Citrix ADC and Gateway Zero-Day Vulnerability Actively Exploited by Hackers

A zero-day vulnerability in Citrix ADC and Gateway is being actively exploited, according to the U.S. National Security Agency (NSA), which on Tuesday named the APT5 hacking group as the actor behind the campaign.

CVE-2022-27518 is a critical remote code execution vulnerability that attackers can exploit to run commands remotely on vulnerable appliances and seize control of them.

Successful exploitation, however, requires the Citrix ADC or Citrix Gateway appliance to be configured as a SAML service provider (SP) or a SAML identity provider (IdP).

Citrix ADC and Citrix Gateway versions affected by the vulnerability –

  • Citrix ADC and Citrix Gateway 13.0 before 13.0-58.32
  • Citrix ADC and Citrix Gateway 12.1 before 12.1-65.25
  • Citrix ADC 12.1-FIPS before 12.1-55.291
  • Citrix ADC 12.1-NDcPP before 12.1-55.291

Citrix ADC and Citrix Gateway version 13.1 is not vulnerable. However, there are no workarounds available “beyond disabling SAML authentication or upgrading to a current build.”
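As an added example (not from the article or from Citrix), the following Python checks an appliance build string and an ns.conf excerpt against the affected-version list and the SAML precondition above. The `NS13.0: Build 58.32.nc` version-string format and the `samlAction`/`samlIdPProfile` configuration keywords are assumptions, and the ns.conf excerpt is constructed.

```python
import re

# Affected ranges from the advisory: (release branch, variant) -> first fixed build.
# Builds strictly below the fixed build are affected; 13.1 is not affected at all.
FIXED_BUILDS = {
    ("13.0", ""): (58, 32),
    ("12.1", ""): (65, 25),
    ("12.1", "FIPS"): (55, 291),
    ("12.1", "NDcPP"): (55, 291),
}

def parse_version(text):
    """Parse a build string such as 'NS13.0: Build 58.32.nc' (format assumed from
    'show ns version' output) into (branch, (build_major, build_minor))."""
    m = re.search(r"NS(\d+\.\d+):\s*Build\s+(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("unrecognised version string: %r" % text)
    return m.group(1), (int(m.group(2)), int(m.group(3)))

def saml_configured(ns_conf):
    """True if the config defines a SAML SP action or a SAML IdP profile
    (the 'samlAction' / 'samlIdPProfile' keywords are assumed)."""
    return any(re.search(r"^add authentication saml(Action|IdPProfile)\b",
                         line.strip(), re.I)
               for line in ns_conf.splitlines())

def is_affected(version_text, ns_conf, variant=""):
    """Vulnerable only if the build predates the fix AND SAML SP/IdP is configured."""
    branch, build = parse_version(version_text)
    fixed = FIXED_BUILDS.get((branch, variant))
    if fixed is None:  # e.g. 13.1, which the advisory lists as not vulnerable
        return False
    return build < fixed and saml_configured(ns_conf)

# Constructed sample ns.conf excerpt with a SAML SP action defined.
SAMPLE_CONF = """
add authentication samlAction sp_example -samlIdPCertName idp_cert -samlRedirectUrl "https://idp.example/sso"
add authentication Policy pol_saml -rule true -action sp_example
"""

if __name__ == "__main__":
    print(is_affected("NS13.0: Build 58.30.nc", SAMPLE_CONF))          # True
    print(is_affected("NS13.0: Build 58.32.nc", SAMPLE_CONF))          # False
    print(is_affected("NS12.1: Build 55.290.nc", SAMPLE_CONF, "FIPS")) # True
    print(is_affected("NS13.1: Build 33.47.nc", SAMPLE_CONF))          # False
```

A patched build, a 13.1 build, or an appliance with no SAML SP/IdP configuration all report not affected.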

The virtualization services provider is aware of a “small number of targeted attacks in the wild” using the flaw. They recommend applying the latest patch to unmitigated systems to protect against possible future damage.

APT5, also known as Bronze Fleetwood, Keyhole Panda, Manganese, and UNC2630, has been linked to Chinese interests. Mandiant revealed last year that they have seen espionage activity targeting verticals that would align with the priorities outlined in China’s 14th Five-Year Plan.

In October 2018, cybercriminals used the CVE-2021-22893 exploit to deploy malicious web shells and siphon valuable data from enterprise networks.

The NSA has claimed that APT5 has discovered vulnerabilities in Citrix Application Delivery Controllers, making them an easy target for malicious hackers. This is especially troublesome because it lets attackers bypass standard authentication methods.

Microsoft has alerted us to the threats that Chinese hackers pose to our information. In the past, they have discovered zero-days and used them to their advantage before anyone else was aware of them.

Fortinet made a major vulnerability in FortiOS SSL-VPN devices (CVE-2018-3597, 9.3 CVSS score) public on Wednesday; the Citrix bug was revealed just a day later.

VMware releases updates for code execution vulnerabilities

VMware disclosed two critical flaws that impact ESXi, Fusion, Workstation, and vRealize Network Insight (vRNI) that could result in command injection and code execution.

  • CVE-2022-31702 (CVSS score: 9.8) – Command injection vulnerability in vRNI
  • CVE-2022-31703 (CVSS score: 7.5) – Directory traversal vulnerability in vRNI
  • CVE-2022-31705 (CVSS score: 5.9/9.3) – Heap out-of-bounds write vulnerability in EHCI controller

The company mentioned in a security bulletin for CVE-2022-31705, “On ESXi, the exploitation is contained within the VMX sandbox whereas, on Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed.”
