"State-Sponsored Attackers Actively Exploiting RCE in Citrix Devices, Patch ASAP! (CVE-2022-27518)"

The National Security Agency (NSA) has warned that a Chinese state-sponsored group is exploiting an unauthenticated Remote Code Execution (RCE) flaw, tracked as CVE-2022-27518, to compromise Citrix Application Delivery Controller (ADC) deployments. Compromising Citrix ADCs can facilitate illegitimate access to targeted organizations through the circumvention of normal authentication controls. The flaw results from vulnerable devices' software failing to maintain control over a resource throughout its creation, use, and release, thus allowing remote attackers to execute arbitrary code on vulnerable appliances without prior authentication. The zero-day vulnerability impacts both Citrix ADC and Citrix Gateway.

Citrix ADC is typically used to provide load-balanced, secure remote access to Citrix Virtual Apps and Desktops applications. Citrix Gateway is a secure remote access solution that includes identity and access management capabilities as well as Single Sign-On (SSO) for various hosted applications. The NSA has published threat-hunting guidance for organizations to determine whether their Citrix ADC environments have been compromised. The agency has linked the attacks to APT5, also known as UNC2630 and MANGANESE. APT5 has been targeting and breaching organizations in a variety of industries, particularly telecommunications and technology firms, for over a decade. Previously, the group was known to exploit vulnerabilities in Virtual Private Network (VPN) products from Fortinet, Palo Alto Networks, and Pulse Secure.

This article continues to discuss the discovery and exploitation of the RCE vulnerability impacting Citrix ADC and Citrix Gateway appliances.

Help Net Security reports "State-Sponsored Attackers Actively Exploiting RCE in Citrix Devices, Patch ASAP! (CVE-2022-27518)"