CVE-2022-27518: Actively Exploited Remote Code Execution Vulnerability in Citrix ADC and Citrix Gateway

Share :

On December 13th, 2022, Citrix disclosed a critical remote code execution vulnerability (CVE-2022-27518) affecting several versions of Citrix ADC and Citrix Gateway. 

Citrix strongly advises affected customers to update to a supported version as soon as possible.  

While no public proof-of-concept exploit code is available for this vulnerability, Citrix has observed several instances of targeted exploitation. This vulnerability has been exploited in several targeted attacks by APT5, a Chinese state-aligned group. In the last 15 years, APT5 has targeted telecommunications, technology, and defense companies, seeking to exfiltrate confidential information. 

Vulnerability Scope 

The vulnerability described in this bulletin only applies to Citrix ADC and Citrix Gateway instances that are configured as a SAML Service Provider or a SAML Identity Provider. 

To determine if an instance of Citrix ADC/Citrix Gateway is a SAML Provider or SAML Identity Provider: 

  1. Refer to the following Citrix Knowledgebase article describing the process of reviewing ns.conf: How to Obtain ns.conf File from NetScaler  
  2. Review the contents of ns.conf, looking for a line with “add authentication samlAction” or “add authentication samlIdPProfile”. 
  3. If one of the lines in the previous step is present in ns.conf and one of the affected versions of Citrix ADC or Citrix Gateway listed below is installed, then the appliance is vulnerable and should be upgraded as soon as possible. 

For an up-to-date version of these instructions, please refer to the security advisory from Citrix for CVE-2022-27518. 

Affected Versions: 

  • Citrix ADC and Citrix Gateway 13.0 before 13.0-58.32  
  • Citrix ADC and Citrix Gateway 12.1 before 12.1-65.25  
  • Citrix ADC 12.1-FIPS before 12.1-55.291  
  • Citrix ADC 12.1-NDcPP before 12.1-55.291  

Recommendation: Upgrade to Patched Versions of Citrix ADC or Citrix Gateway 

Affected customers are strongly recommended to download and install one of the following updated versions as soon as possible:  

  • Citrix ADC and Citrix Gateway 13.0-58.32 and later releases  
  • Citrix ADC and Citrix Gateway 12.1-65.25 and later releases of 12.1  
  • Citrix ADC 12.1-FIPS 12.1-55.291 and later releases of 12.1-FIPS   
  • Citrix ADC 12.1-NDcPP 12.1-55.291 and later releases of 12.1-NDcPP  

Citrix ADC and Citrix Gateway versions prior to 12.1 are EOL and customers on those versions are recommended to upgrade to one of the supported versions.  

Please follow your organization’s patching and testing guidelines to avoid any operational impact. 


Adrian Korn

Adrian Korn

Adrian Korn is a seasoned cyber security professional with 7+ years' experience in cyber threat intelligence, threat detection, and security operations. He currently serves as the Manager of Threat Intelligence Research at Arctic Wolf Labs. Adrian has been a guest speaker on intelligence related topics at numerous conferences around the world, including DEF CON's Recon Village, Hackfest, and the Australian OSINT Symposium.
Share :
Table of Contents
Subscribe to our Monthly Newsletter