CVE-2022-27518: Critical 0-day vulnerability in Citrix ADC and Gateway

CVE-2022-27518

Citrix has started rolling out security patches for a critical vulnerability in ADC and Gateway software that attackers started exploiting in the wild earlier this month.

Tracked as CVE-2022-27518, is an improper control of a resource through its lifetime issue that could allow unauthenticated remote attackers to execute arbitrary code on several versions of Citrix ADC and Gateway products.

CVE-2022-27518

The following supported versions of Citrix ADC and Citrix Gateway are affected by this vulnerability:

  • Citrix ADC and Citrix Gateway 13.0 before 13.0-58.32
  • Citrix ADC and Citrix Gateway 12.1 before 12.1-65.25
  • Citrix ADC 12.1-FIPS before 12.1-55.291
  • Citrix ADC 12.1-NDcPP before 12.1-55.291

The company said it’s “aware of a small number of targeted attacks in the wild using this vulnerability.

CVE-2022-27518 affects Citrix ADC and Citrix Gateway only if the appliances are configured as a SAML SP (SAML service provider) or SAML IdP (SAML identity provider) by inspecting the ns.conf file for the following commands:

  • add authentication samlAction
  • add authentication samlIdPProfile

As part of its first batch of updates, Citrix today released permanent patches for Citrix ADC and Citrix Gateway 12.0 (12.1.65.25) or 13.0 branch (13.0.88.16). Citrix ADC FIPS and Citrix ADC NDcPP should upgrade to versions 12.1-55.291 or later.

Customers using an affected build are urged to install the recommended updates immediately as this vulnerability has been identified as critical (CTX474995). We are aware of a small number of targeted attacks in the wild using this vulnerability,” Citrix warns.