Citrix Application Delivery Controller (ADC) and Gateway Authentication Bypass Vulnerability CVE-2022-27518
Release Date – Dec 13, 2022
CVE Details – CVE-2022-27518
Alert Severity – Critical
Affected Products –
Citrix ADC and Citrix Gateway 13.0 before 13.0-58.32
Citrix ADC and Citrix Gateway 12.1 before 12.1-65.25
Citrix ADC 12.1-FIPS before 12.1-55.291
Citrix ADC 12.1-NDcPP before 12.1-55.291
Citrix ADC and Citrix Gateway version 13.1 is unaffected.
Description –
Citrix Application Delivery Controller (ADC) and Gateway, when configured with SAML SP or IdP configuration, contain an authentication bypass vulnerability which allows an attacker to execute code as administrator.
Mitigation/Solution –
Exploits of this issue on unmitigated appliances in the wild have been reported. Citrix strongly urges affected customers of Citrix ADC and Citrix Gateway to install the relevant updated versions of Citrix ADC or Citrix Gateway as soon as possible:
- Citrix ADC and Citrix Gateway 13.0-58.32 and later releases
- Citrix ADC and Citrix Gateway 12.1-65.25 and later releases of 12.1
- Citrix ADC 12.1-FIPS 12.1-55.291 and later releases of 12.1-FIPS
- Citrix ADC 12.1-NDcPP 12.1-55.291 and later releases of 12.1-NDcPP
Please note that Citrix ADC and Citrix Gateway versions prior to 12.1 are EOL and customers on those versions are recommended to upgrade to one of the supported versions.
Multiple vulnerabilities present in VMware products
Mozilla Releases Security Update for Thunderbird – fix for CVE-2022-39249
