CVE-2022-27518
CVSS base score: 9.8
Warning: Unauthenticated remote arbitrary code execution

Data is provided by the National Vulnerability Database (NVD)
Citrix Application Delivery Controller Firmware (SwEdition: fips), Version >= 12.1 and < 12.1-55.291
Citrix Application Delivery Controller Firmware (SwEdition: ndcpp), Version >= 12.1 and < 12.1-55.291
Citrix Application Delivery Controller Firmware, Version >= 12.1 and < 12.1-65.25
Citrix Application Delivery Controller Firmware, Version >= 13.0 and < 13.0-58.32
Citrix Gateway Firmware, Version >= 12.1 and < 12.1-65.25
    running on Citrix Gateway, Version: -
Citrix Gateway Firmware, Version >= 13.0 and < 13.0-58.32
    running on Citrix Gateway, Version: -

13.12.2022: CISA Known Exploited Vulnerabilities (KEV) Catalog

Vulnerability: Citrix Application Delivery Controller (ADC) and Gateway Authentication Bypass Vulnerability

Description: Citrix Application Delivery Controller (ADC) and Gateway, when configured with SAML SP or IdP configuration, contain an authentication bypass vulnerability that allows an attacker to execute code as administrator.

Required actions: Apply updates per vendor instructions.
EPSS Metrics

Type   Source      Score    Percentile
EPSS   FIRST.org   12.37%   0.936

CVSS Metrics

Source              Base Score   Exploit Score   Impact Score   Vector string
nvd@nist.gov        9.8          3.9             5.9            CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
secure@citrix.com   9.8          3.9             5.9            CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-664: Improper Control of a Resource Through its Lifetime

The product does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release.