CVE-2022-27518 exploited in the wild by APT5: everything you need to know

Detect and mitigate CVE-2022-27518, a Citrix ADC and Gateway unauthenticated RCE 0-day exploited in the wild by a nation state actor. Organizations should patch urgently.

2 minutes read

On December 13, 2022, the National Security Agency (NSA) released an advisory warning of exploitation in-the-wild of Citrix products by APT5, a threat actor attributed to China. The impacted product is Citrix Application Delivery Controller (ADC), formerly known as NetScaler, which provides orchestration and automation for applications across cloud or hybrid environments. Deployments exist for AWS, Azure, GCP, and more. The vulnerability is detected by Wiz.

What is CVE-2022-27518?

According to Citrix, this vulnerability allows an unauthenticated remote attacker to perform arbitrary code execution on the appliance. By targeting vulnerable instances of Citrix ADC, attackers can exploit this vulnerability to bypass authentication controls and obtain access to targeted organizations.

Based on the information released by Citrix, this 0-day vulnerability only impacts older versions of Citrix products. Even though a fix for CVE-2022-27518 has only been made available today, all versions of the affected product released during the past 2 years are not in fact vulnerable.

Wiz Research data: how many organizations are vulnerable?       

Based in our data, less than 1% of cloud enterprise environments are vulnerable to this 0-day.

What sort of exploitation has been identified in the wild?

According to the NSA and Citrix, this vulnerability is being actively exploited by APT5 (also known as UNC2630 and MANGANESE), a Chinese state-backed threat actor that has been known to target telecommunications and technology companies and has previously exploited vulnerabilities in Pulse Secure VPNs. Exact details about the exploit are not publicly available at this time, but the NSA has published guidance on detecting this malicious activity in potentially affected environments.

Which products are affected?

The following versions of Citrix ADC and Citrix Gateway (a feature-reduced offering of ADC) are affected by this vulnerability:

·       Citrix ADC and Citrix Gateway 13.0 – all versions earlier than 13.0-58.32

·       Citrix ADC and Citrix Gateway 12.1 – all versions earlier than 1-65.25

·       Citrix ADC 12.1-FIPS – all versions earlier than 12.1-55.291

·       Citrix ADC 12.1-NDcPP – all versions earlier than 12.1-55.291

Citrix ADC and Citrix Gateway version 13.1 are unaffected.

Exploitation of this vulnerability is limited to customer-managed Citrix ADC and Citrix Gateway appliances with a SAML service provider (SP) or SAML identity provider (IdP) configuration. Customers can determine if their appliances are configured as such by checking the ns.conf file for either of the following lines: add authentication samlAction or add authentication samlIdPProfile.

Which actions should security teams take?

Customers using affected versions of Citrix ADC or Citrix Gateway should either update to version 12.1-65.25, 13.0-88.16, or any 13.1 build (as this branch is unaffected by the vulnerability). Alternatively, customers can disable SAML authentication as a workaround if possible.

For customers of Citrix-managed cloud services or Citrix-managed Adaptive Authentication, no action is required.

The NSA has published APT5: Citrix ADC Threat Hunting Guidance, and customers can follow this guidance to detect indicators of exploitation in vulnerable environments.


Wiz customers can use the pre-built query and advisory in the Wiz Threat Center to search for vulnerable instances in their environment.

CVE-2022-27518 in Wiz Threat Center


Critical security update now available for Citrix ADC, Citrix Gateway

Citrix ADC and Citrix Gateway Security Bulletin for CVE-2022-27518

APT5: Citrix ADC Threat Hunting Guidance

EVEN MORE TO DISCOVERReady to see for yourself?
“Best User Experience I have ever seen, provides full visibility to cloud workloads.”
Chipotle Logo
David EstlickCISO
“Wiz provides a single pane of glass to see what is going on in our cloud environments.”
Blackstone Logo
Adam FletcherChief Security Officer
“We know that if Wiz identifies something as critical, it actually is.”
Mars Logo
Greg PoniatowskiHead of Threat and Vulnerability Management

Continue reading

Secret-based cloud supply-chain attacks: Case study and lessons for security teams

CI/CD pipelines, as an essential part of the software development process, are an attractive target to malicious actors. Based on our research of cloud environments, we share common misconfigurations and provide tips on how to remediate them in order to prevent supply-chain attacks.

Introducing Azure Least Privilege: Enforce least privilege access for Azure environments

Wiz extends its CIEM capabilities to enable least privilege access for Azure environments.

Top Security Talks from AWS re:Invent 2022

AWS re:Invent is the largest conference of the year for Amazon Web Services (AWS) with hundreds of talks. We picked our favorite cloud security talks that are available online.