Citrix has announced the release of an update to Citrix ADC and Gateway Appliance which patches CVE-2022-27518, a critical zero-day RCE that is being actively exploited in recent threat campaigns, according to the NSA.
It’s highly recommended to apply the update ASAP. See the Resources section at the bottom of this email for links.
CVE-2022-27518 affects Citrix ADC and Citrix Gateway appliances configured as a SAML Identity Provider (IdP) or Service Provider (SP). An unauthenticated threat actor can exploit this vulnerability to execute arbitrary code on the device.
Impacted versions, according to the most recent Citrix advisory:
- Citrix ADC and Citrix Gateway 13.0 before 13.0-58.32
- Citrix ADC and Citrix Gateway 12.1 before 12.1-65.25
- Citrix ADC 12.1-FIPS before 12.1-55.291
- Citrix ADC 12.1-NDcPP before 12.1-55.291
Citrix ADC and Citrix Gateway version 13.1 is unaffected.
No action is required for Citrix-managed cloud services or Citrix-managed Adaptive Authentication customers, only for appliance owners.
To determine whether the appliance is configured as a SAML IdP or SP, inspect ns.conf for the following commands:
    add authentication samlAction
    add authentication samlIdPProfile
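As an added triage helper that is not part of this advisory or of any Citrix tooling, the Python below encodes the impacted-versions list above and scans ns.conf text for the two SAML commands; the train label for the 12.1 FIPS/NDcPP builds and the sample ns.conf lines are assumptions constructed for the example.

```python
import re

# Fixed builds per release line, from the advisory's impacted-versions list; a build
# earlier than the fixed one is vulnerable and 13.1 is unaffected. The train label
# ("", "FIPS", "NDcPP") is supplied by the operator (an assumption in this example).
FIXED_BUILDS = {
    ("13.0", ""): (58, 32),
    ("12.1", ""): (65, 25),
    ("12.1", "FIPS"): (55, 291),
    ("12.1", "NDcPP"): (55, 291),
}
# ns.conf commands that show a SAML SP (samlAction) or IdP (samlIdPProfile) setup.
SAML_COMMANDS = ("add authentication samlAction", "add authentication samlIdPProfile")
VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")  # e.g. 13.0-58.32

def parse_version(version):
    """Split '13.0-58.32' into ('13.0', (58, 32)) so builds compare numerically."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError("unrecognised version string: %r" % version)
    release, major, minor = m.groups()
    return release, (int(major), int(minor))

def is_affected(version, train=""):
    """True when the build is older than the fixed build for its release/train."""
    release, build = parse_version(version)
    fixed = FIXED_BUILDS.get((release, train))
    if fixed is None:
        return False  # 13.1 and any line the advisory does not list
    return build < fixed

def saml_commands_present(ns_conf_text):
    """Return the SAML commands found in ns.conf text, in the order first seen."""
    found = []
    for line in ns_conf_text.splitlines():
        for cmd in SAML_COMMANDS:
            if line.strip().startswith(cmd) and cmd not in found:
                found.append(cmd)
    return found

# Constructed sample ns.conf excerpt (not taken from a real appliance).
SAMPLE_NS_CONF = """\
add authentication samlAction saml_sp_act -samlIdPCertName idp_cert
add authentication Policy saml_pol -rule true -action saml_sp_act
"""

if __name__ == "__main__":
    print(is_affected("13.0-58.31"), saml_commands_present(SAMPLE_NS_CONF))
```

A build that is affected and whose ns.conf returns a non-empty list is the highest-priority case; an affected build with an empty list still needs the update, since no workaround exists.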
Please review current versions of the Citrix advisories to ensure you have updated information about the vulnerability and the threat it poses.
It is urgently recommended to update vulnerable versions, especially if configured as SAML IdP or SAML SP. No workarounds have been provided by Citrix, so applying updates is the only recourse.
Review the NSA advisory for more details about the active threat campaign utilizing CVE-2022-27518. It is extensive and includes threat hunting advice, detection signatures, YARA rules, and additional proactive steps that can be taken to stem this threat in particular.
Resources:
- Citrix bulletin for CVE-2022-27518:
- Additional Documentation from Citrix:
- Citrix Updates Downloads:
- NSA Advisory:
- CISA Advisory:
- BleepingComputer Article: