On Wednesday, Citrix released patches for several new security flaws in Citrix Endpoint Management (CEM), also known as XenMobile, a product that lets companies manage and secure their employees’ mobile devices remotely.

Citrix Endpoint Management lets companies control which apps their employees can install, while ensuring that updates and security settings are applied to keep business data secure.

Citrix says five flaws affect on-premises instances of XenMobile Server, which companies use to manage their apps, devices and platforms from a single location.

“Remediations have already been applied to cloud versions, but hybrid rights users need to apply the upgrades to any on-premises instance,” the company said in a post today.

Left unpatched and successfully exploited, the newly disclosed flaws could together allow an unauthenticated attacker to gain administrative privileges on affected XenMobile Servers.

Two of the five, tracked as CVE-2020-8208 and CVE-2020-8209, are rated critical and affect the following XenMobile Server versions:

  • XenMobile Server 10.12 before RP2
  • XenMobile Server 10.11 before RP4
  • XenMobile Server 10.10 before RP6
  • XenMobile Server before 10.9 RP5
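To turn that affected-version list into something an administrator can run against an inventory, here is an added example (not code from Citrix or from the original article) that parses XenMobile Server version strings such as "10.12.0 RP1", compares the rolling-patch level against the minimum fixed level for each branch listed above, and flags the hosts that still need the update. The inventory, host names and version-string format are constructed for illustration and are assumptions; branches newer than 10.12 are not in the advisory list, so the check does not flag them.

```python
import re
from typing import List, Tuple

# Minimum fixed rolling patch (RP) per branch, taken from the affected-version
# list above. Any branch older than 10.9 is affected regardless of RP level.
FIXED_RP = {
    (10, 12): 2,
    (10, 11): 4,
    (10, 10): 6,
    (10, 9): 5,
}

# Accepts "10.12", "10.12.0", "10.12 RP1", "10.12.0 RP1" (case-insensitive).
# The exact format is an assumption made for this example.
VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)(?:\.\d+)?(?:\s*RP(\d+))?\s*$", re.IGNORECASE
)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Return (major, minor, rp); a missing RP suffix counts as RP0."""
    match = VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised XenMobile version string: {text!r}")
    major, minor, rp = match.groups()
    return int(major), int(minor), int(rp) if rp else 0


def is_affected(text: str) -> bool:
    """True if the version is in the advisory's affected range for the two critical CVEs."""
    major, minor, rp = parse_version(text)
    branch = (major, minor)
    if branch in FIXED_RP:
        # Affected only if the installed RP is below the fixing RP.
        return rp < FIXED_RP[branch]
    if branch < (10, 9):
        # "XenMobile Server before 10.9 RP5" covers every older branch.
        return True
    # Newer branches are not in the advisory's list; not flagged here.
    return False


# Constructed sample inventory (host, reported version); not real systems.
SAMPLE_INVENTORY = [
    ("xm-prod-01.example.internal", "10.12.0 RP1"),
    ("xm-prod-02.example.internal", "10.12.0 RP2"),
    ("xm-dr-01.example.internal", "10.11.0 RP3"),
    ("xm-lab-01.example.internal", "10.8.0 RP7"),
    ("xm-lab-02.example.internal", "10.9.0 RP5"),
]


def affected_hosts(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return the hosts whose version still falls in the affected range."""
    return [host for host, version in inventory if is_affected(version)]


if __name__ == "__main__":
    for host in affected_hosts(SAMPLE_INVENTORY):
        print(f"needs rolling patch: {host}")
```

The version string is treated as a branch plus an RP level rather than as a plain numeric comparison, because "10.9.0 RP5" is fixed while "10.9.0" with no RP is not; a naive string or float comparison would get that wrong.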

One of the critical flaws (CVE-2020-8209), found by Andrey Medov of Positive Technologies, is a path traversal that could let an unauthenticated attacker read arbitrary files outside the web-server root directory.

The company has not yet released technical details of the flaws, but says it pre-notified a number of major CERTs around the world, as well as its customers, on July 23. Administrators running on-premises XenMobile Server instances should apply the rolling patches listed above.
