Detect and mitigate CVE-2022-27518, a Citrix ADC and Gateway unauthenticated RCE 0-day exploited in the wild by a nation state actor. Organizations should patch urgently.
Analysis Summary
# Vulnerability: Unauthenticated Arbitrary Code Execution in Citrix ADC/Gateway (CVE-2022-27518)
## CVE Details
- CVE ID: CVE-2022-27518
- CVSS Score: Not explicitly provided, but implied High due to RCE and active exploitation.
- CWE: Not explicitly provided.
## Affected Systems
- Products: Citrix Application Delivery Controller (ADC), formerly NetScaler, and Citrix Gateway.
- Versions:
- Citrix ADC and Gateway 13.0: all versions earlier than 13.0-58.32
- Citrix ADC and Gateway 12.1: all versions earlier than 12.1-65.25
- Citrix ADC 12.1-FIPS: all versions earlier than 12.1-55.291
- Citrix ADC 12.1-NDcPP: all versions earlier than 12.1-55.291
- Configurations: Limited to customer-managed Citrix ADC/Gateway appliances configured with a SAML Service Provider (SP) or SAML Identity Provider (IdP) configuration (check `ns.conf` for `add authentication samlAction` or `add authentication samlIdPProfile`). Installations managed by Citrix are *not* affected.
## Vulnerability Description
This is a zero-day vulnerability that allows an unauthenticated remote attacker to execute arbitrary code on a vulnerable Citrix appliance. Successful exploitation lets the attacker bypass the appliance's authentication controls and gain access to the targeted organization's environment.
## Exploitation
- Status: Exploited in the wild (by APT5).
- Complexity: Not explicitly detailed, but RCE with unauthenticated access suggests **Low** to **Medium** complexity for successful initial access.
- Attack Vector: Network.
## Impact
- Confidentiality: High (Implied, due to access bypass).
- Integrity: High (Implied, due to arbitrary code execution).
- Availability: High (Implied, due to appliance compromise).
## Remediation
### Patches
Upgrade to the following safe versions or newer:
- Citrix ADC and Gateway 12.1: Version **12.1-65.25** or later.
- Citrix ADC and Gateway 13.0: Version **13.0-88.16** or later.
- Citrix ADC and Gateway 13.1: Any build (This branch is unaffected).
### Workarounds
If patching is not immediately feasible, customers should **disable SAML authentication** on affected appliances, if possible. No action is required for customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication.
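To triage which appliances need the patch or the SAML workaround, the following added example (not code from the advisory, Citrix, or Wiz) checks a build string against the "earlier than" boundaries listed under Affected Systems and scans an `ns.conf` for the `samlAction` / `samlIdPProfile` lines named above. The build variant (`standard`, `fips`, `ndcpp`) and the sample `ns.conf` are assumptions constructed for the example.

```python
import re

# Minimum fixed builds per branch, from the "Affected Systems" list of this advisory.
# Keys: (branch, variant). 13.1 has no entry because that branch is unaffected.
FIXED_BUILDS = {
    ("13.0", "standard"): (58, 32),
    ("12.1", "standard"): (65, 25),
    ("12.1", "fips"): (55, 291),    # 12.1-FIPS is its own build line
    ("12.1", "ndcpp"): (55, 291),   # 12.1-NDcPP is its own build line
}

# ns.conf lines that indicate a SAML SP (samlAction) or SAML IdP (samlIdPProfile) configuration.
SAML_PATTERNS = (
    re.compile(r"^add authentication samlAction\b"),
    re.compile(r"^add authentication samlIdPProfile\b"),
)

# Constructed sample ns.conf fragment (not from any real appliance).
SAMPLE_NS_CONF = """\
set ns config -IPAddress 192.0.2.10 -netmask 255.255.255.0
add authentication samlAction saml_sp_act -samlIdPCertName idp_cert -samlRedirectUrl "https://idp.example/sso"
add authentication vserver auth_vs SSL 192.0.2.11 443
"""

def parse_build(version):
    """Split a build string such as '13.0-58.32' into ('13.0', (58, 32))."""
    m = re.fullmatch(r"(\d+\.\d+)-(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised build string: {version!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))

def saml_configured(ns_conf):
    """Return the ns.conf lines that configure SAML as SP or IdP."""
    return [line for line in ns_conf.splitlines()
            if any(p.match(line.strip()) for p in SAML_PATTERNS)]

def assess(version, ns_conf, variant="standard"):
    """Return (exposed, reason): exposed only if the build predates the fix AND SAML is configured."""
    branch, build = parse_build(version)
    fixed = FIXED_BUILDS.get((branch, variant))
    if fixed is None:
        return False, f"branch {branch} ({variant}) is not listed as affected"
    if build >= fixed:  # tuple comparison: major build first, then minor
        return False, f"build {version} is at or above fixed build {branch}-{fixed[0]}.{fixed[1]}"
    hits = saml_configured(ns_conf)
    if not hits:
        return False, "build predates the fix, but no SAML SP/IdP configuration found in ns.conf"
    return True, f"build predates the fix and SAML is configured: {hits[0]}"

if __name__ == "__main__":
    print(assess("13.0-47.24", SAMPLE_NS_CONF))          # exposed: patch or disable SAML
    print(assess("12.1-55.291", SAMPLE_NS_CONF, "fips"))  # FIPS line is already fixed
```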
## Detection
- Indicators of Compromise: Refer to the NSA guidance document for specific IOCs related to APT5 activity.
- Detection Methods and Tools:
- The NSA has published the cybersecurity advisory CSA-APT5-CITRIXADC-V1.PDF (linked under References) with threat hunting guidance for this activity.
- Wiz customers can use the pre-built query and advisory in the Wiz Threat Center.
## References
- Vendor advisory: support.citrix.com/article/CTX474995/citrix-adc-and-citrix-gateway-security-bulletin-for-cve202227518
- Vendor blog: citrix.com/blogs/2022/12/13/critical-security-update-now-available-for-citrix-adc-citrix-gateway/
- Threat Hunting Guidance: media.defense.gov/2022/Dec/13/2003131586/-1/-1/0/CSA-APT5-CITRIXADC-V1.PDF