CVE-2022-27518

Description

Unauthenticated remote arbitrary code execution

Add Assessment

ccondon-r7 (280)

December 13, 2022 11:06pm UTC (1 year ago)•

Ratings

Attacker Value

Very High

Exploitability

Medium

Common in enterprise Gives privileged access Unauthenticated

Technical Analysis

Lots of advanced-ish threat notifications this week…Citrix published a security advisory and a companion blog on this zero-day bug today, noting that it’s been exploited in the wild. The NSA also released information about APT 5 targeting Citrix ADC installations; their bulletin includes threat intel.

ADC is always a nice target, and often hangs out on the internet. Leaving “Exploitability” as a medium for now since there’s not a ton on the vuln inself, other than that it’s SAML-related. I’d expect more vuln details out on this one shortly, and probably a rise in exploitation—just in time for the holidays.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

9.8 Critical

Impact Score:

5.9

Exploitability Score:

3.9

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV):

Network

Attack Complexity (AC):

Low

Privileges Required (PR):

None

User Interaction (UI):

None

Scope (S):

Unchanged

Confidentiality (C):

High

Integrity (I):

High

Availability (A):

High

Vendors

citrix

Products

application delivery controller firmware,
gateway firmware

Exploited in the Wild

Reported by:

gwillcox-r7 indicated source as Vendor Advisory (https://www.citrix.com/blogs/2022/12/13/critical-security-update-now-available-for-citrix-adc-citrix-gateway/)

Reported: December 13, 2022 6:35pm UTC (1 year ago)

mkienow-r7 indicated sources as

Vendor Advisory (https://support.citrix.com/article/CTX474995/citrix-adc-and-citrix-gateway-security-bulletin-for-cve202227518)
Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)

Reported: December 13, 2022 10:14pm UTC (1 year ago) • Edited 1 year ago

ccondon-r7 indicated source as Vendor Advisory (https://www.citrix.com/blogs/2022/12/13/critical-security-update-now-available-for-citrix-adc-citrix-gateway/)

Reported: December 13, 2022 11:06pm UTC (1 year ago) • Edited 1 year ago

AttackerKB Worker indicated source as Government or Industry Alert (https://www.cisa.gov/news-events/alerts/2022/12/13/cisa-adds-five-known-exploited-vulnerabilities-catalog)

Reported: November 08, 2024 8:33am UTC (6 days ago)

References

Canonical

CVE-2022-27518 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27518)

Exploit

PoCs that have not been added by contributors directly have been sourced from: nomi-sec/PoC-in-GitHub.
A PoC added here by the AKB Worker must have at least 2 GitHub stars.

CVE-2022-27518_POC (https://github.com/dolby360/CVE-2022-27518_POC) (Added by AKB Worker)

Miscellaneous

https://support.citrix.com/article/CTX474995

Rapid7

Very High

Very High

Moderate

None

None

Network

CVE-2022-27518

Description