Skip to Content

NSA Says Hackers with Ties to China’s Government are Exploiting Citrix Vulnerability

Updated on 2022-12-19: Chinese hackers actively attacking flaw in Citrix gear

The NSA said in an advisory this week that APT5, a China-based espionage group, is exploiting a new Citrix zero-day in the wild. The advisory was designed to burn China’s ongoing activity by calling it out — and Citrix releasing patches. Citrix was generally praised for its response (even if the feds knocking on your door is an unwelcome surprise). Fortinet also patched a pre-auth RCE bug, and enterprise backup giant Veeam also confirmed it had two security flaws fixed earlier this year. Read more:

Overview: NSA Says Hackers with Ties to China’s Government are Exploiting Citrix Vulnerability

According to an advisory from the US National Security Agency (NSA), the APT5 hacking group is exploiting an authentication control bypass vulnerability in Citrix Application Delivery Controller and gateway products. The NSA’s advisory provides “guidance to provide steps organizations can take to look for possible artifacts of this type of activity.” Citrix has released an update to fix the vulnerability.


  • This impacts the 12.1 and 13.0 versions (including FIPS and NDcPP builds) where you’ve configured an IDP or SAML authentication – which most of us are using for centralized authentication. While you can apply updates to these versions, the better fix is to go to 13.1 which is not affected. Even if you don’t have the SAML/IDP configuration today, apply the update so you’re ready when and if you do. While you’re at it, review the instructions for setting up auditing of unauthorized activity, make sure you didn’t miss any tricks.
  • From an actual risk perspective, wouldn’t it be more worrisome if the headlines said, “Grade School Kids Exploiting Citrix Vulnerability”? What I’d really like to see is a headline like “Grade School Kids Already Patched Their School’s Citrix Server.”
  • You can be certain that if Chinese APT groups are exploiting these vulnerabilities, criminal gangs and ransomware groups won’t be far behind. So please don’t think that “we are not a target for an APT group” is a reason not to address this vulnerability.


    Ads Blocker Image Powered by Code Help Pro

    It looks like you are using an adblocker.

    Ads keep our content free. Please consider supporting us by allowing ads on