Citrix ADC and Gateway zero day under active exploitation

The NSA said that APT5, a suspected Chinese nation-state threat group, is actively exploiting the Citrix zero-day flaw, which affects the vendor's ADC and Gateway products.

A newly disclosed critical vulnerability in two Citrix products is under active exploitation, according to a security advisory published by the vendor Tuesday.

The flaw, CVE-2022-27518, affects Citrix ADC, an application delivery controller, and Citrix Gateway, a secure remote access tool. Citrix provided very few technical details for the vulnerability, citing the need to "protect customers from exploits" in a blog post released alongside Citrix's security advisory. The vendor also said the flaw was being actively exploited by threat actors.

The advisory said the zero day could let an authenticated attacker achieve remote code execution and that customers with a vulnerable version of either product with a SAML SP or IdP configuration should update immediately to the latest version released Tuesday. No workaround is currently available.

Affected versions include the following:

  • Citrix ADC and Citrix Gateway 13.0 before 13.0-58.32
  • Citrix ADC and Citrix Gateway 12.1 before 12.1-65.25
  • Citrix ADC 12.1-FIPS before 12.1-55.291
  • Citrix ADC 12.1-NDcPP before 12.1-55.291

"All customers using the affected builds should either update to the current 12.1 build (including FIPS and NDcPP variants) or to the current 13.0 build (13.0-88.16)," said Peter Lefkowitz, chief security and trust officer for Citrix's Cloud Software Group, in the blog post. "Customers using an affected build with a SAML SP or IdP configuration are urged to install the current build immediately. As an alternative, customers may upgrade to the 13.1 version, which is not affected."
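The affected-version list and the upgrade guidance above translate directly into an inventory check a defender can run. The following is an added example, not code from Citrix or from this article: it encodes the four fixed builds named in the advisory, parses the `major.minor-build.sub` build string format the advisory uses, and flags each appliance according to the guidance (affected build with a SAML SP or IdP configuration means update immediately). The host inventory, the `variant` and `saml` fields, and all hostnames and build numbers in it are constructed for illustration; release trains not listed in the advisory (such as 13.1) are treated as not affected.

```python
import re

# Fixed builds from the Citrix advisory as quoted in the article, keyed by
# (release train, variant). Any build older than the fixed build is affected.
# Variant keys are upper-cased so "NDcPP" and "ndcpp" both match.
FIXED_BUILDS = {
    ("13.0", ""): "13.0-58.32",
    ("12.1", ""): "12.1-65.25",
    ("12.1", "FIPS"): "12.1-55.291",
    ("12.1", "NDCPP"): "12.1-55.291",
}

# Citrix build strings look like "13.0-58.32": major.minor-build.sub
_BUILD_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")


def parse_build(build: str) -> tuple:
    """Split a Citrix ADC/Gateway build string into four integers."""
    m = _BUILD_RE.match(build.strip())
    if not m:
        raise ValueError(f"unrecognised Citrix build string: {build!r}")
    return tuple(int(x) for x in m.groups())


def is_affected_build(build: str, variant: str = "") -> bool:
    """True when the build is older than the advisory's fixed build for its
    release train and variant (FIPS / NDcPP have their own thresholds).
    Trains the advisory does not list (e.g. 13.1) return False."""
    major, minor, num, sub = parse_build(build)
    key = (f"{major}.{minor}", variant.strip().upper())
    fixed = FIXED_BUILDS.get(key)
    if fixed is None:
        return False
    # Compare only the build.sub part; the train already matched via the key.
    return (num, sub) < parse_build(fixed)[2:]


def triage(hosts: list) -> list:
    """Return (hostname, action) pairs following the advisory's guidance:
    affected builds with a SAML SP/IdP configuration update immediately,
    other affected builds still need the fixed build, the rest are fine."""
    result = []
    for h in hosts:
        if not is_affected_build(h["build"], h.get("variant", "")):
            action = "ok"
        elif h.get("saml", False):
            action = "update immediately"
        else:
            action = "update"
        result.append((h["name"], action))
    return result


# Constructed sample inventory (hypothetical hostnames and build numbers).
SAMPLE_INVENTORY = [
    {"name": "adc-edge-01", "build": "13.0-58.30", "saml": True},
    {"name": "gw-branch-02", "build": "12.1-65.25", "saml": True},
    {"name": "adc-fips-03", "build": "12.1-55.290", "variant": "FIPS", "saml": False},
    {"name": "adc-plain-04", "build": "12.1-60.19", "saml": True},
    {"name": "adc-new-05", "build": "13.1-30.10", "saml": True},
]

if __name__ == "__main__":
    for name, action in triage(SAMPLE_INVENTORY):
        print(f"{name:14} {action}")
```

Note that the variant matters: a 12.1-60.19 build is affected on the standard train (fixed at 12.1-65.25) but would already be above the FIPS/NDcPP threshold of 12.1-55.291, so feeding the wrong variant into the check produces the wrong answer. Pulling the variant from the appliance itself rather than from a spreadsheet avoids that mistake.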

The U.S. National Security Agency (NSA) published an additional security advisory. While also light on details, it includes indicators of compromise and YARA signatures to help customers detect malicious activity.

Moreover, the NSA advisory attributed the exploitation activity to APT5 (also known as Manganese), an Asia-based threat actor that frequently targets telecommunication companies and is suspected of having nation-state affiliations with China.

Citrix has not responded to TechTarget Editorial's request for comment at press time.

Several vulnerabilities in Citrix ADC and Gateway products have emerged in recent years, some of which have been exploited by threat actors. For example, a directory traversal flaw tracked as CVE-2019-19781 was first disclosed in December 2019, but patches for Citrix ADC and Gateway weren't released until the following month. The Cybersecurity and Infrastructure Security Agency warned in October that CVE-2019-19781 was one of several known vulnerabilities that have been exploited in attacks by state-sponsored actors connected to China.

Alexander Culafi is a writer, journalist and podcaster based in Boston.
