Software company Citrix is warning organizations of an actively attacked zero-day vulnerability in Citrix ADC and Citrix Gateway that could allow an attacker to take over vulnerable systems remotely. Organizations are called upon to immediately install the security updates that have been made available.
Citrix ADC is an appliance that organizations place between their servers and the Internet. Its primary function is to distribute incoming traffic across the available servers so that websites and applications stay fast and available. The higher-tier editions also offer protection against DoS attacks and a web application firewall. Via the Citrix Gateway, employees can remotely access corporate applications, corporate environments and intranets, which is why it is often used for working from home.
While the Citrix ADC is a separate device, the Gateway is a software solution that organizations must install on a server. The vulnerability that Citrix is now warning of, designated CVE-2022-27518, could allow an unauthenticated remote attacker to execute arbitrary code on the system. The only requirement is that the Citrix ADC or Citrix Gateway is configured as a SAML Service Provider or a SAML identity provider.
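The exposure condition above (SAML Service Provider or SAML Identity Provider configured) is something an administrator can check in the appliance's running configuration. The following is an added example, not code from the article or from Citrix; it assumes that a SAML SP shows up in `ns.conf` as an `add authentication samlAction` line and a SAML IdP as an `add authentication samlIdPProfile` line, which is my recollection of the NetScaler CLI rather than a fact stated on the page.

```python
import re

# Assumed NetScaler CLI directives that mark the SAML roles named in the
# advisory. The directive names are an assumption, not taken from the article.
SAML_DIRECTIVES = {
    "sp": re.compile(r"^\s*add\s+authentication\s+samlAction\b", re.IGNORECASE),
    "idp": re.compile(r"^\s*add\s+authentication\s+samlIdPProfile\b", re.IGNORECASE),
}


def saml_roles(ns_conf_text: str) -> set:
    """Return the SAML roles ('sp', 'idp') configured in an ns.conf dump."""
    roles = set()
    for line in ns_conf_text.splitlines():
        # ns.conf comment lines start with '#'; they never configure anything.
        if line.lstrip().startswith("#"):
            continue
        for role, pattern in SAML_DIRECTIVES.items():
            if pattern.match(line):
                roles.add(role)
    return roles


def assess(ns_conf_text: str) -> dict:
    """Summarise whether the CVE-2022-27518 precondition (any SAML role) is met."""
    roles = saml_roles(ns_conf_text)
    return {"saml_roles": sorted(roles), "precondition_met": bool(roles)}


# Constructed sample configurations (not captured from a real appliance).
SAMPLE_SP = """\
# constructed ns.conf excerpt: Gateway acting as SAML Service Provider
add ns ip 10.0.0.10 255.255.255.0 -type SNIP
add authentication samlAction saml_corp_idp -samlIdPCertName idp_cert -samlRedirectUrl "https://idp.example/sso"
add authentication vserver auth_vs SSL 10.0.0.20 443
"""

SAMPLE_LB_ONLY = """\
# constructed ns.conf excerpt: plain load balancer, no SAML configured
add lb vserver web_vs HTTP 10.0.0.30 80
bind lb vserver web_vs web_svc
"""

if __name__ == "__main__":
    for name, conf in (("sp", SAMPLE_SP), ("lb_only", SAMPLE_LB_ONLY)):
        print(name, assess(conf))
```

A result with `precondition_met` set to true means the appliance matches the configuration Citrix describes as affected and should be patched first and reviewed against the NSA guidance mentioned below.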
Citrix states that attackers are already exploiting the vulnerability. Because a compromised system can serve as a foothold for further attacks, Citrix recommends installing the released security updates as soon as possible. In addition, the US intelligence agency NSA has published guidance on recognizing Citrix installations that have already been compromised. According to the NSA, the zero-day attacks were carried out by an espionage group referred to as APT5.