Independent security audit - public disclosure
Day-0 public disclosure · 2026-04-24 08:00 CEST
Independent security research by Jakob Wolffhechel · jakob@wolffhechel.dk
Moksha · Copenhagen, Denmark

This is the public disclosure of a 9-week independent security audit of XAPI, the management stack used by Citrix XenServer/Hypervisor (commercial) and XCP-ng (open-source, maintained by Vates). The researcher has named this disclosure Shittrix for the input-validation failures that it documents.

The audit identified 89 independently exploitable vulnerabilities rooted in 5 architectural failures. Every writable Map(String,String) field across 8 XAPI object types has zero input validation. The lowest delegated management role (vm-admin) can achieve full host filesystem read/write, cross-VM data exfiltration, storage protocol injection, cross-hypervisor lateral movement, and pool-wide compromise through single API calls, with no exploit code, no root shell, and no security alerts. These vulnerabilities have existed since XAPI was first written (~2006). Every version of Citrix XenServer/Hypervisor is affected. Cloud Software Group is a signatory to CISA's Secure by Design pledge, committing to reduce entire classes of vulnerability across its products.

Designation: BOC-1 (Backend Override Control, Finding 1)
CVSS 3.1: 9.9 Critical · AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CVSS 4.0: 9.4 Critical

A user with the vm-admin role (the lowest delegated management role in XCP-ng / Citrix Hypervisor) can mount any host block device as a guest virtual disk by writing an arbitrary filesystem path to VBD.other_config:backend-local. When the VBD is plugged, XAPI reads this key and passes the path directly to xenopsd, with no validation, no access control check, and only a warning-level log message. The vulnerability requires a single API call, no exploit code, no root or shell access, and produces no security alerts.

Designation: SMC-1 (Storage Metadata Control, Finding 1)
CVSS 3.1: 9.9 Critical · AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CVSS 4.0: 8.6 High

A low-privilege user can inject storage protocol commands (iSCSI, NFS, FC, SMB) through the hypervisor by writing attacker-controlled values to the VDI.sm_config and SR.sm_config fields. The hypervisor becomes a silent proxy, forwarding malformed commands to storage arrays. From the storage vendor's perspective, the traffic is indistinguishable from normal storage I/O. Storage array vendors (NetApp, Dell EMC, Pure Storage, HPE, and cloud-hosted storage services with iSCSI/NFS endpoints) operate on the assumption that commands arriving from a hypervisor host are trusted by that host. When the hypervisor itself is a silent proxy for attacker-controlled protocol commands, storage vendor detection capabilities do not apply: the traffic looks legitimate at the storage array layer. This is why SMC-1 is classified as multi-vendor and why the detection rules (section 10) include storage-vendor-targeted signatures, not only XAPI-layer signatures.

Designation: VOC-1 (VM Other Config, Finding 1)
CVSS 3.1: 9.9 Critical · AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CVSS 4.0: 8.6 High

A vm-admin can promote any VM to system domain status by writing is_system_domain=true to VM.other_config. This key is intended as an internal infrastructure flag set only by XAPI itself, but VM.other_config has no map_keys_roles protection for this key. System domain status is a privileged designation in XAPI. The function at system_domains.ml:30-35 checks is_control_domain (a read-only boolean) OR the other_config key, and since the other_config path has no RBAC, any vm-admin can set it on any VM.

Designation: PDC-1 (PBD Device Config, Finding 1)
CVSS 3.1: 9.1 Critical · AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CVSS 4.0: 8.7 High

A pool-operator can create an iSCSI SR with attacker-controlled target and targetIQN values in PBD.device_config. The SM driver reads these values and passes them directly to iscsiadm for iSCSI discovery and login. The hypervisor connects to the attacker's iSCSI target instead of the legitimate storage array. This is a complete storage MITM.

The attack flow:

No IP address validation, no IQN format verification, no allowlist check at any point. The attacker serves malicious disk images to VMs, captures all VM I/O, and intercepts CHAP credentials in transit.
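Until a fix ships, the practical defender's move is to audit the pool's own object records for the three map fields named above (BOC-1, VOC-1 and PDC-1) and to apply the IP, IQN-format and allowlist checks the disclosure says XAPI lacks. The script below is an added example, not code from the disclosure or the XAPI project; it operates on plain dicts shaped like XenAPI get_all_records() output so it runs offline, and the allowlists and SAMPLE_* records are constructed.

```python
"""Audit XAPI records for the unvalidated map fields described above (BOC-1, VOC-1, PDC-1).
Added example, not from the disclosure or the XAPI project. It takes plain dicts shaped like
XenAPI get_all_records() output so it runs offline; allowlists and SAMPLE_* data are constructed."""
import ipaddress
import re

# RFC 3720 iSCSI qualified name: iqn.<yyyy-mm>.<reversed-domain>[:<unique>]
IQN_RE = re.compile(r"^iqn\.\d{4}-\d{2}\.[a-z0-9][a-z0-9.-]*(:\S+)?$")
ALLOWED_TARGETS = {"192.0.2.10"}                           # constructed allowlist
ALLOWED_IQNS = {"iqn.2001-04.com.example:storage.array1"}  # constructed allowlist


def audit_records(vbds, vms, pbds):
    """Return (object_type, ref, reason) tuples for every suspicious field value."""
    findings = []
    # BOC-1: backend-local in VBD.other_config redirects xenopsd to a host path.
    for ref, rec in vbds.items():
        path = rec.get("other_config", {}).get("backend-local")
        if path is not None:
            findings.append(("VBD", ref, "other_config:backend-local=%r" % path))
    # VOC-1: is_system_domain is XAPI-internal; only the control domain should carry it.
    for ref, rec in vms.items():
        flag = rec.get("other_config", {}).get("is_system_domain")
        if flag == "true" and not rec.get("is_control_domain", False):
            findings.append(("VM", ref, "other_config:is_system_domain=true on a guest VM"))
    # PDC-1: target must parse as an IP address and both target and IQN must be allowlisted.
    # Hostnames are flagged deliberately; add them to ALLOWED_TARGETS if the site uses DNS names.
    for ref, rec in pbds.items():
        cfg = rec.get("device_config", {})
        target, iqn = cfg.get("target"), cfg.get("targetIQN")
        if target is not None:
            try:
                ipaddress.ip_address(target)
            except ValueError:
                findings.append(("PBD", ref, "target is not an IP address: %r" % target))
            if target not in ALLOWED_TARGETS:
                findings.append(("PBD", ref, "target not in allowlist: %r" % target))
        if iqn is not None and (not IQN_RE.match(iqn) or iqn not in ALLOWED_IQNS):
            findings.append(("PBD", ref, "targetIQN malformed or not allowlisted: %r" % iqn))
    return findings


# Constructed sample records: one clean and one tampered object of each type.
SAMPLE_VBDS = {"OpaqueRef:vbd-ok": {"other_config": {}},
               "OpaqueRef:vbd-bad": {"other_config": {"backend-local": "/dev/sda"}}}
SAMPLE_VMS = {"OpaqueRef:dom0": {"is_control_domain": True, "other_config": {"is_system_domain": "true"}},
              "OpaqueRef:vm-bad": {"is_control_domain": False, "other_config": {"is_system_domain": "true"}}}
SAMPLE_PBDS = {"OpaqueRef:pbd-ok": {"device_config": {"target": "192.0.2.10",
                                                      "targetIQN": "iqn.2001-04.com.example:storage.array1"}},
               "OpaqueRef:pbd-bad": {"device_config": {"target": "198.51.100.7", "targetIQN": "not-an-iqn"}}}
if __name__ == "__main__":
    for finding in audit_records(SAMPLE_VBDS, SAMPLE_VMS, SAMPLE_PBDS):
        print("%-3s %-18s %s" % finding)
```

On a live pool the three dicts come from session.xenapi.VBD/VM/PBD.get_all_records(); any finding is a change that no vm-admin or pool-operator should have been able to make and warrants an audit-log review.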
An independent audit of the XAPI management stack has disclosed 89 critical vulnerabilities rooted in architectural failures, allowing a user with the lowest `vm-admin` role to achieve full host compromise, cross-VM data exfiltration, and storage protocol injection via single, unvalidated API calls. The vulnerabilities, scored CVSS 3.1 9.9 Critical, are present in all versions of Citrix XenServer/Hypervisor and XCP-ng since XAPI's inception (~2006). The article details specific attack vectors but does not provide information on a fixed version or available workarounds.