The U.S. National Security Agency (NSA) on Tuesday said a threat actor tracked as APT5 has been actively exploiting a zero-day flaw in Citrix Application Delivery Controller (ADC) and Gateway to take over affected systems.
The critical remote code execution vulnerability, identified as CVE-2022-27518, could allow an unauthenticated attacker to execute commands remotely on vulnerable devices and seize control.
Successful exploitation, however, requires that the Citrix ADC or Citrix Gateway appliance is configured as a SAML service provider (SP) or a SAML identity provider (IdP).
The following supported versions of Citrix ADC and Citrix Gateway are affected by the vulnerability -
Citrix ADC and Citrix Gateway version 13.1 is not impacted. The company also said there are no workarounds available “beyond disabling SAML authentication or upgrading to a current build.”
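The SAML precondition above can be checked offline against a saved copy of an appliance's ns.conf. The following POSIX shell snippet is an added example, not code from the article or from Citrix. It assumes that SP mode shows up in the running config as an `add authentication samlAction` command and IdP mode as an `add authentication samlIdPProfile` command (the NetScaler CLI commands that create those objects); the three sample config excerpts are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the article or Citrix): flag ADC/Gateway configs that
# are SAML SP or SAML IdP, i.e. configs that meet the CVE-2022-27518
# exploitation precondition.
#
# Assumptions (not stated on the page): ns.conf records SP mode with
# "add authentication samlAction ..." and IdP mode with
# "add authentication samlIdPProfile ...", one command per line.

# saml_role FILE -> prints "SP", "IdP" or "SP,IdP" and returns 0;
# returns 1 (prints nothing) when neither object exists.
saml_role() {
    conf="$1"
    role=""
    # -i: the NetScaler CLI treats command keywords case-insensitively.
    if grep -qi '^add authentication samlAction ' "$conf"; then
        role="SP"
    fi
    if grep -qi '^add authentication samlIdPProfile ' "$conf"; then
        role="${role:+$role,}IdP"
    fi
    if [ -n "$role" ]; then
        printf '%s\n' "$role"
        return 0
    fi
    return 1
}

# check_conf FILE -> one-line verdict for an operator; always returns 0.
check_conf() {
    if role=$(saml_role "$1"); then
        printf '%s: SAML %s configured; CVE-2022-27518 precondition met, patch or disable SAML\n' "$1" "$role"
    else
        printf '%s: no SAML SP/IdP configuration found\n' "$1"
    fi
}

# Demo on constructed ns.conf excerpts (not real customer configs).
tmp=$(mktemp -d)
cat > "$tmp/gateway_sp.conf" <<'EOF'
add authentication samlAction okta_sp -samlIdPCertName okta_cert -samlRedirectUrl "https://idp.example.com/sso"
add authentication Policy saml_pol -rule true -action okta_sp
EOF
cat > "$tmp/adc_idp.conf" <<'EOF'
add authentication samlIdPProfile corp_idp -samlIdPCertName idp_cert -assertionConsumerServiceURL "https://app.example.com/saml/acs"
add authentication samlIdPPolicy corp_idp_pol -rule true -action corp_idp
EOF
cat > "$tmp/ldap_only.conf" <<'EOF'
add authentication ldapAction ldap1 -serverIP 10.0.0.5 -ldapBase "dc=example,dc=com"
add authentication Policy ldap_pol -rule true -action ldap1
EOF
for f in "$tmp"/*.conf; do
    check_conf "$f"
done
rm -rf "$tmp"
```

Run it against a config exported with `save config` and copied off the appliance; a hit means the box is in scope for the vulnerability regardless of whether SAML is the primary login method, so it should be patched, or SAML disabled, before anything else.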
The virtualization services provider said it’s aware of a “small number of targeted attacks in the wild” using the flaw, urging customers to apply the latest patch to unmitigated systems.
APT5, also known as Bronze Fleetwood, Keyhole Panda, Manganese, and UNC2630, is believed to operate on behalf of Chinese interests. Last year, Mandiant revealed espionage activity targeting verticals that aligned with government priorities outlined in China’s 14th Five-Year Plan.
Those attacks entailed the abuse of a then-disclosed flaw in Pulse Secure VPN devices (CVE-2021-22893, CVSS score: 10.0) to deploy malicious web shells and exfiltrate valuable information from enterprise networks.
“APT5 has demonstrated capabilities against Citrix Application Delivery Controller deployments,” NSA said. “Targeting Citrix ADCs can facilitate illegitimate access to targeted organizations by bypassing normal authentication controls.”
Microsoft, last month, pointed out Chinese threat actorsβ history of discovering and using zero days to their advantage before being picked up by other adversarial collectives in the wild.
News of the Citrix bug also comes a day after Fortinet revealed a severe vulnerability that also facilitates remote code execution in FortiOS SSL-VPN devices (CVE-2022-42475, CVSS score: 9.3).
In a related development, VMware disclosed details of two critical flaws impacting ESXi, Fusion, Workstation, and vRealize Network Insight (vRNI) that could result in command injection and code execution.
“On ESXi, the exploitation is contained within the VMX sandbox whereas, on Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed,” the company said in a security bulletin for CVE-2022-31705.