Citrix ADC and Gateway Zero-Day Under Active Exploitation: What You Need to Know

The U.S. National Security Agency (NSA) released an advisory regarding the exploitation of a zero-day vulnerability affecting Citrix ADC (Application Delivery Controller) and Citrix Gateway products.

Tell me more about this vulnerability

NSA attributed the activity to the Chinese state-sponsored threat activity group APT5, also known as UNC2630 and MANGANESE.

Citrix released a separate advisory regarding updates to patch the vulnerability, which is tracked as CVE-2022-27518. The vulnerability affects the following Citrix ADC and Citrix Gateway versions:

• Citrix ADC and Citrix Gateway 13.0 before 13.0-58.32
• Citrix ADC and Citrix Gateway 12.1 before 12.1-65.25
• Citrix ADC 12.1-FIPS before 12.1-55.291
• Citrix ADC 12.1-NDcPP before 12.1-55.291

The above versions are affected only if the devices are configured with an SAML (Security Assertion Markup Language) service provider (SP) or identity provider (IdP) configuration.

Citrix ADC and Citrix Gateway version 13.1 are not affected by vulnerability.

What is Nuspire doing?

Nuspire is not affected by this vulnerability.

What should I do?

NSA and Citrix recommend the following steps to mitigate the activity:

• Move all Citrix ADC instances behind a VPN or other capability that requires valid user authentication (ideally multi-factor) prior to accessing the ADC.
• Ensure that your Citrix ADC appliances are running a current version with the latest updates.
• Organizations using the affected builds should either update to the current 12.1 build (including FIPS and NDcPP variants) or to the current 13.0 build (13.0-88.16). Organizations using an affected build with a SAML SP or IdP configuration should install the current build immediately. As an alternative, organizations may upgrade to the 13.1 version, which is not affected.
• Organizations using Citrix ADC or Citrix Gateway instances on an SDX platform will need to upgrade VPX instances (the underlying SDX platform itself is not affected). Likewise, Citrix ADC configurations that do not use SAML authentication (e.g., traditional load balancing configurations) and related products such as Citrix Application Delivery Management (ADM) and Citrix SD-WAN are not affected.