Security readout for executives and security teams
Plain-English summary
Two Positive Technologies vulnerability scanning products, MaxPatrol 8 and XSpider, contain a flaw that lets an unauthenticated attacker on the network knock the scanner's client service offline. By flooding the service with connection requests, the attacker exhausts session resources and forces legitimate users off, disrupting the security team's ability to run scans.
Executive priority
Treat as a near-term operational risk, not a data-breach risk. The vulnerability disrupts your vulnerability scanning capability, which can blind security operations during an incident. Prioritize network restriction this sprint and engage the vendor for a patch timeline.
Technical view
The client communication service on TCP/2002 issues a new session identifier per incoming HTTPS connection without rate limits or concurrency caps (CWE-400). Repeated unauthenticated requests cause session ID collisions, evicting active sessions. CVSS 4.0 scores 8.7 with availability-only impact (VA:H); confidentiality and integrity are unaffected. Public PoCs are referenced in the source bundle.
Likely exposure
Exposure is limited to organizations running MaxPatrol 8 or XSpider servers where TCP/2002 is reachable from untrusted networks. Internet-facing scanner consoles are higher risk; segmented deployments where management ports are restricted to admin VLANs see substantially lower practical exposure.
Exploitation context
Not listed in CISA KEV. The source bundle cites two public exploit references (vulners.com 1337DAY-ID-36775 and cxsecurity WLB-2021090114), indicating proof-of-concept material is available, but no cited source confirms active in-the-wild exploitation. Attack requires only network reach and no credentials.
Researcher notes
Pure availability flaw (CVSS VA:H, VC:N, VI:N) rooted in unbounded session ID allocation on the TCP/2002 client service. Affected version data is "0" / unknown in the bundle, so version triage requires vendor confirmation. PoCs are referenced publicly; treat any internet-exposed instance as opportunistically targetable. No fix is named in the cited sources — defer to Positive Technologies advisories.
Mitigation direction
- Restrict TCP/2002 to trusted management networks via firewall or ACL.
- Check Positive Technologies vendor guidance for an official fix or hardening advisory.
- Place scanner consoles behind a VPN or jump host rather than on shared networks.
- Monitor scanner availability and alert on abnormal disconnect rates.
- Inventory MaxPatrol 8 and XSpider deployments and confirm exposure of port 2002.
Validation and detection
- Identify all MaxPatrol 8 and XSpider servers and confirm versions in use.
- Test reachability of TCP/2002 from untrusted network segments.
- Review firewall and network segmentation policies covering scanner management ports.
- Confirm with vendor support whether an updated build addresses CWE-400 session handling.
- Verify monitoring captures scanner session drops and service restarts.
Public sources used
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
CWE-400: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Open ATT&CK lookupCVE-2021-4467 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
Open ATT&CK lookup- Severity
- High
- CVSS
- 8.7 (4.0)
- Known Exploited
- No
- Published
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CNA and ADP enrichment extracted from CVE v5
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
CVSS vector scores
1 official scoreWe collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N——Primary CVE scoreVulnerability scoring details
Base CVSS 4.0 score
8.7HighVector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Source materials
- CVE List V5 sourceCVE List V5
- https://vulners.com/zdt/1337DAY-ID-36775CVE reference · exploit
- https://cxsecurity.com/issue/WLB-2021090114CVE reference · exploit
- https://www.ptsecurity.com/CVE reference · product
- https://www.vulncheck.com/advisories/positive-technologies-maxpatrol-8-and-xspider-remote-dosCVE reference · third-party-advisory
Products and packages named in the record
CWE details
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
Uncontrolled Resource Consumption
Uncontrolled Resource Consumption represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
