Citrix vulnerability exploited by ransomware group.
N2K, Jan 13, 2023

A vulnerability Citrix disclosed in November is now being actively exploited by the operators of Royal ransomware.

Researchers at At-Bay believe a critical Citrix vulnerability is being exploited by the Royal ransomware gang.

Authentication bypass vulnerability exploited.

Citrix disclosed CVE-2022-27510 on November 8th, 2022. The vulnerability “allows for the potential bypass of authentication measures on two Citrix products: the Application Delivery Controller (ADC) and Gateway.” At-Bay researchers last week observed what appears to be the first known exploitation of the flaw in the wild:

“The suspected exploitation method of the Citrix vulnerability by the Royal ransomware group is in line with the exploitation of similar vulnerabilities we have seen in the past.

“It appears that Royal is exploiting this authentication bypass vulnerability in Citrix products to gain unauthorized access to devices with Citrix ADC or Citrix Gateway and launch ransomware attacks. Exploiting vulnerabilities in servers is one of the most common attack vectors for ransomware groups — especially critical infrastructure servers like those provided by Citrix.

“However, what sets this instance apart is that the ransomware group is using the Citrix vulnerability before there is a public exploit.”

The researchers recommend that organizations apply Citrix’s patches and mitigations as soon as possible.