Citrix repairs critical Gateway and ADC zero-day exploited by attackers

Citrix strongly urges administrators to update security patches for a Citrix ADC or Gateway vulnerability that could allow remote attackers to gain control over a device.

CVE-2022–27518 is the new vulnerability. It allows unauthenticated attackers to remotely execute commands on the appliance.

Citrix warns administrators to update the software as soon as they can, as this vulnerability has been used in an attack.

Citrix mentions that “we are aware of some targeted attacks in nature using this vulnerability,” in the , which is included with .

Customers who have an affected build that uses a SAML SP configuration or IdP configuration should immediately install the recommended builds. This vulnerability is critical. This vulnerability does not have a workaround. – Citrix.

This vulnerability affects the Citrix Gateway and Citrix ADC versions:

  • Citrix ADC & Citrix Gateway before 13.0-58.32
  • Citrix ADC & Citrix Gateway 12.1 Before 12.1-65.25
  • Citrix ADC 1.2.1-FIPS prior to 12.1-55.291
  • Citrix ADC 1.2.1-NDcPP Before 12.1-55.291

These versions will only be affected if appliances are set up as either a SAML SP ( SAML provider), or a SAML IDP ( SAML provider).

Administrators will be able to determine the configuration of the device by looking at the file “ns.conf”. The following commands can also be used:

add authentication samlAction

add authentication samlIdPProfile

Administrators are advised to immediately upgrade their devices in the event of any of these configuration operations.

Citrix ADC version 1.3.1 and Citrix gateway 13.1 are unaffected by CVE-2022-257518. Therefore, upgrading to them solves this security issue.

It is recommended that older versions be upgraded to the most current build ( and 13.0 branches (

Citrix AVDC FIPS, Citrix AVDC NDcPP must be upgraded to version 12.1-55.291.

Citrix cloud service users don’t need to do anything, since the vendor already took the necessary remediation steps.

System administrators are encouraged to review regarding ADC appliances, and follow the vendor’s security recommendations.

Attacks on Citrix ADC

Citrix does not have any information on the new vulnerability, but hackers used similar security vulnerabilities in past attacks to gain initial access to corporate networks and ransomware to steal data.

CVE-2019-197781, which is a remote code execution flaw, was found in Citrix ADC, Citrix Gateway, and became quickly targeted (1), (2), state-supported APTs and opportunistic hackers that utilized mitigation bypasses and many more.

Exploitation was so widespread that not to use their Citrix ADC or Citrix Gateway until security updates could be applied by admins.