
Numerous Citrix servers may be vulnerable to attack

According to security researchers, thousands of Citrix Application Delivery Controller (ADC) and Gateway servers have still not been patched against two critical vulnerabilities that Citrix fixed at the end of 2022.

In November 2022 Citrix fixed a vulnerability it described as “Unauthorized access to Gateway user capabilities,” now tracked as CVE-2022-27510. Both products are affected when configured as a Gateway (SSL VPN, ICA proxy, CVPN or RDP proxy) or as an AAA virtual server: a remote, unauthenticated attacker can bypass authentication and reach functionality that should only be available to logged-in users. The same bulletin fixed two separate, lower-severity issues, a remote desktop takeover via phishing (CVE-2022-27513) and a bypass of the appliance’s brute-force login protection (CVE-2022-27516); these are distinct bugs and should not be confused with CVE-2022-27510.

About a month later, on 13 December 2022, the company patched a vulnerability described as “Unauthenticated remote arbitrary code execution,” tracked as CVE-2022-27518. It affects appliances configured as a SAML service provider (SP) or SAML identity provider (IdP). An attacker who reaches such an appliance can run code on it without any credentials and install malware on the device.

Forewarning from the NSA

Researchers from NCC Group’s Fox-IT team note that both vulnerabilities carry a CVSS severity score of 9.8/10, and that at least one of them, CVE-2022-27518, has been exploited in the wild as a zero-day.

The US National Security Agency (NSA) published threat-hunting guidance for this zero-day on the same day the patch was released, 13 December, stating that APT5, a hacking group assessed to be backed by the Chinese government, was actively exploiting it.

In Citrix’s own blog post on the patch, chief security and trust officer Peter Lefkowitz wrote that “limited exploits of this vulnerability have been reported,” without giving the number of attacks or the industries affected.

This threat actor group, also tracked as Manganese, appears to deliberately target the Citrix appliances themselves as a way into a network: because the flaw gives code execution on the perimeter device without any login, the attacker does not need to steal credentials through phishing or other social engineering first.

Most exposed appliances have been patched since the fixes were made public, but the researchers still count “thousands” of vulnerable servers. Their internet scan on 11 November 2022 found roughly 28,000 Citrix ADC and Gateway servers exposed online, a population they then tracked by version to estimate how many remained unpatched.
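As an added example (not part of the original article, and not the Fox-IT researchers’ own fingerprinting code), the following Python script shows one way a defender with CLI access to an appliance can check whether its build still sits below the fixed builds for these two CVEs. The fixed-build thresholds are taken from Citrix’s bulletins for the two CVEs (CTX463706 for CVE-2022-27510 and CTX474995 for CVE-2022-27518), and should be re-checked against the current bulletin. The `show ns version` banner shape, the inference that a 12.1 appliance reporting a 55.x build is on the FIPS/NDcPP line, and the two configuration flags are assumptions of this example; the sample banners are constructed, not taken from real devices.

```python
import re

# Minimum fixed builds per release line, from Citrix bulletins CTX463706
# (November 2022, CVE-2022-27510) and CTX474995 (December 2022, CVE-2022-27518).
# Verify against the current bulletin before relying on this table. 13.1 is
# absent for CVE-2022-27518 because Citrix reported that line as unaffected.
FIXED_BUILDS = {
    "CVE-2022-27510": {
        "13.1": (33, 47),
        "13.0": (88, 12),
        "12.1": (65, 21),
        "12.1-FIPS/NDcPP": (55, 289),
    },
    "CVE-2022-27518": {
        "13.0": (58, 32),
        "12.1": (65, 25),
        "12.1-FIPS/NDcPP": (55, 291),
    },
}
SUPPORTED_RELEASES = {"13.1", "13.0", "12.1", "12.1-FIPS/NDcPP"}

# Assumed banner shape of `show ns version` on the appliance CLI, e.g.
# "NetScaler NS13.0: Build 88.12.nc, Date: Nov 1 2022, 09:01:17".
BANNER_RE = re.compile(
    r"NetScaler NS(?P<rel>\d+\.\d+): Build (?P<maj>\d+)\.(?P<min>\d+)"
)


def parse_version(banner):
    """Return (release, (build_major, build_minor)), or None if not a Citrix banner."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    release = m.group("rel")
    build = (int(m.group("maj")), int(m.group("min")))
    # Assumption: a 12.1 appliance on a 55.x build is the FIPS or NDcPP line,
    # which has its own (identical) fixed builds in both bulletins.
    if release == "12.1" and build[0] == 55:
        release = "12.1-FIPS/NDcPP"
    return release, build


def unpatched_cves(banner, gateway_or_aaa=True, saml_configured=False):
    """List the CVEs the appliance is still exposed to, given its configuration.

    gateway_or_aaa: runs a Gateway (VPN/ICA proxy/CVPN/RDP proxy) or AAA
                    virtual server; CVE-2022-27510 needs this.
    saml_configured: acts as SAML SP or IdP; CVE-2022-27518 needs this.
    """
    parsed = parse_version(banner)
    if parsed is None:
        raise ValueError(f"not a Citrix ADC/Gateway version banner: {banner!r}")
    release, build = parsed
    if release not in SUPPORTED_RELEASES:
        # e.g. 12.0 or 11.1: end-of-life, no fixed build exists for it.
        raise ValueError(f"release {release} is end-of-life; no fix available")
    exposed = []
    for cve, fixes in FIXED_BUILDS.items():
        if cve == "CVE-2022-27510" and not gateway_or_aaa:
            continue
        if cve == "CVE-2022-27518" and not saml_configured:
            continue
        if release not in fixes:
            continue  # release line not affected by this CVE (13.1 for -27518)
        if build < fixes[release]:  # tuple comparison: major first, then minor
            exposed.append(cve)
    return exposed


if __name__ == "__main__":
    # Constructed sample banners (not from real appliances): banner, gateway/AAA, SAML.
    samples = [
        ("NetScaler NS13.0: Build 88.12.nc, Date: Nov 1 2022", True, True),
        ("NetScaler NS13.0: Build 87.9.nc, Date: Sep 20 2022", True, True),
        ("NetScaler NS12.1: Build 65.21.nc, Date: Nov 1 2022", True, True),
        ("NetScaler NS13.1: Build 30.52.nc, Date: Aug 1 2022", True, False),
        ("NetScaler NS12.1: Build 55.289.nc, Date: Nov 1 2022", True, True),
    ]
    for banner, gw, saml in samples:
        print(f"{banner:55} -> {unpatched_cves(banner, gw, saml) or 'patched'}")
```

Note the asymmetry the table encodes: a 13.0 appliance on build 87.9 is already past the 58.32 fix for CVE-2022-27518 but still short of 88.12 for CVE-2022-27510, while a 12.1 appliance on 65.21 is the reverse. Checking a single “latest patch applied” date is therefore not enough; each CVE has to be compared against its own threshold for the appliance’s release line.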

The Fox-IT researchers close their write-up with: “We hope this blog helps bring more attention to these two Citrix CVEs and that our work on identifying versions helps inform future research.”