Thousands of Citrix ADC and Gateway deployments exposed on the Internet were found to still be vulnerable to two critical-severity vulnerabilities that have recently been patched. Together, the two vulnerabilities allow threat actors to perform remote command execution on vulnerable devices without a password, effectively giving them control of the systems.
The two flaws discovered to be exploitable on thousands of systems are CVE-2022-27510 and CVE-2022-27518. The first vulnerability is an authentication bypass, and the second vulnerability allows unauthenticated attackers to perform command execution. The vulnerabilities have had patches released for them since November 8th and December 13th, respectively.
Of the 28,000 Citrix servers discovered on the Internet, 3,500 were found vulnerable to CVE-2022-27518 and over 1,000 vulnerable to CVE-2022-27510. An additional 3,000 servers were found to be vulnerable to both flaws, based on the version number of the running Citrix application. CVE-2022-27518 has been seen exploited by threat actors in the wild, underscoring the criticality of the patches released by Citrix.