- 300/2022
- Critical
Citrix has released security updates to fix a critical zero-day vulnerability in Citrix ADC and Citrix Gateway.
The severity of the addressed vulnerability could allow the remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests to gain access to the affected products.
Citrix ADC and Gateway code execution (CVE-2022-27518):
• CVSS: 9.8
• Attack Vector: Network
• Attack Complexity: Low
• Privileges Required: None
• User Interaction: None
• Consequences: Gain Access
The affected versions of Citrix ADC and Citrix Gateway:
• Citrix ADC and Citrix Gateway 13.0 before 13.0-58.32
• Citrix ADC and Citrix Gateway 12.1 before 12.1-65.25
• Citrix ADC 12.1-FIPS before 12.1-55.291
• Citrix ADC 12.1-NDcPP before 12.1-55.291
It should be highlighted that Citrix is aware that this vulnerability was exploited in the wild by state-sponsored attackers.
Vulnerabilities
- CVE-2022-27518
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.