Description
Incorrect access control mechanisms in Citrix Receiver Desktop Lock 4.5 allow an attacker to bypass the authentication requirement by leveraging physical access to a VDI for temporary disconnection of a LAN cable. NOTE: as of 20161208, the vendor could not reproduce the issue, stating "the researcher was unable to provide us with information that would allow us to confirm the behaviour and, despite extensive investigation on test deployments of supported products, we were unable to reproduce the behaviour as he described. The researcher has also, despite additional requests for information, ceased to respond to us."
Exploits (1)
exploitdb
WRITEUP
by Rithwik Jayasimha · textlocalmultiple
https://www.exploit-db.com/exploits/40686
References (5)
Core 5
Core References
Third Party Advisory, VDB Entry x_refsource_misc
https://vuldb.com/?id.93250
Third Party Advisory, VDB Entry vdb-entry
x_refsource_sectrack
http://www.securitytracker.com/id/1037176
Exploit, Third Party Advisory, VDB Entry exploit
x_refsource_exploit-db
https://www.exploit-db.com/exploits/40686/
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
https://packetstormsecurity.com/files/139493/Citrix-Receiver-Receiver-Desktop-Lock-4.5-Authentication-Bypass.html
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/94229
Scores
CVSS v3
6.8
EPSS
0.0260
EPSS Percentile
85.7%
Attack Vector
PHYSICAL
CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-254
CWE-284
Status
published
Products (1)
citrix/receiver_desktop
4.5
Published
Nov 07, 2016
Tracked Since
Feb 18, 2026