CVE-2022-27518 — Citrix Application Delivery Controller (ADC) and Gateway Authentication Bypass Vulnerability

Citrix ADC/Gateway — SAML Auth Bypass Enables RCE as Admin; Exploited by APT5 (China-nexus)

What is Citrix ADC/Gateway?

Citrix Application Delivery Controller (ADC), formerly NetScaler ADC, is a widely deployed enterprise application delivery and security platform providing load balancing, SSL offload, WAF functionality, and remote access VPN. Citrix Gateway (formerly NetScaler Gateway) is the VPN/remote access component, enabling secure employee remote access to corporate applications. These are internet-facing appliances deployed by thousands of enterprises and government agencies, making vulnerabilities in them extremely high-value for nation-state actors targeting corporate networks.

Overview

CVE-2022-27518 is a critical authentication bypass vulnerability in Citrix ADC and Gateway when configured with SAML SP (Service Provider) or IdP (Identity Provider) mode. An unauthenticated attacker can exploit this flaw to execute code as an administrator on the vulnerable appliance. CVSS 9.8. The NSA and CISA jointly published a threat hunting advisory attributing active exploitation to APT5, a China-linked nation-state threat group focused on telecommunications and technology sectors, on the same day Citrix released the patch — a rare and notable coordinated disclosure indicating confirmed targeted exploitation.

Affected Versions

Product                             Vulnerable                  Fixed
Citrix ADC and NetScaler Gateway    13.0 before 13.0-58.32      13.0-58.32
Citrix ADC and NetScaler Gateway    12.1 before 12.1-65.25      12.1-65.25
Citrix ADC 12.1-FIPS                before 12.1-55.291          12.1-55.291
Citrix ADC 12.1-NDcPP               before 12.1-55.291          12.1-55.291

Only systems configured as a SAML SP or IdP are exploitable. Deployments without SAML configuration are not affected.

Technical Details

The vulnerability (CWE-664 — improper control of a resource through its lifetime) is an authentication bypass in the SAML processing code of Citrix ADC/Gateway. SAML (Security Assertion Markup Language) is an XML-based authentication federation standard. When the appliance is configured as a SAML SP or IdP, the SAML assertion processing component contains a flaw that allows an attacker to send a specially crafted HTTP request that bypasses authentication and executes code with administrator privileges on the appliance OS.

The specific technical mechanism was not publicly disclosed by Citrix, but the CWE category and "execute code as administrator" impact suggest a memory safety or state management issue in the SAML XML parser or assertion handler that can be exploited without valid credentials.

Discovery

The NSA/CISA advisory indicates the vulnerability was identified through threat intelligence — APT5 was observed exploiting this vulnerability in targeted attacks before Citrix released the patch. The coordinated same-day release of the patch and the NSA attribution advisory is exceptional and signals high urgency.

Exploitation Context

APT5 (also tracked as UNC2630 by Mandiant and BRONZE FLEETWOOD by Secureworks) is a China-nexus espionage group focused on telecommunications, satellite, and defense technology sectors. The group has a history of targeting internet-facing network appliances to gain persistent access to enterprise networks — a pattern also seen in their exploitation of Pulse Secure VPN (2021) and other perimeter devices.

Exploitation goals observed from APT5 campaigns:

  • Persistent implant installation: Deploying custom malware to survive firmware updates
  • Credential harvesting: Capturing VPN credentials, SAML tokens, and session data for downstream access
  • Network pivoting: Using the appliance as a beachhead to access internal enterprise systems
  • Long-term surveillance: Maintaining access to high-value government and defense contractor networks

The Citrix ADC is particularly valuable because it handles all remote access authentication, giving a foothold into every authenticated VPN session.

Remediation

  1. Apply Citrix patch immediately: Update to the fixed build for your version per CTX474995. This is a targeted nation-state exploitation — do not wait.
  2. Check SAML configuration: Confirm whether your ADC is configured as a SAML SP or IdP (the only vulnerable configurations). If not using SAML, the risk is reduced but patching is still required.
  3. Use NSA/CISA threat hunting guidance: The NSA/CISA advisory includes specific indicators of compromise (IoCs) and threat hunting queries for detecting APT5 activity — apply these to your environment.
  4. Review for persistence mechanisms: APT5 is known for installing persistent backdoors. After patching, audit for unexpected processes, files, and configuration changes on the ADC appliance.
  5. Rotate credentials: Assume any credentials that traverse the Citrix Gateway (VPN, SAML assertions, certificates) may have been harvested. Rotate service account passwords, certificates, and SAML signing keys.
  6. Enable enhanced logging: Configure Citrix ADC to log SAML authentication events and forward logs to a SIEM for ongoing monitoring.
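The first two remediation steps can be applied offline to an ns.conf backup. The Python helper below is an added example, not Citrix's or the NSA/CISA advisory's own tooling: it looks for the `add authentication samlAction` (SAML SP) and `add authentication samlIdPProfile` (SAML IdP) directives, which are assumed from NetScaler CLI syntax, and compares the running build against the fixed builds in the table above. The ns.conf excerpt is constructed, and the product variant (12.1 vs. 12.1-FIPS/NDcPP) must be supplied by the operator because the build string alone does not distinguish it.

```python
import re

# First fixed builds per CTX474995, from this page's Affected Versions table.
FIXED_BUILDS = {"13.0": "13.0-58.32", "12.1": "12.1-65.25",
                "12.1-FIPS": "12.1-55.291", "12.1-NDcPP": "12.1-55.291"}

# ns.conf directives (assumed NetScaler CLI syntax) that enable SAML SP or IdP mode.
SAML_DIRECTIVES = {"add authentication samlAction": "SP",
                   "add authentication samlIdPProfile": "IdP"}

# Constructed ns.conf excerpt: a SAML SP configuration, i.e. one of the exploitable modes.
SAMPLE_NS_CONF = """\
set ns config -IPAddress 10.0.0.5 -netmask 255.255.255.0
add authentication samlAction corp_saml -samlIdPCertName idp_cert -samlRedirectUrl "https://idp.example.test/sso"
add authentication Policy corp_saml_pol -rule true -action corp_saml
bind authentication vserver auth_vs -policy corp_saml_pol -priority 100
"""

def parse_build(build):
    # '13.0-58.32' -> (13, 0, 58, 32); tuples compare numerically, so 13.0-58.32 > 13.0-58.4
    m = re.fullmatch(r"(\d+)\.(\d+)-(\d+)\.(\d+)", build.strip())
    if not m:
        raise ValueError(f"unrecognised build string: {build!r}")
    return tuple(int(x) for x in m.groups())

def saml_roles(ns_conf):
    # Collect the SAML roles ('SP', 'IdP') that the configuration enables.
    roles = set()
    for line in ns_conf.splitlines():
        for directive, role in SAML_DIRECTIVES.items():
            if line.strip().startswith(directive):
                roles.add(role)
    return roles

def assess(ns_conf, build, variant):
    # Verdict for CVE-2022-27518: exploitable only if SAML SP/IdP is configured AND build < fixed.
    fixed = FIXED_BUILDS[variant]
    if parse_build(build)[:2] != parse_build(fixed)[:2]:
        raise ValueError(f"build {build} is not on the {variant} release line")
    roles = saml_roles(ns_conf)
    patched = parse_build(build) >= parse_build(fixed)
    return {"saml_roles": sorted(roles), "patched": patched,
            "exploitable": bool(roles) and not patched, "fixed_build": fixed}

if __name__ == "__main__":
    print(assess(SAMPLE_NS_CONF, "13.0-58.30", "13.0"))
```

An unpatched build without any SAML directive is reported as not exploitable but still unpatched, matching the page's guidance that patching is required either way.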

Key Details

Property                Value
CVE ID                  CVE-2022-27518
Vendor / Product        Citrix — Application Delivery Controller (ADC) and Gateway
NVD Published           2022-12-13
NVD Last Modified       2026-02-25
CVSS 3.1 Score          9.8
CVSS 3.1 Vector         CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity                CRITICAL
CWE                     CWE-664
CISA KEV Added          2022-12-13
CISA KEV Deadline       2023-01-03
Known Ransomware Use    No

CVSS 3.1 Breakdown

Attack Vector           Network
Attack Complexity       Low
Privileges Required     None
User Interaction        None
Scope                   Unchanged
Confidentiality         High
Integrity               High
Availability            High

Required Action

CISA BOD 22-01 Deadline: 2023-01-03. Apply updates per vendor instructions.

Timeline

Date          Event
2022-12-13    Citrix published CTX474995; NSA/CISA published APT5 attribution advisory; CISA added to KEV
2022-12-13    CVE published
2023-01-03    CISA BOD 22-01 remediation deadline