CVE-2021-22941

CRITICAL KEV RANSOMWARE

Citrix ShareFile <5.11.20 - Info Disclosure


Exploitation Summary

CVE-2021-22941 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 25, 2022, with confirmed use in ransomware campaigns. EIP tracks 3 public exploits from researchers including hoav18, pratikjojode.

AI-analyzed exploit summary: This repository contains a functional exploit for CVE-2021-22941, a remote code execution vulnerability in Citrix ShareFile. The exploit leverages a path traversal flaw to upload a malicious ASPX shell, enabling arbitrary command execution.

Description

Improper Access Control in Citrix ShareFile storage zones controller before 5.11.20 may allow an unauthenticated attacker to remotely compromise the storage zones controller.

Exploits (3)

nomisec WORKING POC 14 stars
by hoav18 · poc
https://github.com/hoav18/CVE-2021-22941

This repository contains a functional exploit for CVE-2021-22941, a remote code execution vulnerability in Citrix ShareFile. The exploit leverages a path traversal flaw to upload a malicious ASPX shell, enabling arbitrary command execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Citrix ShareFile
No auth needed
Prerequisites: Network access to the vulnerable Citrix ShareFile instance
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC
by pratikjojode · poc
https://github.com/pratikjojode/citrix-cve-2021-22941-lab

This repository contains a mock server simulating CVE-2021-22941, a path traversal vulnerability in Citrix ShareFile Storage Zones Controller. The server.py script replicates the vulnerable behavior of the Upload.aspx endpoint, demonstrating broken access control and path traversal risks.

Classification: Working PoC 95%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Citrix ShareFile Storage Zones Controller
No auth needed
Prerequisites: Docker environment to run the mock server
devstral-2 · analyzed Feb 19, 2026

inthewild WORKING POC
poc
https://github.com/hoavt184/cve-2021-22941

This repository contains a functional exploit for CVE-2021-22941, a remote code execution vulnerability in Citrix ShareFile. The exploit leverages a path traversal and file upload vulnerability to deploy a malicious ASPX shell or execute arbitrary commands via a crafted multipart form request.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Citrix ShareFile
No auth needed
Prerequisites: Network access to the target ShareFile instance · Ability to send HTTP requests to the target
devstral-2 · analyzed Feb 23, 2026

References (2)

Core References
Broken Link, Vendor Advisory x_refsource_misc
https://support.citrix.com/article/CTX328123

Scores

CVSS v3 9.8
EPSS 0.8849
EPSS Percentile 99.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2022-03-25
VulnCheck KEV 2022-03-07
InTheWild.io 2021-09-21
ENISA EUVD EUVD-2021-10070
Ransomware Use Confirmed
CWE CWE-284
Status published
Products (1)
citrix/sharefile_storagezones_controller < 5.11.20
Published Sep 23, 2021
KEV Added Mar 25, 2022
Tracked Since Feb 18, 2026