CriticalCISA KEVExploited in the wildPublic exploit

Unauthenticated RCE in Citrix ADC and Citrix Gateway SAML

IdentifiersCVE-2022-27518CWE-94

CVE-2022-27518 is a critical unauthenticated remote code execution vulnerability affecting Citrix ADC and Citrix Gateway appliances, including Citrix ADC FIPS and NDcPP builds. The provided content states that the flaw allows remote arbitrary code execution without authentication and was exploited as a zero-day. Affected versions include Citrix ADC and Gateway 13.0 before 13.0-58.32, 12.1 before 12.1-65.25, and Citrix ADC FIPS/NDcPP 12.1 before 12.1-55.291. Based on the supplied advisory context, exploitation is only possible when the appliance is configured with SAML SP or SAML IdP functionality, as indicated by SAML-related entries such as "add authentication samlAction" or "add authentication samlIdPProfile" in ns.conf. The specific vulnerable function or code path is not provided in the content.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an unauthenticated remote attacker to execute arbitrary code on a vulnerable Citrix ADC or Gateway appliance. Because these devices commonly sit at the network edge and broker access to internal resources, compromise can provide a high-value foothold for follow-on intrusion activity, including persistence, credential theft, lateral movement, and broader enterprise compromise. The content also notes active zero-day exploitation attributed by NSA to APT5.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, place affected appliances behind a firewall or VPN, reduce direct internet exposure, and segment them from other internal networks to limit blast radius. Review Citrix guidance and use the NSA threat hunting guidance referenced in the content to look for behavioral indicators of compromise. Verify whether SAML SP or SAML IdP is enabled by inspecting ns.conf for entries such as "add authentication samlAction" or "add authentication samlIdPProfile."

Remediation

Patch, then assume compromise.

Apply Citrix-provided patches to affected systems. The content identifies fixed versions as Citrix ADC and Gateway 13.0-58.32 and later, 12.1-65.25 and later, and Citrix ADC FIPS/NDcPP 12.1-55.291 and later. Administrators should prioritize patching all internet-exposed affected appliances immediately and follow Citrix’s published mitigation and post-compromise guidance where relevant.

PUBLIC EXPLOITS

Exploits

No valid public exploits. Mallory filtered out 1 candidate as fakes, detection scripts, or README-only repos.

VALID 0 / 1 TOTALView more in app

All candidate exploits were filtered out by Mallory's validation.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

Citrix SystemsApplication Delivery Controller Firmwareoperating_system

Citrix SystemsCitrix Deviceshardware

Citrix SystemsDeviceshardware

Citrix SystemsGateway Firmwareoperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

5 SOURCESView more in app

tenable blogNews

Aug 26, 2025

CVE-2025-7775: Citrix NetScaler ADC and NetScaler Gateway Zero-Day Remote Code Execution Vulnerability Exploited in the Wild

A previously favored Citrix NetScaler ADC/Gateway vulnerability that has historically been targeted by multiple state-sponsored and ransomware threat actors.

mitre attack websiteNews

Feb 5, 2024

APT5, Mulberry Typhoon, MANGANESE, BRONZE FLEETWOOD, Keyhole Panda, UNC2630, Group G1023 | MITRE ATT&CK®

A specific vulnerability exploited for illegitimate access in SPACEHOP/APT5 activity, in the context of externally facing software and devices including Citrix Application Delivery Controllers.

trustwave spiderlabs blogNews

Dec 15, 2022

Trustwave Action Response: Zero-Day Vulnerability in Citrix ADC (CVE-2022-27518)

A critical unauthenticated remote code execution vulnerability affecting Citrix ADC and Citrix Gateway systems configured with SAML SP or IdP.

mitre attack websiteNews

Mar 20, 2015

Exploit Public-Facing Application, Technique T1190 - Enterprise | MITRE ATT&CK®

A vulnerability exploited for illegitimate access during SPACEHOP Activity.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence2

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures2

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2022-27518

NVD

nvd.nist.gov/vuln/detail/CVE-2022-27518

MITRE CWE · CWE-94

cwe.mitre.org

Vendor Advisory

support.citrix.com/article/CTX474995

US Government Resource

cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-27518