Vulnerability Details : CVE-2022-27518
Unauthenticated remote arbitrary code execution
Products affected by CVE-2022-27518
- Citrix » Application Delivery Controller Firmware » NDcPP edition: versions from 12.1 (inclusive) up to, but not including, 12.1-55.291
  cpe:2.3:o:citrix:application_delivery_controller_firmware:*:*:*:*:ndcpp:*:*:*
- Citrix » Application Delivery Controller Firmware: versions from 12.1 (inclusive) up to, but not including, 12.1-65.25
  cpe:2.3:o:citrix:application_delivery_controller_firmware:*:*:*:*:*:*:*:*
- Citrix » Application Delivery Controller Firmware » FIPS edition: versions from 12.1 (inclusive) up to, but not including, 12.1-55.291
  cpe:2.3:o:citrix:application_delivery_controller_firmware:*:*:*:*:fips:*:*:*
- Citrix » Application Delivery Controller Firmware: versions from 13.0 (inclusive) up to, but not including, 13.0-58.32
  cpe:2.3:o:citrix:application_delivery_controller_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:citrix:gateway_firmware:*:*:*:*:*:*:*:*
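The version ranges above are what an operator actually has to act on, and Citrix ADC build strings ("13.0-58.15") do not compare correctly as plain strings or floats. The following is an added example, not Citrix, NIST or CISA tooling: it parses build strings in the vendor's major.minor-build.subbuild form, compares them against exactly the ranges listed on this page, and scans ns.conf lines for the SAML SP/IdP configuration that the CISA description names as the exposure condition. The `add authentication samlAction` and `add authentication samlIdPProfile` command names are an assumption about NetScaler configuration syntax and should be confirmed against the vendor bulletin (CTX474995); the sample configuration lines and version strings are constructed for the example. The Gateway CPE entry on this page carries no version range, so only the ADC ranges are encoded, and a build whose branch is not listed is reported as "not covered", not as safe.

```python
"""Check a Citrix ADC build string against the affected ranges listed on this page.

Added example (not vendor or CISA code). Version strings and ns.conf lines
below are constructed samples; the SAML command names are an assumption.
"""
import re
from typing import Iterable, NamedTuple, Optional


class Build(NamedTuple):
    """Citrix ADC build: major.minor-build.subbuild, compared lexicographically."""
    major: int
    minor: int
    build: int
    sub: int


_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:-(\d+)\.(\d+))?\s*$")


def parse_build(text: str) -> Build:
    """Parse '13.0-58.15' -> Build(13, 0, 58, 15). A bare '12.1' (the start of a
    range on this page) is treated as build 0.0 of that branch."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Citrix ADC version string: {text!r}")
    major, minor, build, sub = (int(g) if g is not None else 0 for g in m.groups())
    return Build(major, minor, build, sub)


# Affected ranges exactly as listed above: (start inclusive, first fixed build exclusive).
# "standard" is this example's label for the CPE entries with no edition field.
AFFECTED = {
    "standard": [("12.1", "12.1-65.25"), ("13.0", "13.0-58.32")],
    "fips": [("12.1", "12.1-55.291")],
    "ndcpp": [("12.1", "12.1-55.291")],
}


def is_affected(version: str, edition: str = "standard") -> Optional[bool]:
    """True if the build lies in a listed affected range for its branch, False if it
    is at or past the listed fix, None if no listed range covers that branch."""
    v = parse_build(version)
    for lo, hi in AFFECTED[edition]:
        lo_b, hi_b = parse_build(lo), parse_build(hi)
        if (v.major, v.minor) != (lo_b.major, lo_b.minor):
            continue
        return lo_b <= v < hi_b
    return None


# Assumed NetScaler commands that indicate a SAML SP (samlAction) or IdP (samlIdPProfile)
# configuration; confirm against the vendor bulletin before relying on this.
_SAML_CONFIG_RE = re.compile(r"^\s*add authentication (samlAction|samlIdPProfile)\b", re.IGNORECASE)


def saml_configured(ns_conf_lines: Iterable[str]) -> bool:
    """True if any configuration line defines a SAML SP action or IdP profile."""
    return any(_SAML_CONFIG_RE.match(line) for line in ns_conf_lines)


def triage(version: str, edition: str, ns_conf_lines: Iterable[str]) -> str:
    """Combine the version check with the SAML exposure check into one verdict."""
    affected = is_affected(version, edition)
    if affected is None:
        return "branch not covered by the ranges listed here; consult the vendor bulletin"
    if not affected:
        return "build is at or past the listed fix"
    if saml_configured(ns_conf_lines):
        return "affected build with SAML SP/IdP configured: apply the vendor update"
    return "affected build, no SAML SP/IdP configuration found: still apply the vendor update"


# Constructed ns.conf excerpt (sample data, not from a real appliance).
SAMPLE_NS_CONF = """\
set ns config -IPAddress 10.0.0.10 -netmask 255.255.255.0
add authentication samlAction saml_sp_act -samlIdPCertName idp_cert -samlRedirectUrl "https://idp.example.test/sso"
add authentication Policy saml_pol -rule true -action saml_sp_act
""".splitlines()

if __name__ == "__main__":
    for ver, ed in [("13.0-58.15", "standard"), ("13.0-58.32", "standard"),
                    ("12.1-55.290", "fips"), ("12.1-55.291", "standard"), ("13.1-33.47", "standard")]:
        print(f"{ver:>12} [{ed}]: {triage(ver, ed, SAMPLE_NS_CONF)}")
```

Note that 12.1-55.291 is the fix only for the FIPS and NDcPP editions; for the standard 12.1 branch the same build is still below 12.1-65.25 and is reported as affected, which is why the edition has to be passed in rather than inferred from the version string.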
CVE-2022-27518 is in the CISA Known Exploited Vulnerabilities Catalog
CISA vulnerability name:
Citrix Application Delivery Controller (ADC) and Gateway Authentication Bypass Vulnerability
CISA required action:
Apply updates per vendor instructions.
CISA description:
Citrix Application Delivery Controller (ADC) and Gateway, when configured with SAML SP or IdP configuration, contain an authentication bypass vulnerability that allows an attacker to execute code as administrator.
Notes:
https://www.citrix.com/blogs/2022/12/13/critical-security-update-now-available-for-citrix-adc-citrix-gateway/; https://nvd.nist.gov/vuln/detail/CVE-2022-27518
Added on
2022-12-13
Action due date
2023-01-03
Exploit prediction scoring system (EPSS) score for CVE-2022-27518
EPSS score: 20.30% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~97% (proportion of all scored vulnerabilities scored at or below this one)
CVSS scores for CVE-2022-27518
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
| 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST | |
| 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | Citrix Systems, Inc. | |
CWE ids for CVE-2022-27518
- The product does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release. (Assigned by: secure@citrix.com, Secondary)
References for CVE-2022-27518
- https://support.citrix.com/article/CTX474995 (Citrix ADC and Citrix Gateway Security Bulletin for CVE-2022-27518; Vendor Advisory)