CVE-2021-4467

Positive Technologies MaxPatrol 8 & XSpider Remote DoS

Assigner: VulnCheck
Reserved: 14.11.2025 Published: 14.11.2025 Updated: 18.11.2025

Positive Technologies MaxPatrol 8 and XSpider contain a remote denial-of-service vulnerability in the client communication service on TCP port 2002. The service generates a new session identifier for each incoming connection without adequately limiting concurrent requests. An unauthenticated remote attacker can repeatedly issue HTTPS requests to the service, causing excessive allocation of session identifiers. Under load, session identifier collisions may occur, forcing active client sessions to disconnect and resulting in service disruption.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CVSS Score: 8.7

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	None	Confidentiality	None
Attack Complexity	Low	Integrity	None	Integrity	None
Attack Requirements	None	Availability	High	Availability	None
Privileges Required	None
User Interaction	None

CVSS 4.0

Product Status

Vendor	Positive Technologies
Product	MaxPatrol 8 (Server)
Versions	Default: unknown affected from 0 to 09.2020 (incl.)

Vendor

Positive Technologies

Product

MaxPatrol 8 (Server)

Versions

Default: unknown

affected from 0 to 09.2020 (incl.)

Vendor	Positive Technologies
Product	XSpider (Server)
Versions	Default: unknown affected from 0 to 09.2020 (incl.)

Vendor

Positive Technologies

Product

XSpider (Server)

Versions

Default: unknown

affected from 0 to 09.2020 (incl.)

Credits

AsCiI finder

References

Problem Types

CWE-400 Uncontrolled Resource Consumption CWE

Impacts

CAPEC-227 Sustained Client Engagement