CVE-2022-27511
published 2022-06-16

Priority: P2 (63)
CVSS 3.1: 8.1 high, vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 12.05% (95.6th percentile)
Corruption of the system by a remote, unauthenticated user. The impact of this can include the reset of the administrator password at the next device reboot, allowing an attacker with SSH access to connect with the default administrator credentials after the device has rebooted.

Affected (7 ranges)

Vendor   Product                                   Version range                  Fixed in
citrix   application_delivery_management           < 13.0-85.19                   13.0-85.19
citrix   application_delivery_management           >= 13.1, < 13.1-21.53          13.1-21.53
citrix   citrix_adm                                (none listed)                  (none listed)
citrix   citrix_application_delivery_management    (none listed)                  (none listed)
citrix   citrix_application_delivery_management    >= unspecified, < 13.1-21.53   13.1-21.53
citrix   citrix_application_delivery_management    >= unspecified, < 13.0-85.19   13.0-85.19
citrix   xenserver                                 (none listed)                  (none listed)

Rows marked "(none listed)" carry no version range or fixed build in the source data.

Detection & IOCs (extracted from sources)

  • Monitor for unauthenticated remote access to the Citrix ADM management IP, particularly when it is followed by a device reboot: the exploitation path described in the advisory ends in an administrator password reset at the next reboot.
  • After exploitation and reboot, the attacker connects over SSH using the default administrator credentials. Alert on SSH logins to Citrix ADM as the default administrator account, especially within a short window after a reboot.
  • Prioritize detection on internet-exposed Citrix ADM instances; organizations with the ADM management interface reachable from the internet are at highest risk.
  • During asset inventory and scanning, flag Citrix ADM builds below 13.1-21.53 (13.1 branch) and below 13.0-85.19 (13.0 branch) as vulnerable; these are the fixed-in builds listed in the Affected table.
  • Citrix ADM 12.1 is end-of-life and receives no patches. These versions may be vulnerable but are unsupported; an upgrade to a fixed 13.0 or 13.1 build is required.
  • Citrix ADM service (cloud-managed) customers are not affected and require no action.
  • No proof-of-concept exploit was publicly available at the time of disclosure, and the vulnerability is described as hard to exploit (CVSS AC:H) despite its high severity.
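The two checks above that a defender would actually script, version triage against the fixed-in builds and correlation of a reboot with a following SSH login as the default administrator, as an added example. This code is not from the CVE page or from Citrix; the log line format, the default administrator account name (assumed to be nsroot) and the 30-minute window are assumptions made for the example, so adjust them to your environment.

```python
"""Added example: Citrix ADM triage and post-reboot admin-login correlation.

Neither the log format nor the account name comes from the advisory; both
are assumptions for illustration (see comments). The fixed builds are the
ones listed on this page for CVE-2022-27511.
"""
import re
from datetime import datetime, timedelta

# Fixed-in builds per branch, from the Affected table for CVE-2022-27511.
FIXED_BUILDS = {
    "13.0": "13.0-85.19",
    "13.1": "13.1-21.53",
}
# Branches with no fix available: 12.1 is end-of-life per the advisory.
EOL_BRANCHES = {"12.1"}


def parse_build(build: str) -> tuple:
    """'13.1-21.53' -> (13, 1, 21, 53) so builds compare numerically."""
    m = re.fullmatch(r"(\d+)\.(\d+)-(\d+)\.(\d+)", build.strip())
    if not m:
        raise ValueError(f"unrecognised Citrix build string: {build!r}")
    return tuple(int(x) for x in m.groups())


def build_status(build: str) -> str:
    """Classify a Citrix ADM build as 'vulnerable', 'fixed', 'eol' or 'unknown'."""
    parts = parse_build(build)
    branch = f"{parts[0]}.{parts[1]}"
    if branch in EOL_BRANCHES:
        return "eol"
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        return "unknown"
    return "vulnerable" if parts < parse_build(fixed) else "fixed"


# Constructed sample log lines in a generic syslog-like shape; this is NOT
# real Citrix ADM output, only the pattern the advisory describes.
SAMPLE_LOG = """\
2022-06-20T10:02:11Z adm01 kernel: system reboot initiated
2022-06-20T10:04:52Z adm01 sshd[812]: Accepted password for nsroot from 203.0.113.7 port 51234 ssh2
2022-06-20T15:30:00Z adm01 sshd[990]: Accepted publickey for ops from 10.0.0.5 port 40210 ssh2
2022-06-21T08:00:00Z adm01 sshd[1011]: Accepted password for nsroot from 10.0.0.9 port 40301 ssh2
"""

DEFAULT_ADMIN_USER = "nsroot"   # assumption: the default administrator account name
WINDOW = timedelta(minutes=30)  # assumption: how long after a reboot a login is suspicious

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+?): (.*)$")
SSH_RE = re.compile(r"Accepted (\w+) for (\S+) from (\S+) port")


def find_post_reboot_admin_logins(log_text: str, user: str = DEFAULT_ADMIN_USER,
                                  window: timedelta = WINDOW) -> list:
    """Return (host, login_time, source_ip, reboot_time) for every SSH login as
    `user` that lands within `window` after the most recent reboot of that host.
    A login long after the reboot (or before any reboot) is not reported."""
    last_reboot = {}  # host -> datetime of its most recent reboot event
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, _proc, msg = m.groups()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        if "reboot" in msg.lower():
            last_reboot[host] = when
            continue
        s = SSH_RE.search(msg)
        if not s:
            continue
        _method, login_user, src = s.groups()
        rb = last_reboot.get(host)
        if login_user == user and rb is not None and timedelta(0) <= when - rb <= window:
            hits.append((host, when, src, rb))
    return hits


if __name__ == "__main__":
    for b in ("13.0-84.10", "13.0-85.19", "13.1-20.10", "13.1-21.53", "12.1-65.35"):
        print(b, build_status(b))
    for host, when, src, rb in find_post_reboot_admin_logins(SAMPLE_LOG):
        print(f"ALERT {host}: {DEFAULT_ADMIN_USER} SSH login from {src} at {when}, "
              f"{(when - rb).seconds // 60} min after reboot at {rb}")
```

The version check compares the full four-part build numerically rather than as strings, so 13.1-9.x sorts correctly below 13.1-21.53. The correlation keys on the most recent reboot per host, which is what turns an otherwise routine administrator login into the specific post-exploitation signal the advisory describes; a login as the same account a day later, as in the last sample line, is deliberately not flagged.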

CVSS provenance

NVD, CVSS v3.1: 8.1 HIGH, CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 7.8 HIGH, AV:N/AC:L/Au:N/C:N/I:C/A:N