article featured image


Citrix urgently advises administrators to install security updates for Citrix ADC and Gateway due to a “Critical” zero-day vulnerability (CVE-2022-27518) that is being actively exploited by state-sponsored hackers to access business networks.

The vulnerability allows unauthorized threat actors to execute commands remotely and take over vulnerable devices.

Being actively exploited in attacks, Citrix is warning security admins to install the latest update “as soon as possible”.

Which Citrix Versions are Affected?

The Citrix ADC and Citrix Gateway Versions affected by the vulnerability are:

  • Citrix ADC and Citrix Gateway 13.0 before 13.0-58.32
  • Citrix ADC and Citrix Gateway 12.1 before 12.1-65.25
  • Citrix ADC 12.1-FIPS before 12.1-55.291
  • Citrix ADC 12.1-NDcPP before 12.1-55.291

However, the versions mentioned above are impacted only if the appliances are configured as a SAML SP (SAML service provider) or SAML IdP (SAML identity provider)

By checking the “ns.conf” file for two commands (“add authentication samlAction”, “add authentication samlIdPProfile”), administrators can determine how the device is configured.

Version 13.1 of Citrix ADC and Citrix Gateway is not impacted by CVE-2022-27518, hence updating to it resolves the security issue.

It is advised that users of earlier builds update to the most recent 12.0 ( or 13.0 branch builds ( Citrix ADC FIPS and Citrix ADC NDcPP should also be upgraded to versions 12.1-55.291 or later.

Users of Citrix-managed cloud services don’t need to do anything because the provider has already taken the necessary corrective action. Additionally, Citrix’s “best practices” for ADC appliances should be consulted by system administrators, and they should follow the vendor’s security guidelines.

Hackers Exploiting the Vulnerability

Citrix has not shared any details on how the vulnerability is abused by threat actors so far, but NSA shared that the state-sponsored APT5 hackers (aka UNC2630 and MANGANESE) have started exploiting the vulnerability in their attacks.

In a coordinated disclosure, the NSA published an “APT5: Citrix ADC Threat Hunting Guidance” including advice on securing Citrix ADC and Gateway devices as well as information on determining whether a device has been exploited.

As such, NSA, in collaboration with partners, has developed this threat-hunting guidance to provide steps organizations can take to look for possible artifacts of this type of activity. Please note that this guidance does not represent all techniques, tactics, or procedures (TTPs) the actors may use when targeting these environments.


According to BleepingComputer, APT5, an advanced persistent threat group, is believed to be a Chinese state-sponsored hacking group, notorious for exploiting zero-days in VPN devices to gain access and steal sensitive data.

If you liked this article, follow us on LinkedIn, Twitter, Facebook, Youtube, and Instagram for more cybersecurity news and topics.


Author Profile

Cristian Neagu


linkedin icon

Cristian is a Content Editor & Creator at Heimdal®, where he developed a deep understanding of the digital threat landscape. His style resonates with both technical and non-technical readers, proof being in his skill of communicating cybersecurity norms effectively, in an easy-to-understand manner.

Leave a Reply

Your email address will not be published. Required fields are marked *