Hackers Actively Exploiting Citrix ADC and Gateway Zero-Day Vulnerability

The U.S. National Security Agency (NSA) on Tuesday said a threat actor tracked as APT5 has been actively exploiting a zero-day flaw in Citrix Application Delivery Controller (ADC) and Gateway to take over affected systems.

The critical remote code execution vulnerability, identified as CVE-2022-27518, could allow an unauthenticated attacker to execute commands remotely on vulnerable devices and seize control.

Successful exploitation, however, requires that the Citrix ADC or Citrix Gateway appliance is configured as a SAML service provider (SP) or a SAML identity provider (IdP).

The following supported versions of Citrix ADC and Citrix Gateway are affected by the vulnerability -

• Citrix ADC and Citrix Gateway 13.0 before 13.0-58.32
• Citrix ADC and Citrix Gateway 12.1 before 12.1-65.25
• Citrix ADC 12.1-FIPS before 12.1-55.291
• Citrix ADC 12.1-NDcPP before 12.1-55.291

Citrix ADC and Citrix Gateway versions 13.1 are not impacted. The company also said there are no workarounds available "beyond disabling SAML authentication or upgrading to a current build."

The virtualization services provider said it's aware of a "small number of targeted attacks in the wild" using the flaw, urging customers to apply the latest patch to unmitigated systems.

APT5, also known as Bronze Fleetwood, Keyhole Panda, Manganese, and UNC2630, is believed to operate on behalf of Chinese interests. Last year, Mandiant revealed espionage activity targeting verticals that aligned with government priorities outlined in China's 14th Five-Year Plan.

Those attacks entailed the abuse of a then-disclosed flaw in Pulse Secure VPN devices (CVE-2021-22893, CVSS score: 10.0) to deploy malicious web shells and exfiltrate valuable information from enterprise networks.

"APT5 has demonstrated capabilities against Citrix Application Delivery Controller deployments," NSA said. "Targeting Citrix ADCs can facilitate illegitimate access to targeted organizations by bypassing normal authentication controls."

Microsoft, last month, pointed out Chinese threat actors' history of discovering and using zero days to their advantage before being picked up by other adversarial collectives in the wild.

News of the Citrix bug also comes a day after Fortinet revealed a severe vulnerability that also facilitates remote code execution in FortiOS SSL-VPN devices (CVE-2022-42475, CVSS score: 9.3).

VMWare releases updates for code execution vulnerabilities

In a related development, VMware disclosed details of two critical flaws impacting ESXi, Fusion, Workstation, and vRealize Network Insight (vRNI) that could result in command injection and code execution.

• CVE-2022-31702 (CVSS score: 9.8) - Command injection vulnerability in vRNI
• CVE-2022-31703 (CVSS score: 7.5) - Directory traversal vulnerability in vRNI
• CVE-2022-31705 (CVSS score: 5.9/9.3) - Heap out-of-bounds write vulnerability in EHCI controller

"On ESXi, the exploitation is contained within the VMX sandbox whereas, on Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed," the company said in a security bulletin for CVE-2022-31705.