Thousands of Citrix servers could be at risk of attack

Red padlock open on electric circuits network dark red background
(Image credit: Shutterstock/Chor muang)

Many Citrix ADC and Gateway servers remain vulnerable to high-severity flaws that were reportedly patched by the company weeks ago, experts have claimed.

In early November 2022, Citrix uncovered and patched an “Unauthorized access to Gateway user capabilities” flaw, since tracked as CVE-2022-27510. Affecting both products, it allows an attacker to gain authorized access to target endpoints, take over the devices remotely, and bypass the device’s brute force login protection.

Roughly a month later, in mid-December, the company fixed an “Unauthenticated remote arbitrary code execution” flaw, since tracked as CVE-2022-27518. This one allows threat actors to execute malicious code on the target endpoint, remotely.

NSA warning

Both have a 9.8/10 severity score, and at least one of them was abused in the wild as a zero-day, researchers from NCC Group’s Fox IT team claim.

In fact, the US National Security Agency (NSA) warned in early December, that a hacking collective backed by the Chinese state was exploiting the latter vulnerability as a zero-day security flaw. 

Back then, in an official blog post, chief security and trust officer at Citrix Peter Lefkowitz claimed that “limited exploits of this vulnerability have been reported,” but did not elaborate on the number of attacks or the industries involved.

Sometimes referred to as Manganese,  this group of threat actors has apparently explicitly targeted networks running these Citrix applications to break through organizational security without first having to steal credentials via social engineering and phishing attacks. 

The researchers have also said that while the majority of endpoints had been patched since the release of the fixes, there are “thousands” of vulnerable servers out there. As of November 11 2022, at least 28,000 Citrix servers were found to have been at risk.

“We hope this blog creates extra awareness for these two Citrix CVEs and that our research on version identification contributes to future studies,” the researchers concluded.

Via: BleepingComputer

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.