CVE-2022-27518: Critical Fix Released for Exploited Citrix ADC, Gateway Vulnerability

Emergent threats evolve quickly, and as we learn more about this vulnerability, this blog post will evolve, too.

On Tuesday, December 13, 2022, Citrix published Citrix ADC and Citrix Gateway Security Bulletin for CVE-2022-27518 announcing fixes for a critical unauthenticated remote code execution (RCE) vulnerability that exists in certain configurations of its Gateway and ADC products. This vulnerability has reportedly been exploited in the wild by state-sponsored threat actors.

In a blog post, Citrix states that no workarounds are available for this vulnerability and that customers running an impacted version (those with a SAML SP or IdP configuration) should update immediately.

Citrix is a high-value target for any capable attacker; earlier today, the National Security Agency (NSA) published Citrix ADC Threat Hunting Guidance warning that Citrix ADC is being targeted by state-sponsored adversaries.

Affected products

The following customer-managed product versions are affected by this vulnerability so long as the ADC or Gateway is configured as a SAML SP or a SAML IdP:

• Citrix ADC and Citrix Gateway 13.0 before 13.0-58.32
• Citrix ADC and Citrix Gateway 12.1 before 12.1-65.25
• Citrix ADC 12.1-FIPS before 12.1-55.291
• Citrix ADC 12.1-NDcPP before 12.1-55.291

Citrix’s blog post also contains information on how to determine if your configuration is a SAML SP or a SAML IdP.

Mitigation guidance

No workarounds are available; impacted organizations should update to one of the following versions on an emergency basis:

• Citrix ADC and Citrix Gateway 13.0-58.32 and later releases of 13.0
• Citrix ADC and Citrix Gateway 12.1-65.25 and later releases of 12.1
• Citrix ADC 12.1-FIPS 12.1-55.291 and later releases of 12.1-FIPS
• Citrix ADC 12.1-NDcPP 12.1-55.291 and later releases of 12.1-NDcPP

Rapid7 customers

InsightVM customers can assess their exposure to CVE-2022-27518 with the December 13, 2022 content release.