Thousands of Citrix Servers Vulnerable to Patched Critical Flaws

Thousands of Citrix ADC and Gateway deployments exposed to the Internet were found to still be vulnerable to two critical-severity vulnerabilities that have recently been patched. Chained together, the two vulnerabilities allow threat actors to execute commands remotely on vulnerable devices without credentials, effectively giving them control of the systems.

The two flaws found to be exploitable on thousands of systems are CVE-2022-27510 and CVE-2022-27518. The first is an authentication bypass; the second allows unauthenticated attackers to execute commands. Patches for them have been available since November 8th and December 13th, respectively.

Of the 28,000 Citrix servers discovered on the Internet, 3,500 were found vulnerable to CVE-2022-27518 and over 1,000 vulnerable to CVE-2022-27510. An additional 3,000 servers were found vulnerable to both, based on the version number of the running Citrix application. CVE-2022-27518 has been seen exploited by threat actors in the wild, underscoring the criticality of the patches released by Citrix.

Analyst Notes

It is highly recommended to patch any Citrix devices in an organization’s environment as soon as possible if they are vulnerable to either of these vulnerabilities. Since at least one of them is known to be actively exploited by threat actors, the sooner the devices are patched, the less chance a threat actor has to compromise them and spread throughout the organization. Organizations should update their Citrix applications to the latest available versions, which fixes these issues along with any other vulnerabilities discovered since. It is also highly recommended to implement and maintain a consistent patching cycle for all devices, particularly Internet-facing ones. Applications like Citrix are a common target for threat actors because of their popularity among enterprises, so keeping them consistently up to date on patches helps prevent a threat actor from obtaining a foothold in an organization’s environment.
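Both the survey described above and the patching advice in these notes come down to the same inventory question: given the build string a Citrix ADC or Gateway reports, does that build predate the fixed build for its release branch? The Python below is an added example written for this brief; it is not code from the original post or from Citrix. The host names, the inventory and, most importantly, the fixed-build thresholds are constructed placeholders, so the real cut-off builds for each CVE and branch must be taken from Citrix’s advisories before this is used against a real fleet.

```python
import re
from typing import Dict, List, Optional, Tuple

# Citrix ADC/Gateway builds are reported as "<major>.<minor>-<build>.<patch>",
# e.g. "13.0-88.12": the branch is "13.0" and the build within it is 88.12.
_BUILD_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")

# Branch -> minimum build that carries the fix, per CVE.
# PLACEHOLDER values constructed for this example; replace with the fixed
# builds listed in Citrix's advisories for CVE-2022-27510 and CVE-2022-27518.
SAMPLE_ADVISORIES: Dict[str, Dict[str, Tuple[int, int]]] = {
    "CVE-2022-27510": {"13.1": (30, 0), "13.0": (80, 0), "12.1": (65, 0)},
    "CVE-2022-27518": {"13.1": (30, 0), "13.0": (58, 0), "12.1": (65, 25)},
}

# Constructed asset inventory: hostname -> build string reported by the device.
SAMPLE_INVENTORY: Dict[str, str] = {
    "gw-01.example.internal": "13.1-33.0",
    "gw-02.example.internal": "13.0-57.9",
    "gw-03.example.internal": "12.1-65.10",
    "gw-04.example.internal": "11.1-65.0",
}


def parse_build(version: str) -> Tuple[str, Tuple[int, int]]:
    """Split a build string into its branch ("13.0") and a comparable (build, patch) tuple."""
    match = _BUILD_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised Citrix build string: {version!r}")
    major, minor, build, patch = (int(x) for x in match.groups())
    return f"{major}.{minor}", (build, patch)


def is_vulnerable(version: str, fixed_builds: Dict[str, Tuple[int, int]]) -> Optional[bool]:
    """True if the build predates the fix for its branch, False if it carries the fix.

    Returns None when the branch is not covered by the fixed-build table, so a
    host on an unlisted branch is surfaced for manual review instead of being
    silently reported as safe.
    """
    branch, build = parse_build(version)
    fixed = fixed_builds.get(branch)
    if fixed is None:
        return None
    return build < fixed  # tuple comparison: (57, 9) < (58, 0) is True


def triage_inventory(
    inventory: Dict[str, str],
    advisories: Dict[str, Dict[str, Tuple[int, int]]],
) -> Dict[str, List[str]]:
    """Map each host to the CVEs whose fix it lacks, flagging branches the table does not cover."""
    report: Dict[str, List[str]] = {}
    for host, version in inventory.items():
        findings: List[str] = []
        for cve, fixed_builds in advisories.items():
            status = is_vulnerable(version, fixed_builds)
            if status is True:
                findings.append(cve)
            elif status is None:
                findings.append(f"{cve}:branch-not-in-table")
        report[host] = sorted(findings)
    return report


if __name__ == "__main__":
    for host, findings in triage_inventory(SAMPLE_INVENTORY, SAMPLE_ADVISORIES).items():
        print(f"{host}: {', '.join(findings) if findings else 'no missing fixes'}")
```

The comparison is done per branch rather than on the raw string because a higher build number on an older branch (12.1-65.10) says nothing about whether a fix shipped on a newer branch (13.0-58.x); each branch has its own cut-off. Hosts whose branch is absent from the table are reported separately rather than treated as patched, which is the case that matters most for out-of-support appliances.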