adarma_logo_twgt-black[11615449]
adarma_logo_twgt-black[11615449]
Security Consulting
Strategy & Transformation
Security Engineering
Assessments
Threat Intelligence Exposure Management
Detection & Response
Managed SOC
Microsoft MDR Solution
Security Engineering
Incident Response
Socket Platform
About Us
We Are Adarma

Your partner for effective cyber threat management
ESG

Protecting the promise of cyber resilience
Partners

Working in partnership to make the world a safer place
Careers

Become a Cyber Defender
Contact Us

Get in touch today
Insights
Cyber Hub
Cyber Insiders
News & Blog
SIEM Transformation
Future-Ready SOC Report
SecOps Excellence
Events
Share:
December 14, 2022

Threat Advisory – Citrix ADC and Gateway RCE

14 December 2022 Published at 16.00

On 13/12/2022, Citrix released a security advisory and patches for CVE-2022-27518, a remote code execution vulnerability which is being actively exploited. This new vulnerability allows an unauthenticated attacker to execute commands remotely on vulnerable devices and take control over them.

CVE-2022-27518 affects several supported versions of Citrix Application Delivery Controller (ADC) and Citrix Gateway. Only Citrix ADC or Citrix Gateway device which are configured as a SAML SP or SAML IdP are vulnerable.

We recommend applying patches to affected devices as soon as possible. If patching is not possible, this vulnerability can be mitigated by disabling SAML authentication.

Attempts to leverage this exploit have been observed in the wild, with the majority of activity having been attributed to APT5 (UNC2630, MANGANESE).

Vulnerability Information

CVE-2022-27518 Remote Code Execution

CVSS 3.1 – *9.8

*Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2022-42475 is a remote code execution vulnerability affecting the below versions of Citrix ADC and Citrix Gateway:

– Citrix ADC and Citrix Gateway 13.0 before 13.0-58.32

– Citrix ADC and Citrix Gateway 12.1 before 12.1-65.25

– Citrix ADC 12.1-FIPS before 21.1-55.291

– Citrix ADC 12.1-NDcPP before 12.1-55.291

Citrix ADC and Citrix Gateway version 13.1 is unaffected.

CVE-2022-42475 is only exploitable on devices configured as a SAML SP or SAML IdP. An attacker who successfully exploited this vulnerability could remotely execute arbitrary commands.

*CVSS score and vector estimated based on available information.

Mitigation/Remediation

The vulnerability in this advisory can be remediated by applying the relevant patches as defined here. If patching is not possible, the only mitigation is to disable SAML authentication.

Recommended actions

– Identify all vulnerable hosts

– Deployment of patches to a test environment or pilot group if available

– Deployment of patches to main estate

– Deployment of mitigations to hosts that cannot be patched

– Continuous monitoring of vulnerable hosts & patch compliance

If you are unsure if your organisation may be affected by this vulnerability, please contact the Adarma team on help@adarma.com and one of our experts will be in touch.

Related Posts

Explore all
Blog
Jan 2025

Tips for Selecting the Right Tools for Your Security Operations Centre

Blog
Jan 2025

The Implications of the TikTok Ban on Cybersecurity: What CISOs Should Consider

Blog
Dec 2024

5 Key Takeaways from the NCSC Annual Review 2024

Contact Us