Threat Watch

Hackers Exploit Critical Citrix ADC and Gateway Zero-day

According to Citrix, nation-state threat actors are actively exploiting a zero-day in Citrix ADC and Citrix Gateway. The vulnerability, CVE-2022-27518, allows unauthenticated attackers to execute commands remotely on vulnerable devices and take control of them. It impacts the following versions of Citrix ADC and Citrix Gateway:

  • Citrix ADC and Citrix Gateway 13.0 before 13.0-58.32
  • Citrix ADC and Citrix Gateway 12.1 before 12.1-65.25
  • Citrix ADC 12.1-FIPS before 12.1-55.291
  • Citrix ADC 12.1-NDcPP before 12.1-55.291

The above versions are impacted only if the appliances are configured as a SAML SP (SAML service provider) or SAML IdP (SAML identity provider). Admins can determine how the device is configured by inspecting the “ns.conf” file for the commands “add authentication samlAction” and “add authentication samlIDPProfile.” If these configurations are found, patches need to be applied as soon as possible.
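
The two conditions above (an affected build and a SAML SP or IdP configuration) can be checked together. The following is an added example, not code from Citrix or from the original article. It assumes the caller supplies the branch and build as separate strings and the contents of ns.conf as text; the function names and the sample configuration are hypothetical.

```python
import re

# First fixed build per branch, as listed in the advisory text above.
FIXED_BUILDS = {
    "13.0": (58, 32),
    "12.1": (65, 25),
    "12.1-FIPS": (55, 291),
    "12.1-NDcPP": (55, 291),
}

# The two ns.conf commands named above; matched case-insensitively.
SAML_RE = re.compile(
    r"^\s*add\s+authentication\s+(samlAction|samlIDPProfile)\b", re.IGNORECASE)


def saml_lines(ns_conf_text):
    """Return the ns.conf lines that configure a SAML SP or SAML IdP."""
    return [ln.strip() for ln in ns_conf_text.splitlines() if SAML_RE.match(ln)]


def is_vulnerable_build(branch, build):
    """True if build (e.g. "58.4") precedes the fixed build; None if branch is not listed."""
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        return None
    # Compare as integer pairs: "58.4" is older than "58.32", which a
    # string or float comparison would get wrong.
    major, minor = (int(part) for part in build.split("."))
    return (major, minor) < fixed


def assess(ns_conf_text, branch, build):
    """Patch is urgent only when both conditions from the advisory hold."""
    hits = saml_lines(ns_conf_text)
    vulnerable = is_vulnerable_build(branch, build)
    return {"saml_lines": hits, "vulnerable_build": vulnerable,
            "patch_now": bool(hits) and vulnerable is True}


# Constructed sample ns.conf fragment (not taken from a real appliance).
SAMPLE = """\
add authentication samlAction sp_example
add authentication ldapAction ldap_example
add authentication samlIDPProfile idp_example
"""

if __name__ == "__main__":
    print(assess(SAMPLE, "13.0", "52.24"))
```

A `vulnerable_build` of `None` means the branch is not one of the four listed in this article, so the result says nothing about that appliance.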


Citrix has already released patches for all of the affected devices and warns that they should be updated immediately. Anyone running a version older than those listed above should also update to the latest version, which will protect them from this vulnerability and potentially other vulnerabilities. According to the NSA, this vulnerability is under active exploitation by APT5, a Chinese threat actor that is known for utilizing zero-days in their attacks. Although this is the only group known to be exploiting the vulnerability, we will likely see other groups begin to carry out attacks this way now that the vulnerability has been disclosed.