CVE-2021-22941

CVE-2021-22941 is a critical-severity vulnerability in Citrix Sharefile Storagezones Controller with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-03-25). The underlying weakness is classified as CWE-284.

Key facts

Description

Improper Access Control in Citrix ShareFile storage zones controller before 5.11.20 may allow an unauthenticated attacker to remotely compromise the storage zones controller.

CVE-2021-22941: Unauthenticated Remote Compromise in Citrix ShareFile Storage Zones Controller

AI-generated analysis based on the vulnerability data on this page.

Summary

CVE-2021-22941 is a critical improper access control vulnerability affecting Citrix ShareFile Storage Zones Controller versions prior to 5.11.20. The flaw enables an unauthenticated, remote attacker to bypass authentication controls and compromise the Storage Zones Controller entirely. CISA added this vulnerability to its Known Exploited Vulnerabilities Catalog on 25 March 2022, and the EU Cybersecurity Agency also flags it as actively exploited since the same date.

Background

Citrix ShareFile Storage Zones Controller is an on-premises component that enables enterprises to store sensitive file data in their own data centers while integrating with the ShareFile cloud service. It handles authentication, file upload/download proxies, and storage zone management. Because it sits at the edge of the network and processes unauthenticated requests before routing to backend storage, any access-control flaw can have immediate and severe consequences.

Root Cause

The vulnerability is classified under CWE-284: Improper Access Control. The Storage Zones Controller failed to enforce adequate authorization checks on a specific request path or parameter, allowing an attacker to interact with administrative or internal functionality without presenting valid credentials. The underlying weakness is a missing or insufficient authorization boundary, not a memory corruption or injection flaw. This means the application trusted certain request properties that an attacker could freely manipulate.

Impact

The National Vulnerability Database rates this flaw with a CVSS v2 base score of 10.0 and a CVSS v3.1 base score of 9.8 (Critical). The metrics paint a severe picture:

  • Attack Vector (AV): Network — the vulnerability is exploitable remotely over the internet.
  • Attack Complexity (AC): Low — no special conditions or advanced techniques are required.
  • Privileges Required (PR): None — the attacker does not need any prior access or credentials.
  • User Interaction (UI): None — the attack is fully automated and does not rely on a victim clicking a link or opening a file.
  • Scope (S): Unchanged — the vulnerable component itself is compromised.
  • Impact on Confidentiality (C), Integrity (I), and Availability (A): All rated High under CVSS v3.1 and Complete under CVSS v2.

In practical terms, a successful exploit grants the attacker full control over the Storage Zones Controller, including access to stored files, configuration data, and the ability to pivot further into the internal network.

Exploitation Walkthrough

Ethics and Legal Notice: The following description is provided for defensive and awareness purposes only. Attempting to exploit systems without explicit authorization is illegal in most jurisdictions.

The attack surface is the publicly reachable Storage Zones Controller endpoint. Because the vulnerability is an access-control bypass, an attacker crafts a specially formed HTTP request that reaches an internal or administrative interface that should require authentication. The exact URI and parameter combination are not detailed in public sources, but the flaw is straightforward enough that exploitation is considered trivial. Once the bypass is achieved, the attacker can upload arbitrary files, modify configuration, or extract stored data. The vulnerability is particularly dangerous because it requires no pre-existing foothold or user interaction.

Affected and Patched Versions

  • Affected: Citrix ShareFile Storage Zones Controller versions before 5.11.20.
  • Patched: Version 5.11.20 and later.

Administrators should verify the installed version via the Storage Zones Controller management console or by checking the version string in the web interface footer.

Remediation

  1. Upgrade immediately to Citrix ShareFile Storage Zones Controller 5.11.20 or later. Citrix released the fixed version in a security bulletin referenced by CISA.
  2. If immediate patching is not possible, apply the following compensating controls:
    • Restrict network access to the Storage Zones Controller management interface to trusted IP ranges using firewall rules or VPN enforcement.
    • Deploy a Web Application Firewall (WAF) rule that blocks known malicious request patterns targeting this endpoint. Monitor vendor and security community feeds for specific signatures.
    • Disable or remove the Storage Zones Controller from internet-facing exposure until it can be patched.

Detection

  • Monitor web server logs for unusual HTTP requests to the Storage Zones Controller that do not originate from authenticated sessions.
  • Look for unexpected file uploads, configuration changes, or authentication events in the ShareFile audit logs.
  • Correlate endpoint and network detection with the CISA Known Exploited Vulnerabilities (KEV) catalog entry and EU vulnerability database (EUVD-2021-10070) to prioritize hunting.
  • An EPSS score of 0.53585 (53.6% probability of exploitation in the wild within 30 days) and an EPSS percentile of 98.9 indicate this is among the most actively exploited flaws tracked by the community.

Assessment

CVE-2021-22941 is a textbook example of how a single missing authorization check can lead to total compromise. The combination of a CVSS 9.8 severity, publicly known exploitation since early 2022, and an EPSS score above 0.5 makes this a high-priority patching item. The CISA KEV and EU exploited-vulnerability designations mean that federal and enterprise procurement environments may impose compliance deadlines. Two key lessons emerge:

  1. Authentication boundaries must be enforced at every layer. Edge-facing components that proxy internal services are especially prone to access-control gaps.
  2. High EPSS scores with KEV confirmation should drive patching ahead of routine maintenance windows. The data indicates that exploitation is not theoretical; it is happening at scale.

References

Frequently asked questions

What is CVE-2021-22941?
Improper Access Control in Citrix ShareFile storage zones controller before 5.11.20 may allow an unauthenticated attacker to remotely compromise the storage zones controller.
How severe is CVE-2021-22941?
CVE-2021-22941 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2021-22941 being actively exploited?
Yes. CVE-2021-22941 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-03-25, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2021-22941?
CVE-2021-22941 affects Citrix Sharefile Storagezones Controller. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2021-22941?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2021-22941 have an EU (EUVD) identifier?
Yes. CVE-2021-22941 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2021-10070. It is also flagged as exploited in the EUVD (since 2022-03-25).
When was CVE-2021-22941 published?
CVE-2021-22941 was published on 2021-09-23 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Citrix Sharefile Storagezones Controller

All CVEs affecting Citrix Sharefile Storagezones Controller →

Other CWE-284 (Improper Access Control) vulnerabilities

Browse all CWE-284 (Improper Access Control) vulnerabilities →