● Critical · CVSS 9.8 ⚠ ACTIVELY EXPLOITED — CISA KEV

How to Fix CVE-2022-27518: Citrix ADC and Gateway Unauthenticated RCE (APT5)

*By Sai Kiran Pandrala*

⚡ At a glance

Severity: CVSS 9.8, Critical
Actively exploited?: Yes, APT5 exploited it as a zero-day. NSA published a joint advisory. CISA KEV-listed.
Affected: Citrix ADC and Citrix Gateway 12.1 and 13.0 builds with SAML SP or IdP configured
Fixed in: Citrix ADC/Gateway 12.1-65.25, 13.0-58.32 (and later) per Citrix CTX474995
Type (CWE): Unauthenticated Remote Code Execution

⚠️ NSA-attributed zero-day. This was used by Chinese-state-aligned APT5 against US defense industrial base targets. If you ran an affected Citrix ADC with SAML configured in late 2022 and haven't patched, treat it as a confirmed compromise.

What is CVE-2022-27518?

CVE-2022-27518 is an unauthenticated remote code execution vulnerability in Citrix ADC and Citrix Gateway. The exploit precondition: the appliance must be configured as a SAML Service Provider (SP) or SAML Identity Provider (IdP). When this configuration is present, an attacker can send a crafted request that triggers the vulnerable SAML code path and gain code execution as the ADC service account.

The NSA published a joint cybersecurity advisory (with CISA and FBI) in December 2022 documenting APT5's use of this CVE. The targets included US defense industrial base companies. APT5 dropped a tampered Tomcat backdoor on compromised appliances for persistent access.

Am I affected?

You are affected if all are true:

  1. You run Citrix ADC or Citrix Gateway at 12.1 or 13.0 (any build below the fix).
  2. You have SAML SP or SAML IdP virtual server configured.

Note: Citrix ADC 12.1 reached end of maintenance in November 2023; newer fixes are not coming for that line. Migrate.

Check your version:


show version

Check whether SAML SP/IdP is configured:


show authentication samlAction
show authentication samlIdPProfile

If either returns configured entries, the vulnerable path is reachable.

How to fix CVE-2022-27518

  1. Open Citrix CTX474995 and the NSA joint advisory for context.
  2. Download the patched ADC firmware from Citrix Downloads.
  3. Plan a maintenance window (5-10 min ADC reboot).
  4. For HA pairs, upgrade secondary, fail over, upgrade primary.
  5. Apply the firmware via the GUI or CLI per Citrix's documented procedure.
  6. Verify with show version.

IoC hunt (per NSA advisory)

The NSA published specific indicators of the APT5 tampered Tomcat artifact. Look for:

If any IoC is present, the appliance is compromised. Rotate every credential it holds, rebuild from a known-clean firmware install (not just patch in place), and consider taking a forensic disk image first.

Upgrade the Citrix ADC / NetScaler


# Confirm the running build
show ns version

# Stage the patched build from the Citrix advisory: https://support.citrix.com/article/CTX474995
shell scp <admin>@<filesvr>:/<patched-build>.tgz /var/nsinstall/
shell tar -xzf /var/nsinstall/<patched-build>.tgz -C /var/nsinstall/
shell /var/nsinstall/installns -Y

# After reboot
show ns version

Verify the fix landed


# 1. Confirm the running build matches the fixed-in build from the advisory:
#    https://support.citrix.com/article/CTX474995
show ns version

# 2. Re-scan with your vulnerability scanner (Nessus, Qualys, Tenable, OpenVAS).
#    The scanner should no longer flag CVE-2022-27518 on the patched target.

# 3. Citrix ADC runs on FreeBSD, so there is no journalctl; inspect the appliance's
#    own logs for install errors, crash loops or an unexpected rollback instead.
shell tail -n 100 /var/log/ns.log
shell dmesg | tail -n 50

If you can't patch immediately


# Vendor advisory: https://support.citrix.com/article/CTX474995/
  rm authentication samlAction <name>
  rm authentication samlIdPProfile <name>

(This breaks SAML SSO. Use OAuth or local authentication temporarily. Unbind the SAML policy from the authentication or gateway virtual server before removing the action, since the action is still referenced while the policy is bound.)

How to verify the fix worked

  1. show version shows the patched build.
  2. Re-enable SAML if you disabled it.
  3. Run a vulnerability scan against the ADC. CVE-2022-27518 detection should clear.
  4. IoC hunt should come back clean (or be remediated).
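The "Am I affected?" check and the post-upgrade verification above both reduce to the same two questions: is the running build below the fixed-in build for its release line, and is any SAML action or IdP profile configured? The script below, an added example that is not part of this guide or of Citrix's tooling, automates that decision over captured CLI output so it can be run across a fleet of exported `show version` and `show authentication` listings. The banner and listing formats it parses (a `NetScaler NS13.0: Build 58.15.nc, ...` line and `1) Name: ...` records) are assumptions about the usual output shape, and the sample outputs in the block are constructed, not captured from a real appliance.

```python
import re

# Fixed-in builds taken from the "Fixed in" line of this guide (Citrix CTX474995):
# a build at or above the listed number for its release line is patched.
FIXED_BUILDS = {"12.1": (65, 25), "13.0": (58, 32)}

# Assumed shape of the "show version" banner:
#   NetScaler NS13.0: Build 58.15.nc, Date: Nov 1 2022, 09:35:21   (64-bit)
VERSION_RE = re.compile(r"NetScaler NS(\d+\.\d+): Build (\d+)\.(\d+)")

# Assumed shape of one entry in "show authentication samlAction" /
# "show authentication samlIdPProfile"; an empty config prints only "Done".
ENTRY_RE = re.compile(r"^\s*\d+\)\s+Name:", re.M)


def parse_version(show_version_output):
    """Return (release, major, minor) from the banner, or None if it is absent."""
    m = VERSION_RE.search(show_version_output)
    if not m:
        return None
    return m.group(1), int(m.group(2)), int(m.group(3))


def build_is_vulnerable(release, major, minor):
    """True when the release line is named in the advisory and the build is below the fix."""
    if release not in FIXED_BUILDS:
        # Lines not listed on this page (e.g. 13.1) are not treated as affected here.
        return False
    return (major, minor) < FIXED_BUILDS[release]


def saml_configured(saml_action_output, saml_idp_output):
    """True when either SAML listing contains at least one configured entry."""
    return bool(ENTRY_RE.search(saml_action_output) or ENTRY_RE.search(saml_idp_output))


def assess(show_version_output, saml_action_output, saml_idp_output):
    """Combine both checks into one verdict:
    'unknown-version' -> banner not recognised, inspect manually
    'patched'         -> build is at/above the fixed-in build (or line not affected)
    'vulnerable'      -> unpatched build AND SAML SP/IdP configured
    'not-exposed'     -> unpatched build but no SAML configured (still patch it)
    """
    v = parse_version(show_version_output)
    if v is None:
        return "unknown-version"
    if not build_is_vulnerable(*v):
        return "patched"
    if saml_configured(saml_action_output, saml_idp_output):
        return "vulnerable"
    return "not-exposed"


if __name__ == "__main__":
    # Constructed sample output, not captured from a real appliance.
    version_before = "        NetScaler NS13.0: Build 58.15.nc, Date: Nov 1 2022, 09:35:21   (64-bit)\n Done\n"
    version_after = "        NetScaler NS13.0: Build 58.32.nc, Date: Nov 12 2022, 09:35:21   (64-bit)\n Done\n"
    saml_actions = "1)\tName: saml_sp_act\n\tsamlIdPCertName: idp_cert\n Done\n"
    no_entries = " Done\n"

    print("before upgrade:", assess(version_before, saml_actions, no_entries))  # vulnerable
    print("after upgrade: ", assess(version_after, saml_actions, no_entries))   # patched
```

Feed it the saved output of `show version`, `show authentication samlAction` and `show authentication samlIdPProfile` for each appliance; a verdict of `not-exposed` still means the build is below the fix and should be upgraded, it only means the SAML precondition from the advisory is not met on that box.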

Frequently asked questions

Is CVE-2022-27518 actively exploited?

Yes. CVE-2022-27518 is on the CISA Known Exploited Vulnerabilities catalog, so federal civilian agencies are required to patch on the published deadline. Most enterprises treat the same date as the practical floor.

What is the CVSS severity of CVE-2022-27518?

Critical. See the advisory for the full CVSS vector.

Where can I read the official advisory?

See https://support.citrix.com/article/CTX474995/

Does the patch require a reboot?

It depends on the deployment. Service-only updates usually need a service restart; OS-level fixes require a full reboot. Check the vendor release notes for the exact post-upgrade steps.

*This guide was assembled from Citrix CTX474995, the NSA joint advisory, NVD record, and CISA KEV listing on 2026-05-25. Always confirm against the Citrix bulletin before applying changes in production.*
