and a crafted CSEC parameter to achieve remote code execution when a user interacts with the exploit page.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Citrix Gateway ActiveX control (nsepa.ocx)
No auth needed
Prerequisites: Victim must visit a malicious webpage · ActiveX control must be installed and enabled
devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (2)

Core 2
Core References
Third Party Advisory third-party-advisory x_refsource_sreason
http://securityreason.com/securityalert/8358
Third Party Advisory third-party-advisory x_refsource_idefense
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=929

Scores

EPSS 0.5637
EPSS Percentile 98.9%

Details

CWE
CWE-119
Status published
Products (3)
citrix/access_gateway 8.1
citrix/access_gateway 9.0
citrix/access_gateway 9.1
Published Jul 21, 2011
Tracked Since Feb 18, 2026