Experts say many Citrix ADC and Gateway servers are still vulnerable to serious vulnerabilities that the company reportedly fixed a few weeks ago.
In early November 2022, Citrix discovered and patched the “Unauthorized Access to Gateway User Capabilities” vulnerability, since tracked as CVE-2022-27510. By affecting both products, it allows an attacker to gain authorized access to the targeted endpoints (opens in a new tab)remotely take control of devices and bypass device protection against brute force login.
About a month later, in mid-December, the company fixed the “Unauthenticated Remote Arbitrary Code Execution” bug that was tracked as CVE-2022-27518. This allows cybercriminals to remotely execute malicious code on the targeted endpoint.
Both have a severity rating of 9.8/10, and at least one of them has been used as a zero-day in the wild, researchers from the Fox IT NCC Group team say.
In fact, the US National Security Agency (NSA) warned in early December that a Chinese state-backed hacking collective is exploiting the latter as a zero-day vulnerability.
At the time, in an official blog post, Citrix Director of Security and Trust Peter Lefkowitz stated that “limited exploitation of this vulnerability has been reported,” but did not elaborate on the number of attacks or the industries involved.
This group of cybercriminals, sometimes referred to as the Manganese, clearly targeted the networks running these Citrix applications in order to breach the organization’s security without first having to steal credentials through social engineering and phishing attacks.
The researchers also said that while most endpoints have been patched since the patches were released, there are “thousands” of vulnerable servers. As of November 11, 2022, at least 28,000 Citrix servers were at risk.
“We hope this blog will raise awareness of these two Citrix CVEs and that our version identification research will contribute to future research,” the researchers concluded.
Through: Beeping Computer (opens in a new tab)