CVE-2025-66391: Citrix Cloud Auth Bypass Vulnerability

CVE-2025-66391 is an authentication bypass flaw in Citrix Cloud allowing read-only accounts to initiate write operations like password resets. This article covers technical details, affected versions, and mitigation.

CVE-2025-66391 Overview

CVE-2025-66391 is a broken access control vulnerability [CWE-284] in Citrix Cloud through 2025-11-10. An account holding only read-only privileges can initiate workflows reserved for write operations. The most impactful example involves the password reset flow. An attacker with read-only access can trigger a password reset for another user account and direct the one-time password (OTP) to an attacker-controlled email address. This bypasses the authorization boundary between read and write roles and enables account takeover within the Citrix Cloud tenant.

Critical Impact

A low-privileged read-only account can initiate password reset workflows for other users and receive the OTP at an attacker-controlled email address, enabling full account takeover in Citrix Cloud.

Affected Products

  • Citrix Cloud (citrix.cloud.com) through 2025-11-10
  • Tenants using built-in role-based access control with read-only accounts
  • All authenticated administrative workflows that lack server-side write-action enforcement

Discovery Timeline

  • 2026-06-17 - CVE-2025-66391 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-66391

Vulnerability Analysis

The vulnerability stems from inconsistent authorization enforcement between the user interface (UI) and the backing workflow APIs in Citrix Cloud. The UI restricts read-only accounts from invoking write actions, but the backend workflow endpoints do not re-validate role membership before initiating state-changing operations. An attacker authenticated as a read-only user can issue the same API requests that a privileged administrator would. The server proceeds to start the workflow, including sending an OTP for password reset to an email address supplied by the attacker. This is a classic business logic flaw combined with a missing authorization check.

Root Cause

The root cause is improper access control [CWE-284] on workflow initiation endpoints. The platform trusts the client to enforce role boundaries instead of validating the caller's effective permissions on each request. Workflows that should require write privileges accept calls from read-only principals.
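To make the root cause concrete, here is an added illustration (not Citrix's code) of a hypothetical workflow-initiation handler written the way the flaw is described, beside a hardened version that re-checks the caller's effective permission on every request and ignores any client-supplied OTP destination. Role names, workflow names and the tenant directory are constructed for the example.

```python
# Added illustration for CVE-2025-66391, not Citrix code: a hypothetical
# workflow-initiation handler that trusts the UI, beside a hardened version
# that re-checks effective permissions and pins the OTP destination.
from dataclasses import dataclass

# Hypothetical role and workflow names; real Citrix Cloud names may differ.
ROLE_PERMISSIONS = {"read-only": {"read"}, "admin": {"read", "write"}}
WORKFLOW_REQUIRES = {"ListUsers": "read", "ResetPassword": "write", "InviteUser": "write"}

# Constructed tenant directory: user -> registered email address.
DIRECTORY = {"alice.admin": "alice@corp.example", "bob.readonly": "bob@corp.example"}


@dataclass(frozen=True)
class Principal:
    name: str
    role: str  # server-side view of the caller's role


class Forbidden(Exception):
    """Raised when the caller lacks the permission a workflow requires."""


def vulnerable_initiate(caller: Principal, workflow: str, target: str, otp_email: str) -> dict:
    """The flaw as described: the UI hides write actions from read-only users, but
    the endpoint neither re-validates the role nor pins the OTP destination."""
    return {"workflow": workflow, "target": target, "otp_sent_to": otp_email}


def hardened_initiate(caller: Principal, workflow: str, target: str, otp_email: str = "") -> dict:
    """Authorize on every request from the server-side role, and deliberately ignore
    any client-supplied OTP address in favour of the registered one."""
    needed = WORKFLOW_REQUIRES[workflow]  # unknown workflow -> KeyError, nothing starts
    if needed not in ROLE_PERMISSIONS.get(caller.role, set()):
        raise Forbidden(f"role {caller.role!r} may not start {workflow}")
    if target not in DIRECTORY:
        raise KeyError(f"unknown target {target!r}")
    result = {"workflow": workflow, "target": target}
    if needed == "write":
        result["otp_sent_to"] = DIRECTORY[target]  # never the request's otp_email
    return result
```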

Attack Vector

An attacker requires a valid read-only Citrix Cloud account on the target tenant. From an authenticated session, the attacker invokes the password reset workflow against a higher-privileged user. The platform issues an OTP and delivers it to the email address the attacker supplies during the workflow. The attacker uses the OTP to complete the password reset and assume control of the targeted identity. A public proof-of-concept ("GitHub Exploit for CVE-2025-66391") has been published on GitHub.

No verified exploit code is reproduced here; refer to the published PoC for the request sequence and parameters.

Detection Methods for CVE-2025-66391

Indicators of Compromise

  • Password reset events for administrative accounts initiated by read-only principals in Citrix Cloud audit logs
  • OTP delivery destinations that do not match the registered email of the target user
  • Successful authentication events for accounts immediately following an out-of-band password reset
  • Repeated workflow initiation API calls from a single low-privileged identity targeting multiple users

Detection Strategies

  • Correlate Citrix Cloud audit events where the actor role is read-only with workflow types that perform write operations such as ResetPassword or InviteUser.
  • Alert on password reset workflows where the recipient email domain differs from the targeted user's known domain.
  • Baseline normal workflow initiation volume per identity and flag deviations from read-only accounts.
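The three strategies above, applied to audit events, as an added example that is not part of the original page: it flags read-only actors starting write workflows, OTP recipients whose domain differs from the target's known domain, and a single read-only identity fanning out across several targets. The JSON field names and the sample events are constructed; Citrix Cloud's real audit schema will need a field mapping.

```python
# Added example for CVE-2025-66391 detection; field names and events are
# constructed, not Citrix Cloud's actual audit log schema.
import json
from collections import defaultdict

KNOWN_EMAIL = {"alice.admin": "alice@corp.example", "carol.ops": "carol@corp.example"}
WRITE_WORKFLOWS = {"ResetPassword", "InviteUser"}
READ_ONLY_ROLES = {"read-only"}

# Constructed audit events: one benign read, two suspicious resets by a
# read-only actor, one legitimate reset by an admin to the registered address.
SAMPLE_AUDIT = [
    '{"ts":"2025-11-09T10:01:00Z","actor":"bob.readonly","actor_role":"read-only","workflow":"ListUsers","target":"alice.admin"}',
    '{"ts":"2025-11-09T10:02:00Z","actor":"bob.readonly","actor_role":"read-only","workflow":"ResetPassword","target":"alice.admin","otp_recipient":"otp@unregistered-mailbox.example"}',
    '{"ts":"2025-11-09T10:03:00Z","actor":"bob.readonly","actor_role":"read-only","workflow":"ResetPassword","target":"carol.ops","otp_recipient":"otp@unregistered-mailbox.example"}',
    '{"ts":"2025-11-09T10:05:00Z","actor":"dana.admin","actor_role":"admin","workflow":"ResetPassword","target":"carol.ops","otp_recipient":"carol@corp.example"}',
]


def email_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def analyze(lines, fanout_threshold: int = 2):
    """Return (kind, actor, workflow, detail) findings for the three strategies."""
    findings = []
    targets_by_readonly = defaultdict(set)
    for line in lines:
        ev = json.loads(line)
        actor, role, wf, target = ev["actor"], ev["actor_role"], ev["workflow"], ev["target"]
        # Strategy 1: read-only actor initiating a write workflow.
        if role in READ_ONLY_ROLES and wf in WRITE_WORKFLOWS:
            findings.append(("readonly_write", actor, wf, target))
            targets_by_readonly[actor].add(target)
        # Strategy 2: OTP recipient domain differs from the target's known domain.
        rcpt, known = ev.get("otp_recipient"), KNOWN_EMAIL.get(target)
        if rcpt and known and email_domain(rcpt) != email_domain(known):
            findings.append(("otp_domain_mismatch", actor, wf, rcpt))
    # Strategy 3: one read-only identity targeting several distinct users.
    for actor, targets in targets_by_readonly.items():
        if len(targets) >= fanout_threshold:
            findings.append(("readonly_fanout", actor, "", ",".join(sorted(targets))))
    return findings
```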

Monitoring Recommendations

  • Forward Citrix Cloud system and admin audit logs to your SIEM and retain at least 90 days of history.
  • Monitor authentication trail changes — particularly password reset completions — for administrative and break-glass accounts.
  • Review the membership of read-only roles weekly and confirm that no accounts have been granted unintended privileges.

How to Mitigate CVE-2025-66391

Immediate Actions Required

  • Audit all Citrix Cloud accounts assigned read-only roles and remove unnecessary access.
  • Enforce multi-factor authentication (MFA) on all administrative identities so that an OTP-based password reset alone does not grant access.
  • Review recent password reset events and validate that each was authorized by the legitimate user.
  • Rotate credentials for any administrative account that experienced an unexplained reset workflow.

Patch Information

No vendor advisory or fixed-build identifier is listed in the NVD record at the time of publication. Monitor the Citrix Cloud console and official Citrix security bulletins for an authoritative fix. Apply tenant-side mitigations until a platform fix is confirmed.

Workarounds

  • Remove read-only role assignments from accounts that do not require ongoing administrative visibility.
  • Require MFA on every Citrix Cloud identity so a reset OTP is insufficient to complete authentication.
  • Restrict Citrix Cloud administrative console access to trusted networks using conditional access policies on the upstream identity provider.
  • Subscribe to email and SMS notifications for password change events on privileged accounts to enable rapid response.
```bash
# Example: review Citrix Cloud admin role assignments via the identity provider
# Replace placeholders with your tenant identifiers
#
# 1. List administrators and their assigned roles
# 2. Remove read-only role from accounts that do not need it
# 3. Enforce MFA policy on the Citrix Cloud application
#
# Consult your IdP documentation (Entra ID, Okta, etc.) for the exact commands.
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
