LiveActive security incident?Get immediate response
CVE Record

CVE-2021-4467: Positive Technologies MaxPatrol 8 & XSpider Remote DoS

Positive Technologies MaxPatrol 8 and XSpider contain a remote denial-of-service vulnerability in the client communication service on TCP port 2002. The service generates a new session identifier for each incoming connection without adequately limiting concurrent requests. An unauthenticated remote attacker can repeatedly issue HTTPS requests to the service, causing excessive allocation of session identifiers. Under load, session identifier collisions may occur, forcing active client sessions to disconnect and resulting in service disruption.

HighCVSS 8.7Not KEV-listedUpdated
Glexia's TakeAutomated analysishigh

Security readout for executives and security teams

Plain-English summary

Two Positive Technologies vulnerability scanning products, MaxPatrol 8 and XSpider, contain a flaw that lets an unauthenticated attacker on the network knock the scanner's client service offline. By flooding the service with connection requests, the attacker exhausts session resources and forces legitimate users off, disrupting the security team's ability to run scans.

Executive priority

Treat as a near-term operational risk, not a data-breach risk. The vulnerability disrupts your vulnerability scanning capability, which can blind security operations during an incident. Prioritize network restriction this sprint and engage the vendor for a patch timeline.

Technical view

The client communication service on TCP/2002 issues a new session identifier per incoming HTTPS connection without rate limits or concurrency caps (CWE-400). Repeated unauthenticated requests cause session ID collisions, evicting active sessions. CVSS 4.0 scores 8.7 with availability-only impact (VA:H); confidentiality and integrity are unaffected. Public PoCs are referenced in the source bundle.

Likely exposure

Exposure is limited to organizations running MaxPatrol 8 or XSpider servers where TCP/2002 is reachable from untrusted networks. Internet-facing scanner consoles are higher risk; segmented deployments where management ports are restricted to admin VLANs see substantially lower practical exposure.

Exploitation context

Not listed in CISA KEV. The source bundle cites two public exploit references (vulners.com 1337DAY-ID-36775 and cxsecurity WLB-2021090114), indicating proof-of-concept material is available, but no cited source confirms active in-the-wild exploitation. Attack requires only network reach and no credentials.

Researcher notes

Pure availability flaw (CVSS VA:H, VC:N, VI:N) rooted in unbounded session ID allocation on the TCP/2002 client service. Affected version data is "0" / unknown in the bundle, so version triage requires vendor confirmation. PoCs are referenced publicly; treat any internet-exposed instance as opportunistically targetable. No fix is named in the cited sources — defer to Positive Technologies advisories.

Mitigation direction

  • Restrict TCP/2002 to trusted management networks via firewall or ACL.
  • Check Positive Technologies vendor guidance for an official fix or hardening advisory.
  • Place scanner consoles behind a VPN or jump host rather than on shared networks.
  • Monitor scanner availability and alert on abnormal disconnect rates.
  • Inventory MaxPatrol 8 and XSpider deployments and confirm exposure of port 2002.

Validation and detection

  • Identify all MaxPatrol 8 and XSpider servers and confirm versions in use.
  • Test reachability of TCP/2002 from untrusted network segments.
  • Review firewall and network segmentation policies covering scanner management ports.
  • Confirm with vendor support whether an updated build addresses CWE-400 session handling.
  • Verify monitoring captures scanner session drops and service restarts.
Prepared
Confidence
medium
Sources
6

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · low confidence lookup

CWE-400: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2021-4467 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
High
CVSS
8.7 (4.0)
Known Exploited
No
Published

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
0Timeline events
0ADP providers
5Source links

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
8.7CVSS 4.0HighCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:NPrimary CVE score

Vulnerability scoring details

Base CVSS 4.0 score

8.7High
CVSS 4.0 vector shape for CVE-2021-4467Attack VectorAttack ComplexityAttack RequirementsPrivileges RequiredUser InteractionVS ConfidentialityVS IntegrityVS AvailabilitySS ConfidentialitySS IntegritySS Availability

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Attack Requirements
NonePresent
Privileges Required
NoneLowHigh
User Interaction
NonePassiveActive
VS Confidentiality
HighLowNone
VS Integrity
HighLowNone
VS Availability
HighLowNone
SS Confidentiality
HighLowNone
SS Integrity
HighLowNone
SS Availability
HighLowNone
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
Positive TechnologiesMaxPatrol 8 (Server)0unknown
Positive TechnologiesXSpider (Server)0unknown
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-400 · source CWE mapping

Uncontrolled Resource Consumption

Uncontrolled Resource Consumption represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.