Critical Vulnerability in Citrix ADC and Citrix Gateway

Published on 09 Nov 2022

Updated on 09 Nov 2022

Citrix has released security updates to address a critical vulnerability (CVE-2022-27510) in Citrix Application Delivery Controller (ADC) and Citrix Gateway. The vulnerability has a Common Vulnerability Scoring System version 3 (CVSSv3) base score of 9.8 out of 10 (Critical).

The vulnerability affects only appliances that are configured as a Gateway, that is, with SSL VPN functionality enabled or deployed as an Independent Computing Architecture (ICA) proxy with authentication enabled. Appliances running only load-balancing or other non-Gateway features are not exposed to this issue. Successful exploitation could allow an unauthenticated remote attacker to bypass authentication on the Gateway (Citrix classifies the weakness as CWE-288, Authentication Bypass Using an Alternate Path or Channel).

The following versions of Citrix ADC and Citrix Gateway are affected by this vulnerability:

  • Citrix ADC and Citrix Gateway 13.1 before 13.1-33.47
  • Citrix ADC and Citrix Gateway 13.0 before 13.0-88.12
  • Citrix ADC and Citrix Gateway 12.1 before 12.1-65.21
  • Citrix ADC 12.1-FIPS before 12.1-55.289
  • Citrix ADC 12.1-NDcPP before 12.1-55.289

Administrators and users of the affected product versions are advised to upgrade immediately to the fixed builds listed above or later. Note that 12.1-FIPS and 12.1-NDcPP are separate release trains with their own fixed build (12.1-55.289), so the build number must be compared against the correct train.
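The following is an added example (not code from the advisory or from Citrix) that turns the affected-version list above into a version check a practitioner can run over the version banner an appliance prints. It assumes the banner follows the usual "NetScaler NS<release>: Build <major>.<minor>.nc" form; the sample banners at the bottom are constructed, not captured from real appliances. The check covers only the build number: whether the appliance is actually operating as a Gateway (SSL VPN or ICA proxy with authentication) has to be confirmed separately from its configuration.

```python
import re

# Release train -> first fixed build, taken from the affected-version list
# in this advisory. 12.1-FIPS and 12.1-NDcPP are separate trains whose fixed
# build (55.289) is numerically lower than the fixed build of mainline 12.1
# (65.21), so the train must be known to get a correct answer on 12.1.
FIXED_BUILDS = {
    "13.1": (33, 47),
    "13.0": (88, 12),
    "12.1": (65, 21),
    "12.1-FIPS": (55, 289),
    "12.1-NDcPP": (55, 289),
}

# Assumed banner format, e.g. "NetScaler NS13.0: Build 88.12.nc, ...".
# Adjust the pattern if your appliance prints the version differently.
VERSION_RE = re.compile(
    r"NS(?P<release>\d+\.\d+):\s*Build\s*(?P<major>\d+)\.(?P<minor>\d+)"
)


def parse_ns_version(banner):
    """Return (release, build_major, build_minor) parsed from a version banner."""
    m = VERSION_RE.search(banner)
    if m is None:
        raise ValueError("no NetScaler version string found in banner")
    return m.group("release"), int(m.group("major")), int(m.group("minor"))


def is_vulnerable(banner, train=None):
    """Compare a banner against the advisory's fixed builds.

    Returns True if the build is below the fixed build for its train, False if
    it is at or above the fixed build, and None if the release is not covered
    by the advisory at all (for example an end-of-life train, which needs a
    separate decision rather than a silent "not vulnerable").
    train is "FIPS" or "NDcPP" for those 12.1 variants, otherwise None.
    """
    release, major, minor = parse_ns_version(banner)
    key = f"{release}-{train}" if train else release
    fixed = FIXED_BUILDS.get(key)
    if fixed is None:
        return None
    # Tuple comparison orders by build major first, then minor.
    return (major, minor) < fixed


# Constructed sample banners (hypothetical, not from real appliances).
SAMPLES = [
    ("NetScaler NS13.0: Build 87.9.nc", None),
    ("NetScaler NS13.0: Build 88.12.nc", None),
    ("NetScaler NS12.1: Build 55.289.nc", "FIPS"),
    ("NetScaler NS12.1: Build 55.289.nc", None),
    ("NetScaler NS11.1: Build 65.23.nc", None),
]

if __name__ == "__main__":
    labels = {True: "VULNERABLE", False: "fixed", None: "not covered"}
    for banner, train in SAMPLES:
        verdict = labels[is_vulnerable(banner, train)]
        suffix = f" [{train}]" if train else ""
        print(f"{verdict:12} {banner}{suffix}")
```

The fourth sample shows why the train matters: a 12.1-FIPS appliance at build 55.289 is fixed, but the same banner evaluated against mainline 12.1 reads as vulnerable, because 55.289 sits below 65.21. Unlisted releases deliberately return None rather than False so that an end-of-life appliance is not reported as safe.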

More information is available at:

https://support.citrix.com/article/CTX463706/citrix-gateway-and-citrix-adc-security-bulletin-for-cve202227510-cve202227513-and-cve202227516

https://www.bleepingcomputer.com/news/security/citrix-urges-admins-to-patch-critical-adc-gateway-auth-bypass/