14 December 2022 Published at 16.00
On 13/12/2022, Citrix released a security advisory and patches for CVE-2022-27518, a remote code execution vulnerability which is being actively exploited. This new vulnerability allows an unauthenticated attacker to execute commands remotely on vulnerable devices and take control over them.
CVE-2022-27518 affects several supported versions of Citrix Application Delivery Controller (ADC) and Citrix Gateway. Only Citrix ADC or Citrix Gateway devices that are configured as a SAML SP or SAML IdP are vulnerable.
We recommend applying patches to affected devices as soon as possible. If patching is not possible, this vulnerability can be mitigated by disabling SAML authentication.
Attempts to leverage this exploit have been observed in the wild, with the majority of activity having been attributed to APT5 (UNC2630, MANGANESE).
CVE-2022-27518 Remote Code Execution
CVSS 3.1 – *9.8
CVE-2022-27518 is a remote code execution vulnerability affecting the following versions of Citrix ADC and Citrix Gateway:
– Citrix ADC and Citrix Gateway 13.0 before 13.0-58.32
– Citrix ADC and Citrix Gateway 12.1 before 12.1-65.25
– Citrix ADC 12.1-FIPS before 12.1-55.291
– Citrix ADC 12.1-NDcPP before 12.1-55.291
Citrix ADC and Citrix Gateway version 13.1 is unaffected.
CVE-2022-27518 is only exploitable on devices configured as a SAML SP or SAML IdP. An attacker who successfully exploits this vulnerability can remotely execute arbitrary commands.
*CVSS score and vector estimated based on available information.
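To support the "identify all vulnerable hosts" step, the following is an added example (not code from Adarma or Citrix) that turns the affected-version list above into a triage check. It parses a Citrix version string in either the advisory's "13.0-58.32" form or the "NetScaler NS13.0: Build 58.32.nc" form that `show ns version` prints (the latter format is an assumption), compares the build against the fixed build for the release line, and combines that with whether SAML is configured. The FIPS/NDcPP variant cannot be read from the version string alone, so the caller supplies it; the host inventory at the bottom is constructed sample data.

```python
import re
from typing import NamedTuple

# Fixed builds from the advisory, keyed by (variant, (major, minor)).
# A device on that release line is affected if its build is lower than the fixed build.
FIXED_BUILDS = {
    ("standard", (13, 0)): (58, 32),
    ("standard", (12, 1)): (65, 25),
    ("FIPS", (12, 1)): (55, 291),
    ("NDcPP", (12, 1)): (55, 291),
}

# Matches "13.0-58.32" and "NS13.0: Build 58.32.nc" (second form assumed from 'show ns version').
_VERSION_RE = re.compile(r"(?:NS)?(\d+)\.(\d+)(?:-|:\s*Build\s+)(\d+)\.(\d+)")


class Version(NamedTuple):
    major: int
    minor: int
    build: int
    subbuild: int


def parse_version(text: str) -> Version:
    """Extract major.minor-build.subbuild from a Citrix ADC/Gateway version string."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised Citrix version string: {text!r}")
    return Version(*(int(g) for g in m.groups()))


def assess(version_text: str, saml_configured: bool, variant: str = "standard") -> tuple:
    """Return (status, reason) for one device.

    status is one of:
      not_affected  - release line not listed in the advisory (e.g. 13.1)
      patched       - listed release line, build at or above the fixed build
      needs_patch   - vulnerable build but SAML not configured, so not exploitable today
      exposed       - vulnerable build and SAML SP/IdP configured: patch or disable SAML now
    """
    v = parse_version(version_text)
    key = (variant, (v.major, v.minor))
    if key not in FIXED_BUILDS:
        return ("not_affected", f"{variant} {v.major}.{v.minor} is not a listed release line")
    fixed = FIXED_BUILDS[key]
    if (v.build, v.subbuild) >= fixed:
        return ("patched", f"build {v.build}.{v.subbuild} >= fixed build {fixed[0]}.{fixed[1]}")
    if not saml_configured:
        return ("needs_patch", "vulnerable build, but SAML SP/IdP not configured")
    return ("exposed", "vulnerable build with SAML configured; patch or disable SAML")


def triage(hosts: list) -> list:
    """Run assess() over an inventory of dicts with name/version/saml/variant keys."""
    report = []
    for h in hosts:
        status, reason = assess(h["version"], h["saml"], h.get("variant", "standard"))
        report.append({"name": h["name"], "status": status, "reason": reason})
    # Most urgent first: exposed, then needs_patch, then the rest.
    order = {"exposed": 0, "needs_patch": 1, "patched": 2, "not_affected": 3}
    report.sort(key=lambda r: order[r["status"]])
    return report


# Constructed sample inventory (not real hosts).
SAMPLE_HOSTS = [
    {"name": "gw-edge-01", "version": "NetScaler NS13.0: Build 58.31.nc", "saml": True},
    {"name": "gw-edge-02", "version": "13.0-58.32", "saml": True},
    {"name": "adc-lab-01", "version": "13.1-33.47", "saml": True},
    {"name": "adc-core-01", "version": "12.1-64.17", "saml": False},
    {"name": "adc-fips-01", "version": "12.1-55.290", "saml": True, "variant": "FIPS"},
]

if __name__ == "__main__":
    for row in triage(SAMPLE_HOSTS):
        print(f"{row['name']:<12} {row['status']:<13} {row['reason']}")
```

Devices reported as `needs_patch` still need the fix: the SAML condition only describes current exploitability, and a later configuration change would turn them into `exposed` without any change in the software.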
The vulnerability in this advisory can be remediated by applying the relevant patches as defined here. If patching is not possible, the only mitigation is to disable SAML authentication.
– Identify all vulnerable hosts
– Deploy patches to a test environment or pilot group, if available
– Deploy patches to the main estate
– Deploy mitigations to hosts that cannot be patched
– Continuously monitor vulnerable hosts and patch compliance
If you are unsure if your organisation may be affected by this vulnerability, please contact the Adarma team on email@example.com and one of our experts will be in touch.