CVE-2022-27518
published 2022-12-13

CVE-2022-27518: Unauthenticated remote arbitrary code execution

Severity: Critical 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA Known Exploited Vulnerability (KEV), remediation due 2023-01-03
Exploited in the wild (ITW)
EPSS: 6.93% (93.3rd percentile)

Affected (3 ranges)

Vendor    Product          Version range    Fixed in
citrix    citrix_adc
citrix    citrix_gateway
citrix    xenserver

Detection & IOCs (extracted from sources)

  • Check ns.conf for SAML configuration directives ('add authentication samlAction' or 'add authentication samlIdPProfile') to identify appliances configured as SAML SP or IdP and therefore in scope for exploitation
  • Use the NSA-published APT5: Citrix ADC Threat Hunting Guidance to detect indicators of exploitation; note that artifacts discussed may vary based on the stage of compromise
  • Threat actor APT5 (also known as UNC2630 and MANGANESE) is actively exploiting this vulnerability against telecommunications and technology companies; prioritize hunting on Citrix ADC appliances in those sectors
  • Only customer-managed Citrix ADC and Citrix Gateway appliances configured as a SAML SP (service provider) or SAML IdP (identity provider) are exploitable; scope detection and hunting to those configurations
  • Citrix ADC and Citrix Gateway version 13.1 is NOT affected by this vulnerability
  • Customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication do not need to take action; the vulnerability only affects customer-managed appliances
  • The vulnerability is only exploitable when the appliance is configured as a SAML SP or SAML IdP; appliances not using SAML are not at risk
  • No workarounds are available for this vulnerability; patching is the only remediation (disabling SAML authentication is noted as an alternative workaround by Wiz only if patching is not immediately possible)
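The ns.conf scoping check from the first bullet, as an added example (not from the CVE record or from Citrix): it counts the SAML SP and IdP directives in a config file and reports whether the appliance is in scope. The config paths and the sample ns.conf contents are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the CVE record: scope check for CVE-2022-27518.
# An appliance is only exploitable when ns.conf configures it as a SAML SP
# ('add authentication samlAction') or SAML IdP ('add authentication samlIdPProfile').

# saml_scope FILE -> prints a verdict; exit 0 = SAML configured (in scope), 1 = not, 2 = unreadable
saml_scope() {
    conf="$1"
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    # grep -c prints the count but exits 1 on zero matches; '|| true' keeps the count
    sp=$(grep -c '^add authentication samlAction ' "$conf" || true)
    idp=$(grep -c '^add authentication samlIdPProfile ' "$conf" || true)
    if [ "$sp" -eq 0 ] && [ "$idp" -eq 0 ]; then
        echo "$conf: no SAML SP/IdP directives; out of scope for CVE-2022-27518"
        return 1
    fi
    echo "$conf: IN SCOPE; SAML SP actions=$sp, SAML IdP profiles=$idp; patch (or disable SAML if patching must wait)"
    # Show the matching directives so the reviewer can see which objects use SAML
    grep -E '^add authentication (samlAction|samlIdPProfile) ' "$conf"
    return 0
}

# Constructed sample configs (not real appliance output) so the check runs offline.
write_samples() {
    cat > /tmp/ns_saml.conf <<'EOF'
add authentication samlAction SAML_SP_EXAMPLE -samlIdPCertName idp_cert -samlRedirectUrl "https://idp.example.test/sso"
add authentication samlIdPProfile SAML_IDP_PROF -samlIdPCertName adc_cert -samlSPCertName sp_cert
add vpn vserver vpn_gw SSL 10.0.0.1 443
EOF
    cat > /tmp/ns_nosaml.conf <<'EOF'
add authentication ldapAction LDAP_ACT -serverIP 10.0.0.5 -ldapBase "dc=example,dc=test"
add vpn vserver vpn_gw SSL 10.0.0.1 443
EOF
}

write_samples
saml_scope /tmp/ns_saml.conf
saml_scope /tmp/ns_nosaml.conf || echo "(expected: not in scope)"
```

On a real appliance, run it against a copy of /nsconfig/ns.conf taken during incident triage, and follow up on any in-scope host with the NSA APT5 hunting guidance cited above.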

CVSS provenance

Source       Version   Score   Severity   Vector
nvd          v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvelistv5              9.8     CRITICAL
vulncheck              9.8     CRITICAL
cisa                   9.8     CRITICAL