Project Hyphae

Citrix ADC and Gateway under active exploit


A vulnerability has been discovered in Citrix ADC and Citrix Gateway that can allow unauthorized Remote Code Execution (RCE). This is a critical zero-day vulnerability and you should patch now. The following versions are affected:

  • Citrix ADC and Citrix Gateway 13.0 before 13.0-58.32 
  • Citrix ADC and Citrix Gateway 12.1 before 12.1-65.25 
  • Citrix ADC 12.1-FIPS before 12.1-55.291 
  • Citrix ADC 12.1-NDcPP before 12.1-55.291 

You can find their security bulletin here:

At this point Citrix is aware of a small group of targeted attacks in the wild. However, it will not take long before other malicious actors exploit it. The exploit requires the appliance to be configured as a SAML SP or IdP, and administrators can inspect their ns.conf files for the following:

  • add authentication samlAction
  • add authentication samlIdPProfile
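
As an added example (not code from Citrix or from this post), the following Python sketch combines the two checks above for triage: it compares a build string against the fixed builds listed on this page and scans ns.conf text for active SAML SP/IdP definitions. The function names, the `edition` argument, and the sample configuration are assumptions made for illustration.

```python
import re

# First fixed build per (release, edition), taken from the list on this page.
# The "edition" label is an assumption of this example, not a Citrix field.
FIXED = {
    ("13.0", ""): (58, 32),
    ("12.1", ""): (65, 25),
    ("12.1", "FIPS"): (55, 291),
    ("12.1", "NDcPP"): (55, 291),
}

# Matches active (non-commented) SAML SP or IdP definitions in ns.conf.
SAML_RE = re.compile(r"^\s*add\s+authentication\s+(samlAction|samlIdPProfile)\b", re.I)

def saml_lines(conf_text):
    # Return (line_number, line) for each SAML definition found.
    return [(n, line.strip()) for n, line in enumerate(conf_text.splitlines(), 1)
            if SAML_RE.match(line)]

def below_fixed_build(version, edition=""):
    # True/False for releases listed on this page, None for any other release.
    release, _, build = version.partition("-")
    fixed = FIXED.get((release, edition))
    if fixed is None:
        return None
    major, minor = (int(x) for x in build.split("."))
    return (major, minor) < fixed  # numeric compare, so 65.3 < 65.25

def triage(conf_text, version, edition=""):
    hits = saml_lines(conf_text)
    below = below_fixed_build(version, edition)
    if below is None:
        status = "release not listed on this page"
    elif below and hits:
        status = "PATCH AND HUNT: affected build with SAML configured"
    elif below:
        status = "patch: affected build, no SAML SP/IdP lines found"
    else:
        status = "at or above fixed build"
    return status, hits

# Constructed sample ns.conf fragment (not from a real appliance).
SAMPLE = """\
set ns hostName adc-lab-01
add authentication samlAction saml_sp_example -samlIdPCertName idp_cert
# add authentication samlIdPProfile disabled_example
add authentication ldapAction ldap_example -serverIP 192.0.2.10
"""

if __name__ == "__main__":
    print(triage(SAMPLE, "13.0-58.30"))
```

A clean result from the configuration scan only describes the current ns.conf; it says nothing about whether the device was compromised while SAML was configured on an affected build.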

As this vulnerability is known to have been exploited in the wild, threat hunting should be carried out on any affected devices to ensure that they were not exploited. In similar situations with vulnerabilities of this type (think Log4J, ProxyShell, ProxyLogon, previous Netscaler/ADC vulnerabilities), threat actors have exploited devices very quickly, established persistence, and launched attacks later. The NSA has provided some threat-hunting guidance for the impacted devices at the following URL:

In any case, this is one that deserves your attention. For additional information or how to update, please see Citrix’s blog post:
