Citrix and NSA urge admins to fix actively exploited zero-day in Citrix ADC and Gateway

Pierluigi Paganini December 13, 2022

Citrix urges customers to update their installs to fix actively exploited zero-day (CVE-2022-27518) in Citrix ADC and Gateway.

Citrix urges administrators to apply security updates for a zero-day vulnerability, tracked as CVE-2022-27518, in Citrix ADC and Gateway. The vulnerability is actively exploited by China-linked threat actors to gain access to target networks.

“We are aware of a small number of targeted attacks in the wild using this vulnerability.” reads a blog post published by the technology giant.

An unauthenticated, remote attacker can trigger the vulnerability to gain arbitrary code execution on the vulnerable appliance. 

“A vulnerability has been discovered in Citrix Gateway and Citrix ADC, listed below, that, if exploited, could allow an unauthenticated remote attacker to perform arbitrary code execution on the appliance. ” reads the advisory published by the company. “Exploits of this issue on unmitigated appliances in the wild have been reported. The company strongly urges affected customers of Citrix ADC and Citrix Gateway to install the relevant updated versions of Citrix ADC or Gateway as soon as possible”

According to the company, the vulnerability impacts Citrix ADC and Citrix Gateway 12.1 and 13.0 before 13.0-58.32 builds. ADC and Gateway version 13.1 is unaffected. 

The company urges customers who are using an impacted build with a SAML SP or IdP configuration to install the recommended versions immediately.

The advisory points out that there are no workarounds for this vulnerability.

Administrators can determine the configuration of their installation by inspecting the “ns.conf” file for the following two commands:

  • add authentication samlAction (Appliance is configured as a SAML SP)
  • add authentication samlIdPProfile (Appliance is configured as a SAML IdP)

The National Security Agency (NSA) has also released a Cybersecurity Advisory (CSA) with detection and mitigation guidance for tools leveraged by a malicious actor against ADC and Gateway. 

According to the intelligence agency, China-linked APT5 hackers (aka UNC2630 and MANGANESE) demonstrated capabilities against Application Delivery Controller (ADC™) deployments.

“As such, NSA, in collaboration with partners, has developed this threat hunting guidance to provide steps organizations can take to look for possible artifacts of this type of activity. Please note that this guidance does not represent all techniques, tactics, or procedures (TTPs) the actors may use when targeting these environments.” reads the NSA’s advisory. “This activity has been attributed to APT5, also known as UNC2630 and MANGANESE.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, APT5)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment