Attacker Value

Very High

(1 user assessed)

Exploitability

Moderate

(1 user assessed)

User Interaction

CVE-2022-27518

Disclosure Date: December 13, 2022 •

CVE-2022-27518 CVSS v3 Base Score: 9.8

Exploited in the Wild

Reported by gwillcox-r7 and 2 more...
View Source Details

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

Unauthenticated remote arbitrary code execution

Add Assessment

ccondon-r7 (232)

December 13, 2022 11:06pm UTC (1 year ago)•

Ratings

Attacker Value

Very High

Exploitability

Medium

Common in enterprise Gives privileged access Unauthenticated

Technical Analysis

Lots of advanced-ish threat notifications this week…Citrix published a security advisory and a companion blog on this zero-day bug today, noting that it’s been exploited in the wild. The NSA also released information about APT 5 targeting Citrix ADC installations; their bulletin includes threat intel.

ADC is always a nice target, and often hangs out on the internet. Leaving “Exploitability” as a medium for now since there’s not a ton on the vuln inself, other than that it’s SAML-related. I’d expect more vuln details out on this one shortly, and probably a rise in exploitation—just in time for the holidays.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

9.8 Critical

Impact Score:

5.9

Exploitability Score:

3.9

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV):

Network

Attack Complexity (AC):

Low

Privileges Required (PR):

None

User Interaction (UI):

None

Scope (S):

Unchanged

Confidentiality (C):

High

Integrity (I):

High

Availability (A):

High

Vendors

citrix

Products

application delivery controller firmware,
gateway firmware

Exploited in the Wild

Reported by:

gwillcox-r7 indicated source as Vendor Advisory (https://www.citrix.com/blogs/2022/12/13/critical-security-update-now-available-for-citrix-adc-citrix-gateway/)

Reported: December 13, 2022 6:35pm UTC (1 year ago)

mkienow-r7 indicated sources as

Vendor Advisory (https://support.citrix.com/article/CTX474995/citrix-adc-and-citrix-gateway-security-bulletin-for-cve202227518)
Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)

Reported: December 13, 2022 10:14pm UTC (1 year ago) • Edited 1 year ago

ccondon-r7 indicated source as Vendor Advisory (https://www.citrix.com/blogs/2022/12/13/critical-security-update-now-available-for-citrix-adc-citrix-gateway/)

Reported: December 13, 2022 11:06pm UTC (1 year ago) • Edited 1 year ago

References

Canonical

CVE-2022-27518 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27518)

Exploit

The following exploit POCs have not been verified by Rapid7 researchers, but are sourced from: nomi-sec/PoC-in-GitHub.
Additional sources will be added here as they become relevant.
Notes: We will only add the top 3 POCs for a given CVE. POCs added here must have at least 2 GitHub stars.

CVE-2022-27518_POC (https://github.com/dolby360/CVE-2022-27518_POC)

Miscellaneous

https://support.citrix.com/article/CTX474995

Rapid7

Very High

CVE-2022-27518

Very High

Moderate

None

None

Network

CVE-2022-27518

Description