CVE-2022-27518

critical

Description

Unauthenticated remote arbitrary code execution

From the Tenable Blog

CVE-2022-27518: Unauthenticated RCE in Citrix ADC and Gateway

Published: 2022-12-13

Citrix has patched a critical remote code execution vulnerability in its Gateway and ADC products. This vulnerability has reportedly been exploited as a zero day; organizations should patch urgently.

References

https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-espionage-orb-networks

https://www.citrix.com/blogs/2022/12/13/critical-security-update-now-available-for-citrix-adc-citrix-gateway/

https://thehackernews.com/2023/03/from-ransomware-to-cyber-espionage-55.html

https://www.mandiant.com/resources/blog/zero-days-exploited-2022

https://www.tenable.com/cyber-exposure/tenable-2022-threat-landscape-report

https://media.defense.gov/2022/Dec/13/2003131586/-1/-1/0/CSA-APT5-CITRIXADC-V1.PDF

https://www.tenable.com/blog/cve-2023-4966-citrix-netscaler-adc-and-netscaler-gateway-information-disclosure-exploited-in

https://www.tenable.com/blog/cve-2023-3519-critical-rce-in-netscaler-adc-citrix-adc-and-netscaler-gateway-citrix-gateway

https://www.tenable.com/blog/cve-2022-27518-unauthenticated-rce-in-citrix-adc-and-gateway

https://support.citrix.com/article/CTX474995

Details

Source: Mitre, NVD

Published: 2022-12-13

Updated: 2025-02-14

Known Exploited Vulnerability (KEV)

Risk Information

CVSS v2

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Severity: Critical

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H