Updated on 2022-12-29
Thousands of Citrix servers still remain vulnerable to attacks due to two critical security flaws that received patches in recent months. The flaws can be abused to perform remote command execution.
Updated on 2022-12-28: Thousands of Citrix Servers Remain Unpatched
Within the past two months, Citrix has released updates to address two critical flaws: unauthorized access to gateway user capabilities (CVE-2022-27510) and unauthenticated remote arbitrary code execution (CVE-2022-27518). Despite the fact that Citrix released fixes for the flaws on November 8 (CVE-2022-27510) and December 13 (CVE-2022-27518), thousands of Citrix Application Delivery Controller (ADC) and Gateway endpoints remain unpatched.
Note
- The headline should probably read “Thousands of Citrix Servers are Compromised”. If your system is still not patched: Assume it to be compromised.
- Remember when you were certain nobody knew your stuff was not updated because “reasons?” Those days are gone, services like Shodan and Censys are really good at discovery and providing that information. Keep anything directly accessible to the Internet, including boundary protection and remote access services, at the top of your update and monitor list. If you’re not patching because you can’t get the downtime, you may want to recall that the cost of a single breach (CISA puts that at USD 10.1M for 2022) is likely more than the cost of implementing high-availability or the productivity hit for those few outages needed to stay current.
Overview: Citrix exposure
Fox-IT researchers said they found thousands of Citrix ADC and Gateway devices that are currently available online and vulnerable to CVE-2022-27518, a zero-day vulnerability that was exploited in the wild by Chinese state-sponsored hackers earlier this month. Read more: