"Thousands of Citrix Servers Vulnerable to Patched Critical Flaws"

Thousands of Citrix ADC and Gateway deployments are still vulnerable to two critical-severity security flaws that the vendor fixed in recent months.

The first vulnerability, tracked as CVE-2022-27510, was patched on November 8. It is an authentication bypass affecting both Citrix products; an attacker could use it to gain unauthorized access to the device, perform a remote desktop takeover, or circumvent the login brute-force protection.

The second flaw, tracked as CVE-2022-27518, was disclosed and patched on December 13. Exploiting it allows unauthenticated attackers to achieve Remote Command Execution (RCE) and take control of affected devices. Threat actors were already abusing this vulnerability before Citrix released the patch.

Although most public-facing Citrix endpoints have been updated to a secure version, NCC Group's Fox-IT team reports that thousands remain exposed to attack. On November 11, Fox-IT analysts scanned the web and found 28,000 Citrix servers online. Because the servers' HTTP responses did not contain a version number, the researchers had to determine the version another way in order to estimate how many of the exposed hosts were vulnerable to the two flaws. The responses did contain MD5 hash-like parameters that could be matched to Citrix ADC and Gateway product versions, so the team downloaded and deployed every Citrix ADC version available from Citrix, Google Cloud Marketplace, Amazon Web Services (AWS), and Azure on virtual machines (VMs) and mapped the hashes to versions.

More than 1,000 servers are vulnerable to CVE-2022-27510, and about 3,000 endpoints may be vulnerable to both flaws. This article continues to discuss the exposure of thousands of Citrix ADC and Gateway deployments to two critical-severity security issues.
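The hash-to-version matching described above, written as an added example for an asset owner checking their own appliance's build (this is not Fox-IT's or Citrix's code). The fingerprint table, the minimum patched builds per branch, and the sample login-page response are all constructed placeholders; a real table is built the way the researchers did, by recording the token each deployed build emits, and the real fixed builds come from the Citrix advisory.

```python
import re

# Constructed fingerprint table: MD5-like token observed in the login page -> build.
# PLACEHOLDER hashes; populate from your own deployments of each build.
FINGERPRINTS = {
    "0123456789abcdef0123456789abcdef": "13.0-88.14",
    "fedcba9876543210fedcba9876543210": "12.1-65.21",
}

# PLACEHOLDER minimum patched build per release branch; take real values from the advisory.
PATCHED_MIN = {
    "13.0": "13.0-88.14",
    "12.1": "12.1-65.25",
}

HASH_RE = re.compile(r"\b[0-9a-f]{32}\b")


def parse_version(version):
    """'13.0-88.14' -> (13, 0, 88, 14) so builds compare numerically, not as strings."""
    return tuple(int(part) for part in re.split(r"[.-]", version))


def extract_hashes(body):
    """Return every 32-hex-char token found in an HTTP response body."""
    return sorted(set(HASH_RE.findall(body)))


def fingerprint_version(body, table=FINGERPRINTS):
    """Map the first known token in the body to a build, or None if nothing matches."""
    for token in extract_hashes(body):
        if token in table:
            return table[token]
    return None


def assess(body, table=FINGERPRINTS, patched=PATCHED_MIN):
    """Classify a response as patched / vulnerable / unknown against the per-branch minimum."""
    version = fingerprint_version(body, table)
    if version is None:
        return {"version": None, "status": "unknown"}
    minimum = patched.get(version.split("-")[0])
    if minimum is None:
        return {"version": version, "status": "unknown-branch"}
    ok = parse_version(version) >= parse_version(minimum)
    return {"version": version, "status": "patched" if ok else "vulnerable"}


# Constructed sample response: a cache-busting token on a login-page script reference.
SAMPLE_RESPONSE = (
    '<html><head><script src="/vpn/js/login.js?v=fedcba9876543210fedcba9876543210">'
    "</script></head><body>Gateway</body></html>"
)

if __name__ == "__main__":
    print(assess(SAMPLE_RESPONSE))
```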

Bleeping Computer reports "Thousands of Citrix Servers Vulnerable to Patched Critical Flaws"
