By security practitioners, for security practitioners

Critical Citrix ADC and Gateway Zero-Day Actively Exploited

Citrix has announced the release of an update to Citrix ADC and Gateway Appliance which patches CVE-2022-27518, a critical zero-day RCE that is being actively exploited in recent threat campaigns, according to the NSA.

It’s highly recommended to apply the update ASAP. See the Resources section at the bottom of this email for links.

Vulnerability Details

CVE-2022-27518 impacts Citrix ADC and Gateway appliances configured as a SAML Identity Provider (IdP) or Service Provider (SP). An unauthenticated threat actor can exploit this vulnerability to perform arbitrary code execution on the device.

Affected Versions

Impacted versions, according to the most recent Citrix advisory:

  • Citrix ADC and Citrix Gateway 13.0 before 13.0-58.32 
  • Citrix ADC and Citrix Gateway 12.1 before 12.1-65.25 
  • Citrix ADC 12.1-FIPS before 12.1-55.291 
  • Citrix ADC 12.1-NDcPP before 12.1-55.291 

Citrix ADC and Citrix Gateway version 13.1 is unaffected. 

No action is required for Citrix-managed cloud services or Citrix-managed Adaptive Authentication customers, only for appliance owners.

To determine if the device is configured as a SAML IdP or SP, inspect ns.conf for the following commands:

add authentication samlAction
add authentication samlIdPProfile
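
An added example, not from the original advisory or from Citrix: a Python triage script that applies the affected-build list and the two ns.conf commands above to a saved configuration file. It assumes ns.conf begins with a `#NS<release> Build <build>` header comment and that the FIPS or NDcPP edition is supplied by the caller; the sample configuration and the names in it are constructed.

```python
import re

# First fixed build per release, taken from the affected-versions list above.
FIXED_BUILDS = {
    "13.0": (58, 32),
    "12.1": (65, 25),
    "12.1-FIPS": (55, 291),
    "12.1-NDcPP": (55, 291),
}
# The two ns.conf commands named above; commented-out lines do not match.
SAML_RE = re.compile(r"^[ \t]*add\s+authentication\s+(samlAction|samlIdPProfile)\b", re.I | re.M)
# Assumption: ns.conf starts with a header comment such as "#NS13.0 Build 58.30".
HEADER_RE = re.compile(r"^#NS(\d+\.\d+)\s+Build\s+(\d+)\.(\d+)", re.M)

def saml_roles(conf_text):
    """Return the SAML roles configured: samlAction -> SP, samlIdPProfile -> IdP."""
    return {"SP" if m.group(1).lower() == "samlaction" else "IdP"
            for m in SAML_RE.finditer(conf_text)}

def assess(conf_text, edition=None):
    """Classify one ns.conf; edition is None, "FIPS" or "NDcPP", supplied by the caller."""
    roles = saml_roles(conf_text)
    header = HEADER_RE.search(conf_text)
    if not header:
        return {"status": "unknown", "roles": roles}
    release = header.group(1)
    build = (int(header.group(2)), int(header.group(3)))
    result = {"release": release, "build": build, "roles": roles}
    key = f"{release}-{edition}" if edition else release
    if release == "13.1":
        result["status"] = "unaffected"
    elif key not in FIXED_BUILDS:
        result["status"] = "unknown"      # release not covered by the list above
    elif build >= FIXED_BUILDS[key]:
        result["status"] = "fixed"
    else:
        # Vulnerable build: most urgent when a SAML SP or IdP is configured.
        result["status"] = "update-urgent" if roles else "update"
    return result

# Constructed sample, not taken from a real appliance.
SAMPLE_CONF = """#NS13.0 Build 58.30
# add authentication samlIdPProfile old_profile
add authentication samlAction example_sp_action -samlIdPCertName example_idp_cert
"""

if __name__ == "__main__":
    print(assess(SAMPLE_CONF))
```
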


Please review current versions of the Citrix advisories to ensure you have updated information about the vulnerability and the threat it poses.

It is urgently recommended to update vulnerable versions, especially if configured as SAML IdP or SAML SP. No workarounds have been provided by Citrix, so applying updates is the only recourse.

Review the NSA advisory for more details about the active threat campaign utilizing CVE-2022-27518. It is extensive and includes threat hunting advice, detection signatures, YARA rules, and additional proactive steps that can be taken to stem this threat in particular.


Resources

  1. Citrix bulletin for CVE-2022-27518:
  2. Additional Documentation from Citrix:
  3. Citrix Updates Downloads:
  4. NSA Advisory:
  5. CISA Advisory:
  6. MITRE:
  7. BleepingComputer Article: