On 13/12/2022, Citrix released a security advisory and patches for CVE-2022-27518, a remote code execution vulnerability which is being actively exploited. This new vulnerability allows an unauthenticated attacker to execute commands remotely on vulnerable devices and take control over them.
CVE-2022-27518 affects several supported versions of Citrix Application Delivery Controller (ADC) and Citrix Gateway. Only Citrix ADC or Citrix Gateway devices that are configured as a SAML SP or SAML IdP are vulnerable.
We recommend applying patches to affected devices as soon as possible. If patching is not possible, this vulnerability can be mitigated by disabling SAML authentication.
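Because exposure hinges on the SAML SP or SAML IdP configuration, the first thing a defender wants is an inventory of which appliances actually carry one. The following POSIX shell script is an added example, not part of the advisory or any Citrix tooling: it inspects an exported Citrix ADC / Gateway configuration offline and reports whether SAML SP actions (`add authentication samlAction`) or SAML IdP profiles (`add authentication samlIdPProfile`) are present. It assumes the standard `/nsconfig/ns.conf` command syntax and ships with two constructed sample configurations; it tells you whether a device is in the vulnerable configuration, not whether it is patched, so the patch-level check against Citrix's advisory is still required.

```shell
#!/bin/sh
# Added example (not from the advisory or from Citrix): offline check of a
# Citrix ADC / Gateway configuration export for the SAML SP / SAML IdP
# configuration that puts a device in scope for CVE-2022-27518.
# Assumptions: ns.conf syntax, where SAML SP is "add authentication samlAction"
# and SAML IdP is "add authentication samlIdPProfile". Only active "add" lines
# count; commented-out lines are ignored.

# count_saml_sp FILE -> prints the number of SAML SP actions (samlAction)
count_saml_sp() {
    grep -c -E '^[[:space:]]*add[[:space:]]+authentication[[:space:]]+samlAction[[:space:]]' "$1" || true
}

# count_saml_idp FILE -> prints the number of SAML IdP profiles (samlIdPProfile)
count_saml_idp() {
    grep -c -E '^[[:space:]]*add[[:space:]]+authentication[[:space:]]+samlIdPProfile[[:space:]]' "$1" || true
}

# saml_configured FILE -> exit 0 if the device acts as SAML SP or IdP, 1 otherwise
saml_configured() {
    sp=$(count_saml_sp "$1")
    idp=$(count_saml_idp "$1")
    [ "$sp" -gt 0 ] || [ "$idp" -gt 0 ]
}

# report_saml_exposure FILE -> human-readable verdict on stdout
report_saml_exposure() {
    sp=$(count_saml_sp "$1")
    idp=$(count_saml_idp "$1")
    printf 'SAML SP actions (samlAction):       %s\n' "$sp"
    printf 'SAML IdP profiles (samlIdPProfile): %s\n' "$idp"
    if [ "$sp" -gt 0 ] || [ "$idp" -gt 0 ]; then
        echo "VERDICT: SAML configured -> in scope for CVE-2022-27518; apply the Citrix patch, or disable SAML authentication if patching is not possible"
    else
        echo "VERDICT: no SAML SP/IdP configuration found -> not in the vulnerable configuration (still verify the patch level)"
    fi
}

# Constructed sample configurations (not real device exports), written to
# temporary files whose paths are exported in SAML_CONF and PLAIN_CONF.
make_sample_configs() {
    SAML_CONF=$(mktemp)
    PLAIN_CONF=$(mktemp)
    cat > "$SAML_CONF" <<'EOF'
set ns config -IPAddress 10.0.0.1 -netmask 255.255.255.0
add authentication samlAction saml_sp_act -samlIdPCertName idp_cert -samlRedirectUrl "https://idp.example.test/sso"
add authentication policy saml_sp_pol -rule true -action saml_sp_act
add authentication samlIdPProfile saml_idp_prof -samlIdPCertName adc_cert -assertionConsumerServiceURL "https://sp.example.test/acs"
EOF
    cat > "$PLAIN_CONF" <<'EOF'
set ns config -IPAddress 10.0.0.1 -netmask 255.255.255.0
add authentication ldapAction ldap_act -serverIP 10.0.0.5
# add authentication samlAction old_act -samlIdPCertName idp_cert
add authentication policy ldap_pol -rule true -action ldap_act
EOF
}

# Usage: sh check_saml.sh /nsconfig/ns.conf
# With no argument, runs against the constructed samples as a demonstration.
if [ "$#" -gt 0 ]; then
    report_saml_exposure "$1"
else
    make_sample_configs
    echo "== constructed sample with SAML ==";    report_saml_exposure "$SAML_CONF"
    echo "== constructed sample without SAML =="; report_saml_exposure "$PLAIN_CONF"
    rm -f "$SAML_CONF" "$PLAIN_CONF"
fi
```

Run it against a copy of each appliance's `ns.conf` (or a `show running` export) gathered by your normal configuration backup; anything reporting SAML configured goes to the front of the patch queue, and if the patch cannot be applied, the SAML authentication policy bindings it lists are what the mitigation in this note asks you to disable.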
Exploitation attempts have been observed in the wild, with the majority of activity having been attributed to APT5 (UNC2630, MANGANESE).