Shittrix — 89 vulnerabilities in Citrix XenServer / XCP-ng, day-0 disclosure

Surfacing a major write-up that landed last week and deserves wider attention.

Shittrix (https://shittrix.moksha.dk/) is a public security audit of Citrix XenServer and XCP-ng (XAPI) by independent researcher Jakob Wolffhechel of Moksha (Copenhagen), published April 24, 2026.

What was disclosed

  • 89 independently exploitable vulnerabilities rooted in 5 architectural failures
  • 5 critical findings (CVSS 9.1–9.9) enabling full host compromise from a low-privilege guest, including:
    • BOC-1 (CVSS 9.9) — arbitrary host device mounting via VBD configuration
    • SMC-1 (CVSS 9.9) — storage protocol injection through hypervisor-as-proxy
    • VOC-1 (CVSS 9.9) — system domain privilege escalation
    • PDC-1 / PDC-2 (CVSS 9.1) — iSCSI and NFS server redirection
  • Every writable Map(String,String) field across 8 object types has zero input validation
  • Conditions traceable back to ~2006 — every shipped version of XenServer is in scope

Cross-VM data exfiltration, filesystem read/write, and cross-hypervisor-boundary impact on shared storage extend exposure to Proxmox, VMware, and Nutanix deployments sharing backends with affected XenServer/XCP-ng hosts.

Why it’s a day-0 release

Wolffhechel went out without an embargo, citing a lack of vendor responsiveness and CVE pipeline delays. He’s holding patches privately and has extended a conditional offer to Vates only. Detection rules (42 across 5 categories) are available on request.

Advisory hub: https://cna.moksha.dk/
Researcher contact: jakob@wolffhechel.dk / Signal +45 3170 7337

A note on disclosure channels — they were discoverable

We want to be fair to both sides here. The framing in the advisory leans on “no bug bounty program, no contact pipeline.” Worth flagging for the community that the channels were in fact publicly discoverable:

  • Cloud Software Group (Citrix’s parent) runs a HackerOne program
  • CSG CSIRT is a FIRST member with a published team page and email (csirt@cloud.com)
  • Standard PSIRT conventions (security@citrix.com) and CERT/CC (VINCE) coordination were also available as escalation paths

That doesn’t dispute the researcher’s experience — vendor responsiveness is a separate question from whether channels exist — but it’s important context when the community debates the day-0 decision. “Discoverable channels were ignored / slow” is a different critique than “no channels existed,” and the disclose.io project cares about getting that distinction right.

Why this matters for disclose.io

This is the gap we exist to close. Whether the channels were missed, ignored, or judged inadequate, the meta-problem is that finding a vendor’s real disclosure path still costs researchers more time than it should — and “I couldn’t find one” is still the most common justification for skipping coordination.

If you’re a researcher trying to find a real security contact at a vendor before considering day-0, https://lookup.disclose.io/ takes any input — domain, IP, email, URL, ASN — and resolves it to the organization behind it, plus their disclosure program, safe harbor status, PSIRT membership, and security contacts. (For the record: a lookup of citrix.com surfaces the CSG HackerOne program and the FIRST CSIRT entry above in a couple of seconds.)

— shared in the spirit of “make vulnerability disclosure safe, simple, and standardized.”