CVE-2018-18013

HIGH

Citrix Xenmobile Server < 10.8.0 - Insecure Deserialization

Title source: rule

Description

* Xen Mobile through 10.8.0 includes a service listening on port 5001 within its firewall that accepts unauthenticated input. If this service is supplied with raw serialised Java objects, it deserialises them back into Java objects in memory, giving rise to a remote code execution vulnerability. NOTE: the vendor disputes that this is a vulnerability, stating it is "already mitigated by the internal firewall that limits access to configuration services to localhost.

References (1)

[Exploit, Third Party Advisory] https://advisories.dxw.com/advisories/xen-mobile-vulnerable-to-code-execution-via-object-serialisation/

Scores

CVSS v3 7.8

EPSS 0.0024

EPSS Percentile 47.2%

Attack Vector LOCAL

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-502

Status published

Affected Products (1)

citrix/xenmobile_server < 10.8.0

Timeline

Published Oct 24, 2018

Tracked Since Feb 18, 2026