Data center: Ashburn, VA

Telegram Chat : MBHH_x86

Email Us:

Mobile Hacker For Hire, hire a hacker, hiring a hacker, hacker with proof

Hackers exploit critical Citrix ADC and Gateway zero day, patch now

Table of Contents


Citrix strongly urges admins to apply security updates for an ‘Critical’ zero-day vulnerability (CVE-2022-27518) in Citrix ADC and Gateway that is actively exploited by state-sponsored hackers to gain access to corporate networks.

This new vulnerability allows an unauthenticated attacker to execute commands remotely on vulnerable devices and take control over them.

Citrix is warning admins to install the latest update “as soon as possible” as the vulnerability is actively exploited in attacks.

“We are aware of a small number of targeted attacks in the wild using this vulnerability,” mentions Citrix in the security update accompanying the advisory.

“Customers who are using an affected build with a SAML SP or IdP configuration are urged to install the recommended builds immediately as this vulnerability has been identified as critical. No workarounds are available for this vulnerability.” – Citrix.

The vulnerability impacts the following versions of Citrix ADC and Citrix Gateway:

  • Citrix ADC and Citrix Gateway 13.0 before 13.0-58.32
  • Citrix ADC and Citrix Gateway 12.1 before 12.1-65.25
  • Citrix ADC 12.1-FIPS before 12.1-55.291
  • Citrix ADC 12.1-NDcPP before 12.1-55.291

The above versions are impacted only if the appliances are configured as a SAML SP (SAML service provider) or SAML IdP (SAML identity provider).

Administrators can determine how the device is configured by inspecting the “ns.conf” file for the following two commands:

add authentication samlAction
add authentication samlIdPProfile

Admins should immediately update their devices if the above configuration operations are found.

Citrix ADC and Citrix Gateway version 13.1 are not affected by CVE-2022-27518, so upgrading to it solves the security problem.

Those using older versions are recommended to upgrade to the latest available build for the 12.0 ( or 13.0 branch (

Also, Citrix ADC FIPS and Citrix ADC NDcPP should upgrade to versions 12.1-55.291 or later.

Those using Citrix-managed cloud services don’t have to take any action, as the vendor has already taken the appropriate remediation steps.

Additionally, system admins are urged to consult Citrix’s “best practices” for ADC appliances and implement the vendor’s security recommendations.

Exploited by state-sponsored hackers

While Citrix has not shared any details on how this new bug is being abused, the NSA has shared that the state-sponsored APT5 hackers (aka UNC2630 and MANGANESE) are actively exploiting the vulnerability in attacks.

“Active exploitation Citrix devices underway by APT5. @NSACyber threat hunting guidance linked below to identify and remediate this activity,” tooted NSA cybersecurity director Rob Joyce.

In a coordinated disclosure, the NSA has released an “APT5: Citrix ADC Threat Hunting Guidance” advisory with information on detecting if a device has been exploited and tips on securing Citrix ADC and Gateway devices.

“APT5 has demonstrated capabilities against Citrix® Application Delivery Controller™ (ADC™) deployments (“Citrix ADCs”). Targeting Citrix ADCs can facilitate illegitimate access to targeted organizations by bypassing normal authentication controls,” reads the NSA advisory released today.

“As such, NSA, in collaboration with partners, has developed this threat hunting guidance to provide steps organizations can take to look for possible artifacts of this type of activity. Please note that this guidance does not represent all techniques, tactics, or procedures (TTPs) the actors may use when targeting these environments” – National Security Agency

APT5 is believed to be a Chinese state-sponsored hacking group known to utilize zero-days in VPN devices to gain initial access and steal sensitive data.

In 2021, APT5 utilized a zero-day in Pulse Secure VPN devices to breach US Defense Industrial base (DIB) networks.

While APT5 is currently the only known threat actor abusing the vulnerability, now that it is disclosed, we will likely see other groups begin to utilize it shortly.

Hackers leveraged similar security issues in the past in attacks that led to initial access to corporate networks, ransomware, and data theft.

In 2019, a remote code execution flaw tracked as CVE-2019-19781 was discovered in Citrix ADC and Citrix Gateway and quickly became targeted by ransomware operations (12), state-supported APTs, opportunistic attackers that used mitigation bypasses, and more.

Exploitation became so widely abused that the Dutch government advised companies to turn off their Citrix ADC and Citrix Gateway devices until admins could apply security updates.

Leave a Reply

Your email address will not be published. Required fields are marked *

error: Content is protected !!