Skip to Content

NSA Says Hackers with Ties to China’s Government are Exploiting Citrix Vulnerability

Updated on 2022-12-19: Chinese hackers actively attacking flaw in Citrix gear

The NSA said in an advisory this week that APT5, a China-based espionage group, is exploiting a new Citrix zero-day in the wild. The advisory was designed to burn China’s ongoing activity by calling it out — and Citrix releasing patches. Citrix was generally praised for its response (even if the feds knocking on your door is an unwelcome surprise). Fortinet also patched a pre-auth RCE bug, and enterprise backup giant Veeam also confirmed it had two security flaws fixed earlier this year. Read more:

Overview: NSA Says Hackers with Ties to China’s Government are Exploiting Citrix Vulnerability

According to an advisory from the US National Security Agency (NSA), the APT5 hacking group is exploiting an authentication control bypass vulnerability in Citrix Application Delivery Controller and gateway products. The NSA’s advisory provides “guidance to provide steps organizations can take to look for possible artifacts of this type of activity.” Citrix has released an update to fix the vulnerability.


  • This impacts the 12.1 and 13.0 versions (including FIPS and NDcPP builds) where you’ve configured an IDP or SAML authentication – which most of us are using for centralized authentication. While you can apply updates to these versions, the better fix is to go to 13.1 which is not affected. Even if you don’t have the SAML/IDP configuration today, apply the update so you’re ready when and if you do. While you’re at it, review the instructions for setting up auditing of unauthorized activity, make sure you didn’t miss any tricks.
  • From an actual risk perspective, wouldn’t it be more worrisome if the headlines said, “Grade School Kids Exploiting Citrix Vulnerability”? What I’d really like to see is a headline like “Grade School Kids Already Patched Their School’s Citrix Server.”
  • You can be certain that if Chinese APT groups are exploiting these vulnerabilities, criminal gangs and ransomware groups won’t be far behind. So please don’t think that “we are not a target for an APT group” is a reason not to address this vulnerability.


Alex Lim is a certified IT Technical Support Architect with over 15 years of experience in designing, implementing, and troubleshooting complex IT systems and networks. He has worked for leading IT companies, such as Microsoft, IBM, and Cisco, providing technical support and solutions to clients across various industries and sectors. Alex has a bachelor’s degree in computer science from the National University of Singapore and a master’s degree in information security from the Massachusetts Institute of Technology. He is also the author of several best-selling books on IT technical support, such as The IT Technical Support Handbook and Troubleshooting IT Systems and Networks. Alex lives in Bandar, Johore, Malaysia with his wife and two chilrdren. You can reach him at [email protected] or follow him on Website | Twitter | Facebook

    Ads Blocker Image Powered by Code Help Pro

    Your Support Matters...

    We run an independent site that is committed to delivering valuable content, but it comes with its challenges. Many of our readers use ad blockers, causing our advertising revenue to decline. Unlike some websites, we have not implemented paywalls to restrict access. Your support can make a significant difference. If you find this website useful and choose to support us, it would greatly secure our future. We appreciate your help. If you are currently using an ad blocker, please consider disabling it for our site. Thank you for your understanding and support.