
State-sponsored attackers actively exploiting RCE in Citrix devices, patch ASAP! (CVE-2022-27518)
2022-12-13 13:27

An unauthenticated remote code execution flaw is being leveraged by a Chinese state-sponsored group to compromise Citrix Application Delivery Controller deployments, the US National Security Agency has warned.

"Targeting Citrix ADCs can facilitate illegitimate access to targeted organizations by bypassing normal authentication controls."

The zero-day flaw affects both Citrix ADC, which is usually leveraged for load-balanced, secure remote access to Citrix Virtual Apps and Desktops applications, and Citrix Gateway, a secure remote access solution with identity and access management capabilities, which also provides single sign-on for variously hosted applications.

Citrix's security bulletin lists the affected supported and unsupported versions, and notes that only customer-managed Citrix ADC and Citrix Gateway appliances require a swift update.

The company also lists a pre-condition for exploitation: only Citrix ADCs and Citrix Gateways that are configured as a SAML SP or a SAML IdP are at risk, and should be upgraded post-haste.

The NSA has published threat hunting guidance to help organizations investigate whether their Citrix ADC environments have been compromised, and has attributed observed attacks to APT5.


News URL

https://www.helpnetsecurity.com/2022/12/13/cve-2022-27518-exploited/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Citrix 115 20 174 75 63 332