Dive Brief:
- Federal cyber authorities on Tuesday urged organizations to patch a critical vulnerability in Citrix ADC (application delivery controller) and Citrix Gateway.
- The remote code execution vulnerability, CVE-2022-27518, is being actively exploited in the wild, Citrix said in a security update. It has a CVSS score of 9.8.
- The National Security Agency issued a cybersecurity advisory on Tuesday attributing exploitation of the vulnerability to APT5. The threat actor has suspected ties to China and has been active since at least 2007, according to Mandiant.
Dive Insight:
Citrix on Tuesday released patches to address the vulnerability, which affects Citrix ADC and Citrix Gateway versions 12.1 and 13.0.
There are no workarounds available for the vulnerability, and Citrix urged customers to install the updates immediately. The vulnerability only applies to customer-hosted Citrix ADC or Citrix Gateway appliances.
“We are aware of a small number of targeted attacks in the wild using this vulnerability,” Peter Lefkowitz, VP and chief security and trust officer at Citrix, said in a blog post.
The NSA provided detailed threat hunting guidance to help organizations look for potential artifacts of compromise or malicious activity on impacted systems.
The agency advised organizations to investigate any positive result and noted evidence of compromise may vary based on the environment and stage of activity.
Organizations that detect potential malicious activity should move all Citrix ADC instances behind a VPN with multifactor authentication, isolate the Citrix ADC appliances to contain any malicious activity and restore to a known good state, the NSA said.
Citrix also published a deployment guide and a video to help organizations assess and remediate vulnerable instances in their environment.
The Cybersecurity and Infrastructure Security Agency last month alerted corporate administrators to three vulnerabilities, one of which also had a CVSS score of 9.8, impacting the same Citrix appliances.