CVE-2022-27510: Citrix Gateway and Citrix ADC Critical Authentication Bypass Vulnerability, along with CVE-2022-27513 & CVE-2022-27516

Share :

On November 8th, 2022, Citrix disclosed a critical authentication bypass (CVE-2022-27510), a remote desktop takeover (CVE-2022-27513), and a user login brute force protection functionality bypass (CVE-2022-27516) vulnerability affecting several versions of Citrix ADC and Citrix Gateway.  

This bulletin only applies to customer-managed Citrix ADC and Citrix Gateway appliances as Citrix-managed cloud services are not affected.  

A threat actor could leverage these vulnerabilities in specific circumstances:  

  • CVE-2022-27510: Critical authentication bypass using an alternate path or channel which can only be exploited if the appliance is configured as a VPN (Gateway). 
  • CVE-2022-27513: Insufficient verification of data authenticity allowing remote desktop takeover through phishing attacks. This vulnerability can only be exploited if the appliance is configured as a VPN (Gateway) and the RDP proxy functionality is configured. 
  • CVE-2022-27516: User login brute force protection mechanism failure allowing login bypass. This vulnerability can only be exploited if the appliance is configured as a VPN (Gateway) or AAA virtual server, and the user lockout functionality “Max Login Attempts” must be configured. 

Affected Versions: 

  • Citrix ADC and Citrix Gateway 13.1 before 13.1-33.47  
  • Citrix ADC and Citrix Gateway 13.0 before 13.0-88.12  
  • Citrix ADC and Citrix Gateway 12.1 before 
  • Citrix ADC 12.1-FIPS before 12.1-55.289  
  • Citrix ADC 12.1-NDcPP before 12.1-55.289  

Several vulnerabilities listed in CISA’s Known Exploited Vulnerabilities Catalog have impacted Citrix ADC and Citrix Gateway in the past. Arctic Wolf Labs strongly recommends upgrading to the patched versions on the impacted devices to prevent potential exploitation. 

Recommendation: Upgrade to Patched Versions of Citrix ADC or Citrix Gateway 

Affected customers are recommended to download and install the following updated versions as soon as possible:  

  • Citrix ADC and Citrix Gateway 13.1-33.47 and later releases  
  • Citrix ADC and Citrix Gateway 13.0-88.12 and later releases of 13.0   
  • Citrix ADC and Citrix Gateway 12.1-65.21 and later releases of 12.1   
  • Citrix ADC 12.1-FIPS 12.1-55.289 and later releases of 12.1-FIPS   
  • Citrix ADC 12.1-NDcPP 12.1-55.289 and later releases of 12.1-NDcPP  

Citrix ADC and Citrix Gateway versions prior to 12.1 are EOL and customers on those versions are recommended to upgrade to one of the supported versions.  

Please follow your organizations’ patching and testing guidelines to avoid any operational impact. 


Picture of Adrian Korn

Adrian Korn

Adrian Korn is a seasoned cyber security professional with 7+ years' experience in cyber threat intelligence, threat detection, and security operations. He currently serves as the Manager of Threat Intelligence Research at Arctic Wolf Labs. Adrian has been a guest speaker on intelligence related topics at numerous conferences around the world, including DEF CON's Recon Village, Hackfest, and the Australian OSINT Symposium.
Share :
Table of Contents
Subscribe to our Monthly Newsletter