Chinese APT Actor Activity Exploiting Critical Flaw in Citrix ADC and Citrix Gateway

U.S. federal authorities are urging Citrix ADC and Citrix Gateway users to patch an unauthenticated remote code execution vulnerability that is being actively exploited by Chinese state-sponsored hackers.

The vulnerability – tracked as CVE-2022-27518 – is a critical authentication bypass vulnerability in Citrix Application Delivery Controller (ADC) and Citrix Gateway with a CVSS v3 base score of 9.8 out of 10. An unauthenticated attacker can remotely exploit the flaw to execute commands and completely compromise the system. These networking appliances are used by organizations in several industry sectors, including healthcare. Healthcare providers use these appliances to ensure the constant availability of clinical applications and electronic health records and for remote access.

Mandiant reports that a Chinese advanced persistent threat actor it tracks as APT5 (aka UNC2630 and Manganese) has been observed exploiting the vulnerability. APT5 has been in operation since at least 2007 and is a highly capable threat actor that most commonly targets companies in the telecommunications and technology sectors. The Health Sector Cybersecurity Coordination Center (HC3) says it is aware of U.S. healthcare organizations that have been compromised through exploitation of the vulnerability, although the threat actor behind these attacks has not been identified. HC3 urges all healthcare organizations to review their inventories to check whether they are using these vulnerable systems and to prioritize patching the vulnerability.

Citrix has released a patch to fix the vulnerability, which affects the following versions of Citrix ADC and Citrix Gateway:

  • Citrix ADC and Citrix Gateway 13.0 prior to version 13.0-58.32
  • Citrix ADC and Citrix Gateway 12.1 prior to version 12.1-65.25
  • Citrix ADC 12.1-FIPS prior to version 12.1-55.291
  • Citrix ADC 12.1-NDcPP prior to version 12.1-55.291

The vulnerability affects Citrix ADC and Citrix Gateway when they are configured as a Security Assertion Markup Language service provider (SAML SP) or identity provider (SAML IdP). Organizations that use Citrix ADC and Citrix Gateway can determine if they are set up as a SAML SP or SAML IdP by checking the ns.conf file for the following commands:

  • “add authentication samlAction”
  • “add authentication samlIdPProfile”

If either of these commands is present in the ns.conf file, the system in question is most likely vulnerable. In addition to patching the vulnerability, organizations should investigate to determine whether it has already been exploited. If a compromise is detected, all Citrix instances should be moved behind a Virtual Private Network (VPN), or other measures that require authorization should be implemented, and multifactor authentication should be implemented. Citrix ADC appliances that are located in environments where malicious activity is detected should be isolated and restored to the last known good state.
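The ns.conf check described above can be combined with the fixed-build list into one triage step. The following is an added example, not code from Citrix, HC3 or the original article; the function names, the `edition` parameter, the `13.0-58.30` version format as input and the sample configuration are assumptions made for illustration.

```python
import re

# Fixed builds per release branch, taken from the list in the article.
FIXED_BUILDS = {
    ("13.0", "standard"): (58, 32),
    ("12.1", "standard"): (65, 25),
    ("12.1", "fips"): (55, 291),
    ("12.1", "ndcpp"): (55, 291),
}
# The two ns.conf commands the article names as SAML SP / SAML IdP indicators.
SAML_COMMAND = re.compile(
    r'^\s*add\s+authentication\s+(samlAction|samlIdPProfile)\s+("[^"]*"|\S+)',
    re.IGNORECASE)

# Constructed sample configuration (not from a real appliance).
SAMPLE_NS_CONF = """\
add authentication ldapAction ldap_corp -serverIP 192.0.2.10
# add authentication samlAction old_sp -samlIdPCertName retired_cert
add authentication samlAction sp_portal -samlIdPCertName idp_cert
add authentication samlIdPProfile idp_apps -samlSPCertName sp_cert
"""

def saml_roles(ns_conf_text):
    """Return (line_no, role, name) for each active SAML SP/IdP definition."""
    hits = []
    for line_no, line in enumerate(ns_conf_text.splitlines(), start=1):
        m = SAML_COMMAND.match(line)  # commented-out lines start with '#' and never match
        if m:
            role = "SAML SP" if m.group(1).lower() == "samlaction" else "SAML IdP"
            hits.append((line_no, role, m.group(2).strip('"')))
    return hits

def build_is_affected(version, edition="standard"):
    """True/False for branches in the article's list, None for unlisted branches."""
    m = re.fullmatch(r"(\d+\.\d+)-(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"expected a version like 13.0-58.30, got {version!r}")
    fixed = FIXED_BUILDS.get((m.group(1), edition.lower()))
    if fixed is None:
        return None
    return (int(m.group(2)), int(m.group(3))) < fixed

def assess(ns_conf_text, version, edition="standard"):
    """Combine both checks: SAML role configured AND build older than the fix."""
    roles = saml_roles(ns_conf_text)
    affected = build_is_affected(version, edition)
    return {"saml_roles": roles, "build_affected": affected,
            "prioritize": bool(roles) and affected is True}
```

A `None` result for `build_affected` means the branch is not in the article's list and has to be checked against the vendor bulletin rather than assumed safe.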

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of