Thousands of Unpatched Citrix Servers Vulnerable to Critical Flaws

Thousands of Citrix Gateway and Citrix ADC (Application Delivery Controller) appliances used across enterprises remain unpatched against two critical security vulnerabilities that Citrix fixed in recent months.

Here are the two security flaws that have been identified:

Fixed Critical Flaws

  • CVE ID: CVE-2022-27510
  • Description: Unauthorized access to Gateway user capabilities; it affects both Citrix ADC and Citrix Gateway.
  • CVSS Score: 9.8
  • Severity: CRITICAL

A malicious user may be able to exploit CVE-2022-27510 to gain unauthorized access to the device, perform a remote desktop takeover, or bypass login security measures.

  • CVE ID: CVE-2022-27518
  • Description: It’s an unauthenticated remote arbitrary code execution flaw.
  • CVSS Score: 9.8
  • Severity: CRITICAL

Using CVE-2022-27518, attackers can execute remote commands on vulnerable devices and take control of them without needing to authenticate.

When Citrix published the security update for CVE-2022-27518, it was found that threat actors were already actively exploiting the vulnerability.

Vulnerable Versions Identified

In an online scan completed by Fox-IT analysts on November 11, 2022, over 28,000 Citrix servers were found to be live on the internet.

To determine how many of the exposed servers were vulnerable to these two flaws, the researchers needed the version number of each one, and the servers' HTTP responses do not state it directly.

Instead, Citrix ADC and Citrix Gateway product versions could be identified from MD5-hash-like parameters that appear in those responses.

Where a hash could not be matched to a known version, the researchers deduced the version number from the build date calculated from the hash.

This further reduced the number of unknown versions; in general, most hashes could be associated with specific versions of specific products.
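The version-identification procedure above, as an added example that is not part of the original article or of the Fox-IT research: it extracts a hash-like token from each captured HTTP response, looks it up in a hash-to-version table, falls back to a build-date table when the exact version is unknown, and tallies how many of the captured hosts are below a fixed build. Every hash, version string, build date, patch date, URL path and the `v=` query parameter is a constructed placeholder (the article does not give the real parameter name or fixed builds); an operator would replace the tables with values from their own inventory and the vendor advisory.

```python
import re
from collections import Counter
from datetime import date

# All tables below are CONSTRUCTED placeholders for this example; none of the
# hashes, version strings, build dates or the patch date are real Citrix data.
KNOWN_VERSIONS = {
    "11111111111111111111111111111111": ("Citrix ADC", "13.0-10.1"),
    "22222222222222222222222222222222": ("Citrix ADC", "13.0-20.5"),
    "33333333333333333333333333333333": ("Citrix Gateway", "12.1-40.2"),
}
# Fallback table: hashes whose build date is known although the exact version is not.
BUILD_DATES = {
    "44444444444444444444444444444444": date(2022, 9, 1),
    "55555555555555555555555555555555": date(2022, 11, 20),
}
# Placeholder "first fixed build" per release line and placeholder advisory date.
FIXED_BUILDS = {"13.0": "13.0-20.5", "12.1": "12.1-40.2"}
PATCH_DATE = date(2022, 11, 10)

# Hypothetical: assumes the fingerprint is a 32-hex-char value in a "v=" query parameter.
HASH_RE = re.compile(r"[?&]v=([0-9a-f]{32})")


def parse_build(version):
    """'13.0-20.5' -> (13, 0, 20, 5) so that builds compare numerically, not as strings."""
    release, build = version.split("-")
    return tuple(int(x) for x in release.split(".") + build.split("."))


def extract_hash(body):
    """Return the first fingerprint token found in a response body, or None."""
    m = HASH_RE.search(body)
    return m.group(1) if m else None


def classify(body):
    """Return (status, version_label) with status in {'vulnerable', 'patched', 'unknown'}."""
    h = extract_hash(body)
    if h is None:
        return ("unknown", None)
    if h in KNOWN_VERSIONS:
        _product, version = KNOWN_VERSIONS[h]
        fixed = FIXED_BUILDS.get(version.split("-")[0])
        if fixed is None:  # release line not covered by the fixed-build table
            return ("unknown", version)
        status = "patched" if parse_build(version) >= parse_build(fixed) else "vulnerable"
        return (status, version)
    if h in BUILD_DATES:  # exact version unknown: fall back to the build date
        built = BUILD_DATES[h]
        status = "patched" if built >= PATCH_DATE else "vulnerable"
        return (status, "build-" + built.isoformat())
    return ("unknown", None)


def summarize(bodies):
    """Tally patch status and the most common versions across captured responses."""
    status_counts = Counter()
    versions = Counter()
    for body in bodies:
        status, version = classify(body)
        status_counts[status] += 1
        if version:
            versions[version] += 1
    return {"status": dict(status_counts), "top_versions": versions.most_common(5)}


# Constructed sample responses; the paths are hypothetical, not real Citrix resources.
SAMPLE_RESPONSES = [
    '<script src="/vpn/js/app.js?v=11111111111111111111111111111111"></script>',
    '<script src="/vpn/js/app.js?v=22222222222222222222222222222222"></script>',
    '<script src="/vpn/js/app.js?v=11111111111111111111111111111111"></script>',
    '<link href="/logon/style.css?v=33333333333333333333333333333333">',
    '<script src="/vpn/js/app.js?v=44444444444444444444444444444444"></script>',
    '<script src="/vpn/js/app.js?v=55555555555555555555555555555555"></script>',
    "<html><body>no fingerprint here</body></html>",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_RESPONSES))
```

Builds are compared as integer tuples rather than strings so that, for example, build 88.12 correctly sorts above build 9.99; a response with no recognisable token is reported as unknown rather than silently assumed patched.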

Below is a graph showing the top 20 active versions currently present on the internet:

The following countries were the most prompt in patching:

  • The United States
  • Germany
  • Canada
  • Australia
  • Switzerland

For this analysis, the analysts used dissect to examine disk images exported from Google Cloud Marketplace in order to identify the versions of Citrix ADC and Citrix Gateway servers.

The statistics gathered by the Fox-IT team show that much work remains to close the security gaps still present in Citrix deployments, given the critical flaws the team recently found to be unpatched.


Gurubaran is a Security Consultant, Security Editor & Co-Founder of Cyber Security News & GBHackers On Security.
