The US security and intelligence agency NSA warns that attackers are exploiting a zero-day vulnerability in Citrix networking appliances. The exploits abuse a flaw in Citrix Application Delivery Controller (ADC) and Citrix Gateway.

According to the NSA, the threat group APT5 (also tracked as UNC2630 and MANGANESE) is actively exploiting the vulnerability tracked as CVE-2022-27518. APT5 is an espionage actor rather than a cybercrime group; it typically targets government agencies, telecommunications providers and technology companies.

The vulnerability affects Citrix ADC and Citrix Gateway 13.0 builds before 13.0-58.32 and 12.1 builds before 12.1-65.25, as well as the 12.1-FIPS and 12.1-NDcPP builds before 12.1-55.291; version 13.1 is not affected. An appliance is only exposed when it is configured as a SAML service provider (SP) or SAML identity provider (IdP). In that configuration an unauthenticated remote attacker can execute arbitrary code on the appliance, giving them a foothold on the ADC or Gateway and from there into the company network.

Citrix is aware of the vulnerability and has since released a patch. Users are advised to upgrade as soon as possible.

NSA

The NSA has published threat hunting guidance alongside the warning. It recommends that organisations running Citrix ADC work through its detection steps, investigate every suspicious hit from their monitoring systems rather than dismiss it, and regularly compare key executables on the appliance against known-good copies, because attackers commonly replace or modify binaries once they have compromised a device.

Companies are also advised to regularly snapshot their environments and carefully monitor logs to catch attack indications. If an investigation suggests an attack is taking place, the company should gate all Citrix ADCs behind a VPN or other application that requires valid user authentication (ideally multi-factor).
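The integrity check and baseline snapshot recommended above can be scripted. The following Python script is an added example, not code from the NSA guidance or from Citrix: it records a SHA-256 hash, the permission bits and the size of a list of files into a manifest, and later reports every file whose content, permissions or presence deviates from that manifest. The file names in the demonstration are invented and are not real ADC paths; the script itself is generic and works on any host with a Python interpreter.

```python
"""Baseline-and-compare integrity check for a set of executables (added example).

Records SHA-256, permission bits and size for each listed file, saves that
manifest, and later flags files whose content, mode or presence changed.
The file names used in demo() are invented for the demonstration.
"""
import hashlib
import json
import os
import stat
import tempfile


def sha256_file(path, chunk=65536):
    """Stream the file through SHA-256 so large binaries are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root, relpaths):
    """Return {relative path: {sha256, mode, size}} for each file under root."""
    manifest = {}
    for rel in relpaths:
        full = os.path.join(root, rel)
        st = os.stat(full)
        manifest[rel] = {
            "sha256": sha256_file(full),
            "mode": stat.S_IMODE(st.st_mode),  # includes setuid/setgid/sticky bits
            "size": st.st_size,
        }
    return manifest


def compare_to_baseline(root, manifest):
    """Return {relative path: finding} for every deviation from the manifest.

    Findings: "missing" (file gone), "modified" (content hash differs),
    "mode_changed" (same content, different permission bits, e.g. a new setuid bit).
    Files that match on all counts are not reported.
    """
    findings = {}
    for rel, expected in manifest.items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            findings[rel] = "missing"
            continue
        if sha256_file(full) != expected["sha256"]:
            findings[rel] = "modified"
        elif stat.S_IMODE(os.stat(full).st_mode) != expected["mode"]:
            findings[rel] = "mode_changed"
    return findings


def save_manifest(manifest, path):
    with open(path, "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)


def load_manifest(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Constructed scenario: baseline four fake binaries, tamper with three, re-check."""
    root = tempfile.mkdtemp(prefix="integrity-demo-")
    os.makedirs(os.path.join(root, "bin"))
    fake = {  # invented names; the content stands in for an ELF binary
        "bin/intact": b"\x7fELF original content",
        "bin/replaced": b"\x7fELF original content",
        "bin/resetuid": b"\x7fELF original content",
        "bin/removed": b"\x7fELF original content",
    }
    for rel, data in fake.items():
        full = os.path.join(root, rel)
        with open(full, "wb") as f:
            f.write(data)
        os.chmod(full, 0o555)

    # The manifest is written to a separate directory: keep it off the appliance.
    manifest_path = os.path.join(tempfile.mkdtemp(prefix="baseline-"), "manifest.json")
    save_manifest(build_baseline(root, sorted(fake)), manifest_path)

    # Simulate post-compromise tampering.
    replaced = os.path.join(root, "bin/replaced")
    os.chmod(replaced, 0o755)
    with open(replaced, "wb") as f:
        f.write(b"\x7fELF original content + implanted code")  # content changed
    os.chmod(replaced, 0o555)
    os.chmod(os.path.join(root, "bin/resetuid"), 0o4555)       # setuid bit added
    os.remove(os.path.join(root, "bin/removed"))               # binary deleted

    return compare_to_baseline(root, load_manifest(manifest_path))


if __name__ == "__main__":
    for path, finding in sorted(demo().items()):
        print(f"{finding:13s} {path}")
```

Two caveats for real use. The manifest must be stored and the comparison run from outside the appliance, because an attacker who can replace binaries can just as easily edit a manifest kept on the same box; and a hash check only catches on-disk changes, so it complements rather than replaces the log review and process inspection the NSA guidance describes.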

In addition, NSA recommends companies isolate affected Citrix ADC and Gateway appliances from the rest of the IT environment to ensure malicious activity is contained. The agency urges users to report any insights and discoveries related to the vulnerability and exploits to the NSA Cybersecurity Collaboration Center.
