Security Advisory 2020-040

Release Date:

Critical Vulnerabilities in Citrix XenMobile



  • 12/08/2020 --- v1.0 -- Initial publication


On 11th of August, Citrix released a blog post [1] and Security Update [2] about critical vulnerabilities affected XenMobile servers products.

No technical details were shared by Citrix, however some sources [3] indicate that by combining some of those vulnerabilities, an unauthenticated attackers could gain admin control on XenMobile Servers if exploitation is successful.

Citrix recommends these upgrades be made immediately. As of this writing, there are no known exploits. However, by analysing security patches, attacker could quickly identify exploits for these vulnerabilities and start scanning for victims exposing XenMobile servers on Internet.

Technical Details

The vulnerabilities were assigned the following CVEs:

  • CVE-2020-8208
  • CVE-2020-8209
  • CVE-2020-8210
  • CVE-2020-8211
  • CVE-2020-8212

No technical details are available at the time of this writing.

Products Affected

These critical vulnerabilities affect several products:

  • XenMobile Server 10.12 before RP2
  • XenMobile Server 10.11 before RP4
  • XenMobile Server 10.10 before RP6
  • XenMobile Server before 10.9 RP5

Other versions of the same products are affected by medium and low vulnerabilities:

  • XenMobile Server 10.12 before RP3
  • XenMobile Server 10.11 before RP6

Remediations have already been applied to cloud versions of XenMobile server.


Citrix has released Rolling Patches for Citrix Endpoint Management (CEM) [2]:

  • XenMobile Server 10.12 RP3
  • XenMobile Server 10.11 RP6
  • XenMobile Server 10.10 RP6
  • XenMobile Server 10.9 RP5





We got cookies

We only use cookies that are necessary for the technical functioning of our website. Find out more on here.