zero-day vulnerability affects Citrix products (December 16, 2022)

Ref# AL2022_88Critical | Date: Dec 16th 2022


A critical zero-day vulnerability was spotted in Citrix Application Delivery Controller (ADC) and Gateway that is being actively exploited by state-sponsored hackers. 


Citrix released a security update on December 13 to address a critical vulnerability in its Citrix ADC and Gateway products. The vulnerability was recorded by MITRE as CVE-2022-27518 and allows an unauthenticated attacker to execute commands remotely on the affected systems. The affected versions of the product are as follows: 

  • Citrix ADC and Citrix Gateway 13.0 before 13.0-58.32 

  • Citrix ADC andCitrixGateway12.1before12.1-65.25 

  • Citrix ADC 12.1-FIPS before 12.1-55.291 

  • Citrix ADC 12.1-NDcPP before 12.1-55.291 

Citrix ADC and Citrix Gateway version 13.1 are unaffected by this vulnerability. A pre-condition for this vulnerability states that the Citrix ADC and Gateway must be configured in a certain Security Assertion Markup Language (SAML). Moreover, these products are vulnerable when configured as a SAML Service Provider (SP) or a SAML Identity Provider (IdP). 

While Citrix did not disclose too much information on the incident, the National Security Agency (NSA) shared that a state-sponsored APT group called APT5 (aka UNC2630 and MANGANESE) are responsible and actively exploits this vulnerability in attacks. APT5 is believed to be a Chinese state-sponsored hacking group that is notorious for utilizing zero-day vulnerabilities in VPN devices to gain unauthorized remote access and steal data. 


If your Citrix ADC and Gateway applications are the affected versions mentioned above, Citrix recommends updating these applications to the latest versions as soon as possible. The URLs below will guide to the updated installers: 

Additionally, to confirm which SAML the applications are currently using, the ns.conf file can be inspected for the following line: 

  • add authentication samlAction – SAML SP configuration 

  • add authentication samlIdPProfile – SAML IdP configuration 

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.     

PDF Download: Critical zero-day vulnerability affects Citrix.pdf