PatchSiren cyber security CVE debrief
CVE-2017-5571 Flexerasoftware CVE debrief
CVE-2017-5571 is an open redirect vulnerability in the lmadmin component of Flexera FlexNet Publisher 11.14.1 and earlier. According to the NVD record, this issue can let a remote attacker redirect users to arbitrary websites and support phishing attacks. The CVSS 3.0 vector is AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, which aligns with a user-interaction-driven web redirection issue rather than direct system compromise.
- Vendor: Flexerasoftware
- Product: CVE-2017-5571
- CVSS: MEDIUM 6.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-03-03
- Original CVE updated: 2026-05-13
- Advisory published: 2017-03-03
- Advisory updated: 2026-05-13
Who should care
Administrators and security teams responsible for Flexera FlexNet Publisher / lmadmin deployments, especially Citrix License Server for Windows and Citrix License Server VPX. End-user support teams should also care because the main risk is user redirection and phishing.
Technical summary
The source corpus identifies CWE-601 (open redirect) in lmadmin, with affected FlexNet Publisher versions up to and including 11.14.1. The issue is network-reachable, requires no privileges, and depends on user interaction. The primary impact is limited confidentiality and integrity exposure through deceptive redirection, not direct availability impact.
Defensive priority
Medium. Prioritize remediation on any exposed or user-facing deployment because the flaw can be used for phishing and trust abuse, especially where license-server links are shared externally or embedded in workflows.
Recommended defensive actions
- Inventory any deployments of Flexera FlexNet Publisher lmadmin and Citrix License Server for Windows/VPX.
- Upgrade or migrate away from affected versions at or below FlexNet Publisher 11.14.1, following vendor remediation guidance in the cited Citrix/Flexera-related advisories.
- Restrict access to admin and license-management interfaces to trusted networks or authenticated users only.
- Review any links or redirects generated by the application and apply allowlist-based validation where possible.
- Educate users to verify destination URLs before following license-server or support links.
- Monitor web logs for unusual redirect patterns or repeated requests to redirect-style endpoints.
- If external exposure cannot be eliminated quickly, place the service behind VPN, reverse proxy controls, or other access restrictions.
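The allowlist validation and log-monitoring actions above can share one check, shown here as an added example that is not from the advisory or from Flexera: it flags access-log requests whose query parameters carry an absolute or scheme-relative URL to a host outside an allowlist. The allowlisted host, the /login path, the next parameter and the log lines are constructed assumptions, since the source does not name lmadmin's redirect endpoint.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumption: hosts users may legitimately be redirected to (placeholder name).
ALLOWED_HOSTS = {"licenses.example.internal"}
# Request target inside a combined-format access log line.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Absolute or scheme-relative URL, tolerating extra slashes.
ABSOLUTE_RE = re.compile(r"(?i)^(?:https?:)?/{2,}(.*)")
# Constructed sample lines; /login and "next" are hypothetical, not lmadmin's real names.
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Mar/2017:10:00:00 +0000] "GET /login?next=/dashboard HTTP/1.1" 302 0',
    '192.0.2.11 - - [03/Mar/2017:10:00:05 +0000] "GET /login?next=https%3A%2F%2Fphish.example%2Fa HTTP/1.1" 302 0',
    '192.0.2.12 - - [03/Mar/2017:10:00:09 +0000] "GET /login?next=%252F%252Fphish.example HTTP/1.1" 302 0',
    '192.0.2.13 - - [03/Mar/2017:10:00:12 +0000] "GET /login?next=https://licenses.example.internal/ HTTP/1.1" 302 0',
    '192.0.2.14 - - [03/Mar/2017:10:00:15 +0000] "GET /login?next=https://licenses.example.internal@phish.example/ HTTP/1.1" 302 0',
]


def external_target(value, allowed=ALLOWED_HOSTS):
    """Return the off-site host a parameter value points to, or None if it stays on-site."""
    for _ in range(3):  # bounded re-decoding: catches double-encoded values
        value = unquote(value)
    # Browsers read "\" as "/" and drop whitespace/control characters in URLs.
    candidate = re.sub(r"[\x00-\x20]", "", value).replace("\\", "/")
    match = ABSOLUTE_RE.match(candidate)
    if not match:
        return None  # relative path: same origin
    try:
        host = (urlsplit("//" + match.group(1)).hostname or "").lower()
    except ValueError:
        host = ""  # malformed authority: report it rather than trust it
    return None if host in allowed else (host or "<unparseable>")


def scan(log_lines, allowed=ALLOWED_HOSTS):
    """Return (path, parameter, host) for every request carrying an off-site URL."""
    findings = []
    for line in log_lines:
        request = REQUEST_RE.search(line)
        if not request:
            continue
        target = urlsplit(request.group(1))
        for name, value in parse_qsl(target.query, keep_blank_values=True):
            host = external_target(value, allowed)
            if host:
                findings.append((target.path, name, host))
    return findings
```

The same external_target check can back a server-side or reverse-proxy allowlist: a redirect is followed only when the function returns None.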
Evidence notes
The NVD metadata for CVE-2017-5571 states an open redirect in lmadmin and maps the issue to CWE-601. It lists affected CPE criteria for flexerasoftware:flexnet_publisher versions up to and including 11.14.1 and provides the CVSS 3.0 vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The supplied reference set also includes Citrix, ICS-CERT, SecurityFocus, and Schneider Electric advisories, indicating multi-vendor awareness of the underlying FlexNet Publisher component.
Official resources
- CVE-2017-5571 CVE record (CVE.org)
- CVE-2017-5571 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference ([email protected] - Third Party Advisory, VDB Entry)
- Source reference
- Mitigation or vendor reference ([email protected] - Third Party Advisory)
- Source reference
- Source reference
- Source reference
Published in NVD on 2017-03-03T15:59:00.883Z; the supplied NVD record was last modified on 2026-05-13T00:24:29.033Z. The issue is described in the corpus as affecting Flexera FlexNet Publisher 11.14.1 and earlier, including Citrix License-