CVE-2022-27518 exploited in the wild by APT5: everything you need to know

Detect and mitigate CVE-2022-27518, a Citrix ADC and Gateway unauthenticated RCE 0-day exploited in the wild by a nation state actor. Organizations should patch urgently.

2 minutes read

On December 13, 2022, the National Security Agency (NSA) released an advisory warning of exploitation in-the-wild of Citrix products by APT5, a threat actor attributed to China. The impacted product is Citrix Application Delivery Controller (ADC), formerly known as NetScaler, which provides orchestration and automation for applications across cloud or hybrid environments. Deployments exist for AWS, Azure, GCP, and more. The vulnerability is detected by Wiz.

What is CVE-2022-27518?

According to Citrix, this vulnerability allows an unauthenticated remote attacker to perform arbitrary code execution on the appliance. By targeting vulnerable instances of Citrix ADC, attackers can exploit this vulnerability to bypass authentication controls and obtain access to targeted organizations.

Based on the information released by Citrix, this 0-day vulnerability only impacts older versions of Citrix products. Even though a fix for CVE-2022-27518 has only been made available today, all versions of the affected product released during the past 2 years are not in fact vulnerable.

Wiz Research data: how many organizations are vulnerable?       

Based in our data, less than 1% of cloud enterprise environments are vulnerable to this 0-day.

What sort of exploitation has been identified in the wild?

According to the NSA and Citrix, this vulnerability is being actively exploited by APT5 (also known as UNC2630 and MANGANESE), a Chinese state-backed threat actor that has been known to target telecommunications and technology companies and has previously exploited vulnerabilities in Pulse Secure VPNs. Exact details about the exploit are not publicly available at this time, but the NSA has published guidance on detecting this malicious activity in potentially affected environments.

Which products are affected?

The following versions of Citrix ADC and Citrix Gateway (a feature-reduced offering of ADC) are affected by this vulnerability:

·       Citrix ADC and Citrix Gateway 13.0 – all versions earlier than 13.0-58.32

·       Citrix ADC and Citrix Gateway 12.1 – all versions earlier than 1-65.25

·       Citrix ADC 12.1-FIPS – all versions earlier than 12.1-55.291

·       Citrix ADC 12.1-NDcPP – all versions earlier than 12.1-55.291

Citrix ADC and Citrix Gateway version 13.1 are unaffected.

Exploitation of this vulnerability is limited to customer-managed Citrix ADC and Citrix Gateway appliances with a SAML service provider (SP) or SAML identity provider (IdP) configuration. Customers can determine if their appliances are configured as such by checking the ns.conf file for either of the following lines: add authentication samlAction or add authentication samlIdPProfile.

Which actions should security teams take?

Customers using affected versions of Citrix ADC or Citrix Gateway should either update to version 12.1-65.25, 13.0-88.16, or any 13.1 build (as this branch is unaffected by the vulnerability). Alternatively, customers can disable SAML authentication as a workaround if possible.

For customers of Citrix-managed cloud services or Citrix-managed Adaptive Authentication, no action is required.

The NSA has published APT5: Citrix ADC Threat Hunting Guidance, and customers can follow this guidance to detect indicators of exploitation in vulnerable environments.


Wiz customers can use the pre-built query and advisory in the Wiz Threat Center to search for vulnerable instances in their environment.

CVE-2022-27518 in Wiz Threat Center


Critical security update now available for Citrix ADC, Citrix Gateway

Citrix ADC and Citrix Gateway Security Bulletin for CVE-2022-27518

APT5: Citrix ADC Threat Hunting Guidance

Continue reading

Get a personalized demo

Ready to see Wiz in action?

“Best User Experience I have ever seen, provides full visibility to cloud workloads.”
David EstlickCISO
“Wiz provides a single pane of glass to see what is going on in our cloud environments.”
Adam FletcherChief Security Officer
“We know that if Wiz identifies something as critical, it actually is.”
Greg PoniatowskiHead of Threat and Vulnerability Management