CVE-2022-27518
Published 2022-12-13
CVE-2022-27518: Unauthenticated remote arbitrary code execution
Severity: Critical, CVSS 3.1 base score 9.8 (vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CISA Known Exploited Vulnerability (KEV), remediation due 2023-01-03
Exploited in the wild (ITW)
EPSS: 6.93% (93.3th percentile)
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| citrix | citrix_adc | — | — |
| citrix | citrix_gateway | — | — |
| citrix | xenserver | — | — |
Detection & IOCs (extracted from sources)
- Check ns.conf for SAML configuration directives ('add authentication samlAction' or 'add authentication samlIdPProfile') to identify appliances configured as SAML SP or IdP and therefore in scope for exploitation.
- Use the NSA-published APT5: Citrix ADC Threat Hunting Guidance to detect indicators of exploitation; note that the artifacts discussed may vary based on the stage of compromise.
- Threat actor APT5 (also known as UNC2630 and MANGANESE) is actively exploiting this vulnerability against telecommunications and technology companies; prioritize hunting on Citrix ADC appliances in those sectors.
- Only customer-managed Citrix ADC and Citrix Gateway appliances configured as a SAML SP (service provider) or SAML IdP (identity provider) are exploitable; scope detection and hunting to those configurations.
- Citrix ADC and Citrix Gateway version 13.1 is NOT affected by this vulnerability.
- Customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication do not need to take action; the vulnerability only affects customer-managed appliances.
- The vulnerability is only exploitable when the appliance is configured as a SAML SP or SAML IdP; appliances not using SAML are not at risk.
- No workarounds are available for this vulnerability; patching is the only remediation (Wiz notes disabling SAML authentication as an alternative workaround only if patching is not immediately possible).
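The following is an added example, not code from any of the sources indexed on this page: a small Python scoping script that applies the ns.conf check from the first bullet. It looks for the two directives that mark a SAML SP or SAML IdP configuration and, if an appliance release string is supplied, applies the 13.1 exclusion stated above. The ns.conf sample is constructed; the object names and parameters after the directive keywords, the release-string format, and the function names are assumptions made for the example.

```python
"""Scope check for CVE-2022-27518: does an ns.conf show a SAML SP or IdP configuration?

Added example; the ns.conf lines below are constructed, not taken from a real appliance.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Directives named in the detection guidance: 'add authentication samlAction'
# marks a SAML SP configuration, 'add authentication samlIdPProfile' a SAML IdP one.
_DIRECTIVE_RE = re.compile(
    r"^\s*add\s+authentication\s+(samlAction|samlIdPProfile)\s+(\S+)",
    re.IGNORECASE,
)

# Constructed sample config. The directive keywords are the NetScaler ones from the
# guidance; the object names and parameters after them are made up for this example.
SAMPLE_NS_CONF = """\
set ns config -IPAddress 10.0.0.10 -netmask 255.255.255.0
add authentication ldapAction ldap_act -serverIP 10.0.0.5 -ldapBase "dc=example,dc=test"
add authentication samlAction saml_sp_act -samlIdPCertName idp_cert -samlRedirectUrl "https://idp.example.test/sso"
add authentication samlIdPProfile "saml_idp_prof" -samlIdPCertName idp_cert
add authentication Policy ldap_pol -rule true -action ldap_act
"""


@dataclass
class SamlScope:
    sp_actions: list = field(default_factory=list)    # samlAction object names
    idp_profiles: list = field(default_factory=list)  # samlIdPProfile object names

    @property
    def in_scope(self) -> bool:
        """Appliance is in scope only if it is configured as SAML SP or SAML IdP."""
        return bool(self.sp_actions or self.idp_profiles)


def scan_ns_conf(text: str) -> SamlScope:
    """Collect SAML SP actions and IdP profiles declared in ns.conf text."""
    scope = SamlScope()
    for line in text.splitlines():
        m = _DIRECTIVE_RE.match(line)
        if not m:
            continue
        kind, name = m.group(1).lower(), m.group(2).strip('"')
        if kind == "samlaction":
            scope.sp_actions.append(name)
        else:
            scope.idp_profiles.append(name)
    return scope


def assess(text: str, version: Optional[str] = None) -> dict:
    """Turn the scan into a triage verdict.

    `version` is an optional release string as reported by the appliance (format
    assumed here, e.g. "13.1-37.5"); the bulletin states release 13.1 is not affected.
    """
    scope = scan_ns_conf(text)
    if version is not None and version.startswith("13.1"):
        verdict = "not affected: release 13.1 is not vulnerable per the vendor bulletin"
    elif scope.in_scope:
        verdict = ("in scope: SAML SP/IdP configured; patch per vendor bulletin "
                   "and hunt with the NSA APT5 guidance")
    else:
        verdict = "out of scope: no SAML SP or IdP configuration found"
    return {
        "sp_actions": scope.sp_actions,
        "idp_profiles": scope.idp_profiles,
        "in_scope": scope.in_scope,
        "verdict": verdict,
    }


if __name__ == "__main__":
    import sys
    # Usage: python saml_scope.py /path/to/ns.conf [release]; with no args it scans the sample.
    conf = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NS_CONF
    ver = sys.argv[2] if len(sys.argv) > 2 else None
    for key, value in assess(conf, ver).items():
        print(f"{key}: {value}")
```

The script only answers the scoping question (is SAML configured, and does the 13.1 exclusion apply); it does not detect compromise. Appliances it reports as in scope still need the NSA hunting guidance applied and the vendor patch.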
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| cvelistv5 | — | 9.8 | CRITICAL | — |
| vulncheck | — | 9.8 | CRITICAL | — |
| cisa | — | 9.8 | CRITICAL | — |
CVEList
cvelistv5 · 2022-12-13 · CVSS 9.8 · CWE-664
CVE-2022-27518 [CRITICAL]: Unauthenticated remote arbitrary code execution
VulnCheck
vulncheck · 2022 · CVSS 9.8 · CWE-664
CVE-2022-27518 [CRITICAL]: Citrix Application Delivery Controller (ADC) and Gateway Authentication Bypass Vulnerability
Citrix Application Delivery Controller (ADC) and Gateway, when configured with SAML SP or IdP configuration, contain an authentication bypass vulnerability that allows an attacker to execute code as administrator.
Affected: Citrix NetScaler ADC and NetScaler Gateway
Required Action: Apply updates per vendor instructions.
Exploitation References: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://media.defense.gov/2022/Dec/13/2003131586/-1/-1/0/CSA-APT5-CITRIXADC-V1.PDF; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.prio-n.com/a-year-in-review-2022-100-vulnerabilities-you-should-prioritize/; https:/
CISA
cisa · 2022-12-13 · CVSS 9.8 · CWE-664
CVE-2022-27518 [CRITICAL]: Citrix Application Delivery Controller (ADC) and Gateway Authentication Bypass Vulnerability
Affected: Citrix Application Delivery Controller (ADC) and Gateway
Citrix Application Delivery Controller (ADC) and Gateway, when configured with SAML SP or IdP configuration, contain an authentication bypass vulnerability that allows an attacker to execute code as administrator.
Required Action: Apply updates per vendor instructions.
Notes: https://www.citrix.com/blogs/2022/12/13/critical-security-update-now-available-for-citrix-adc-citrix-gateway/; https://nvd.nist.gov/vuln/detail/CVE-2022-27518
Remediation Due Date: 2023-01-03
Citrix
vendor_citrix · 2022-12-13 · CVSS 9.8 · CWE-664
CVE-2022-27518 [CRITICAL]: Citrix ADC and Citrix Gateway Security Bulletin for CVE-2022-27518
CVE References: CVE-2022-27518
Affected Products: Citrix ADC, Citrix Gateway, XenServer
Severity: Critical
No detection rules found.
No public exploits indexed.
Tenable
blogs_tenable · 2025-08-26 · CVSS 9.2
[CRITICAL] CVE-2025-7775 Citrix RCE Zero-day
Bleepingcomputer
blogs_bleepingcomputer · 2024-05-22 · CVSS 9.8
[CRITICAL] State hackers turn to massive ORB proxy networks to evade detection
By Ionut Ilascu
Security researchers are warning that China-linked state-backed hackers are increasingly relying on a vast proxy server network created from virtual private servers and compromised online devices for cyberespionage operations.
Called operational relay box (ORBs) networks, these proxy meshes are administered by independent cybercriminals that provide access to multiple state-sponsored actors (APTs).
ORBs are similar to botnets but they may be a hybrid of commercially leased VPS services and compromised devices, including end-of-life routers and other IoT products.
The growing use of ORBs by adversaries comes with challenges in both detection and attribution as the attack infrastructure is no longer c
Tenable
blogs_tenable · 2023-10-18 · CVSS 9.4
[CRITICAL] CVE-2023-4966: Citrix NetScaler ADC and NetScaler Gateway Information Disclosure Exploited in the Wild
Tenable
blogs_tenable · 2023-07-18 · CVSS 9.8
[CRITICAL] CVE-2023-3519: Critical RCE in Netscaler ADC (Citrix ADC) and Netscaler Gateway (Citrix Gateway)
Qualys
blogs_qualys · 2022-12-29
Qualys Threat Research Unit: Threat Thursdays, December 2022
## Table of Contents
- From the Qualys Blogs
- New Tools & Techniques
- New Vulnerabilities
- Threat Thursdays Webinar
Welcome to the fourth edition of the Qualys Threat Research Unit’s (TRU) “Threat Research Thursday”, where we collect and curate notable new tools, techniques, procedures, threat intelligence, cybersecurity news, malware attacks, and more. This also happens to be the last edition for the year. Feedback on our third edition, Qualys Threat Research Thursday, is more than welcome. We would love to hear from you!
## From the Qualys Blogs
Here is a roundup of the most interesting blogs from the Qualys Research Team over the past couple of weeks:
Dissecting the Empire C2 Framework – In this blog post, we take a quick dive into Empire, a popular open-source post-exploitation fra
Sentinelone
blogs_sentinelone · 2022-12-22 · CVSS 9.8
CVE-2022-27518 [CRITICAL]: Citrix ADC and Citrix Gateway Vulnerability
A critical vulnerability has been patched in the products of Citrix. This vulnerability was reportedly exploited as a zero-day attack, and organizations should immediately fix this issue.
## About the vulnerability
On December 13, 2022, the company released a security advisory and blog for CVE-2022-27518 to address a critical RCE vulnerability in specific versions of its products, such as the Citrix ADC and Citrix Gateway versions. The blog post and advisory noted that the vulnerability had been observed in the wild, and organizations should immediately patch it.
As per the blog post, the company stated that there are no available workarounds for this vulnerability. Therefore, all customers with an impacted version (SAML SP or IDP configuration) should update immediately.
If you are a
Tenable
blogs_tenable · 2022-12-16
Cybersecurity Snapshot: Phishing Scams, Salary Trends, Metaverse Risks, Log4J Poll
Tenable
blogs_tenable · 2022-12-13 · CVSS 9.8
[CRITICAL] CVE-2022-27518: Unauthenticated RCE in Citrix ADC and Gateway
Wiz
blogs_wiz · 2022-12-13 · CVSS 9.8
CVE-2022-27518 [CRITICAL]: CVE-2022-27518 exploited in the wild by APT5: everything you need to know | Wiz Blog
On December 13, 2022, the National Security Agency (NSA) released an advisory warning of exploitation in-the-wild of Citrix products by APT5, a threat actor attributed to China. The impacted product is Citrix Application Delivery Controller (ADC), formerly known as NetScaler, which provides orchestration and automation for applications across cloud or hybrid environments. Deployments exist for AWS, Azure, GCP, and more. The vulnerability is detected by Wiz.
## What is CVE-2022-27518?
According to Citrix, this vulnerability allows an unauthenticated remote attacker to perform arbitrary code execution on the appliance. By targeting vulnerable instances of Citrix ADC, attackers can exploit this vulnerability to bypass authentication controls and obtain access to targeted organizations.
B
Sentinelone
blogs_sentinelone · 2022-11-30
SentinelOne Integrates With Amazon Security Lake to Power Cloud Investigations
SentinelOne is pleased to announce an integration with Amazon Security Lake, a new Amazon Web Services (AWS) security service that enables organizations to aggregate, store, normalize, and analyze security logs from integrated cloud and on-premises data sources and their private applications at scale. SentinelOne ingests these logs into the Singularity™ XDR Platform for threat hunting, forensics, and to help investigate and establish root cause of security alerts from Singularity Cloud Workload Security.
Amazon Security Lake stores and exports logs using the Open Cybersecurity Schema Framework (OCSF) . With support for the OCSF standard, Amazon Security Lake reduces the complexity and costs for customers to make their security solutions’ data more readily accessible, to address a wide v
- 2022-12-13: Published
- 2022-12-13: Added to CISA KEV
- Exploited in the wild