Jakob Wolffhechel, an independent security researcher operating as Moksha in Copenhagen, Denmark, conducted a 9-week audit of XAPI - the management toolstack that controls Citrix XenServer and XCP-ng hypervisors. He found 89 independently exploitable security vulnerabilities rooted in a single class of missing input validation. The vulnerabilities have existed since the software was first written, approximately 20 years ago. Every version of Citrix XenServer ever released is affected. A user with the lowest delegated management role can achieve full control of the hypervisor host, read any virtual machine's data, and move laterally across the datacenter - through single API calls, with no exploit code and no security alerts.
The findings were disclosed publicly on 2026-04-24 without vendor pre-notification. The researcher consulted a cybersecurity lawyer before publication, submitted CVE reservations to MITRE 15 days in advance (no response), and notified CERT/CC one day before release. Citrix was not contacted because XenServer is excluded from its bug bounty program and because Citrix, acting as its own CVE Numbering Authority, controls the severity assigned to its own CVEs.
| Metric | Value |
|---|---|
| Independently exploitable vulnerabilities | 89 |
| Critical findings (CVSS 9.1 - 9.9) | 5 |
| High findings (CVSS 7.0 - 8.9) | 28 |
| Audit duration | 9 weeks, one researcher |
| Exposure window | ~20 years (since XAPI was first written, ~2006) |
| Affected versions | All - every version of Citrix XenServer / Hypervisor |
| Fix size | ~200 lines of OCaml (the programming language XAPI is written in) |
| Proof-of-concept scripts | 124 (Python, shared framework) |
| IDS detection rules | 74 (in Sigma format, convertible to any SIEM) |
XAPI is the management stack for Citrix XenServer (a commercial hypervisor sold to enterprises) and XCP-ng (its open-source counterpart). A hypervisor is the software layer that runs virtual machines in datacenters. XAPI controls which virtual machines run on which physical servers, how they access storage, and who is allowed to manage them.
When XAPI is compromised, the attacker controls the hypervisor. This means access to every virtual machine on the server, every disk, every network connection, and every credential stored in those virtual machines. The vulnerabilities found in this audit allow this level of access from the lowest management role - equivalent to giving a janitor the keys to every office in the building because the lock manufacturer never checked what keys were being cut.
Jakob Wolffhechel is an independent security researcher based in Copenhagen, Denmark. He operates as Moksha, a single-person consultancy. The research was self-funded with no vendor sponsorship, no bug bounty compensation, and no competing commercial interests. All testing was conducted on infrastructure owned by the researcher.
| Resource | URL |
|---|---|
| Main disclosure page | shittrix.moksha.dk |
| Per-advisory site (89 advisories) | cna.moksha.dk |
| GNA #117 (GCVE Numbering Authority) | gcve.eu/gna |
| FAQ | shittrix.moksha.dk/faq |
| Disclosure timeline | shittrix.moksha.dk/timeline |
| Disclosure rationale | shittrix.moksha.dk/rationale |
| Architectural root causes | shittrix.moksha.dk/architecture |
All material on shittrix.moksha.dk and cna.moksha.dk may be quoted, excerpted, and referenced freely with attribution to Jakob Wolffhechel, Moksha. No permission request is needed. Screenshots of the advisory pages are welcome.
Email: jakob@wolffhechel.dk
Signal (preferred for sensitive discussion): +45 3170 7337
Phone: +45 3170 7337
The researcher is available for interviews, background briefings, and technical walkthroughs. Signal is preferred for pre-publication discussion.