On Tuesday, June 14, 2022, Citrix released patches for multiple vulnerabilities, including CVE-2022-27511, an unauthenticated remote privilege escalation vulnerability affecting Citrix Application Delivery Management (ADM). The vulnerability allows an unauthenticated user to remotely corrupt an affected system to reset the administrator password at the next device reboot.
Successful exploitation allows a threat actor to gain initial access using the default credentials via SSH after a device reboot.
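The exploitation chain described above (system corrupted, administrator password reset at the next reboot, then SSH access with default credentials) suggests a simple correlation for defenders: an interactive admin SSH login shortly after an appliance reboot. The following is an added detection sketch, not code from Arctic Wolf or Citrix; the log line formats, the host name, the `admin` account name, and the 30-minute window are all assumptions, and the sample log is constructed.

```python
"""Detection sketch: flag an admin password login that follows an appliance reboot."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Constructed sample log (not captured from a real Citrix ADM); line formats are assumed.
SAMPLE_LOG = """\
2022-06-15T01:02:10Z adm01 kernel: system boot
2022-06-15T01:05:40Z adm01 sshd[1201]: Accepted password for admin from 203.0.113.5 port 51022 ssh2
2022-06-15T09:12:03Z adm01 sshd[2410]: Accepted password for admin from 198.51.100.7 port 40011 ssh2
"""

BOOT_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) kernel: system boot$")
# Only password logins matter here: default credentials imply password authentication.
SSH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted password for (?P<user>\S+) from (?P<src>\S+)"
)


@dataclass
class Alert:
    host: str
    user: str
    src: str
    login_ts: datetime
    boot_ts: datetime


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_post_reboot_admin_logins(log_text: str, admin_users=("admin",),
                                  window=timedelta(minutes=30)) -> list[Alert]:
    """Return one Alert per admin password login within `window` of that host's last boot.

    `admin_users` is a placeholder; substitute the appliance's real administrative account.
    """
    last_boot: dict[str, datetime] = {}  # host -> timestamp of the most recent boot seen
    alerts: list[Alert] = []
    for line in log_text.splitlines():
        m = BOOT_RE.match(line)
        if m:
            last_boot[m["host"]] = parse_ts(m["ts"])
            continue
        m = SSH_RE.match(line)
        if not m or m["user"] not in admin_users:
            continue
        boot = last_boot.get(m["host"])
        ts = parse_ts(m["ts"])
        # A login a few minutes after boot is the pattern worth a human look;
        # the later login falls outside the window and is left alone.
        if boot is not None and timedelta(0) <= ts - boot <= window:
            alerts.append(Alert(m["host"], m["user"], m["src"], ts, boot))
    return alerts
```

Run over real syslog from the appliance, the alert should be reviewed together with change records for the reboot, since a legitimate maintenance reboot followed by an admin login produces the same pattern.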
We have not observed a proof-of-concept (PoC) exploit published for this vulnerability; however, we assess that threat actors will focus their research efforts on developing a working exploit to gain initial access to critical environments running vulnerable versions of Citrix ADM in the near term.
Impacted Products
Product | Affected Versions | Fixed Versions
Citrix Application Delivery Management (ADM) | |
Recommendations
Recommendation #1: Apply the Available Updates or Upgrade to a Fixed Version of Citrix ADM
Our primary recommendation is to apply the patch provided by Citrix for this vulnerability as soon as possible against all affected systems.
Note: Arctic Wolf recommends following change management best practices by testing the workaround in a dev environment before deploying to production systems.
Patch information for the affected systems can be found here.