Virtualization technology giant Citrix on Tuesday scrambled out an emergency patch to cover a zero-day flaw in its networking product line and warned that a Chinese hacking group has already been caught exploiting the vulnerability.
Citrix sounded the alarm via a critical-severity bulletin documenting CVE-2022-27518, a pre-auth remote code execution bug affecting the Citrix ADC and Citrix Gateway network appliances.
“We are aware of a small number of targeted attacks in the wild using this vulnerability,” the Florida-based company said.
In tandem with Citrix’s release of the emergency fix, the US government’s National Security Agency (NSA) connected the in-the-wild zero-day attacks to APT5, a Chinese hacking group notorious for targeting telecommunications and technology companies.
The APT5 hacking group, also known as Manganese or Keyhole Panda, has been active since at least 2007 and has been observed targeting organizations and individuals in Southeast Asia.
Now, the NSA wants U.S. organizations to pay close attention to this threat actor, noting that the targeting of Citrix ADCs can facilitate illegitimate access to targeted organizations by bypassing normal authentication controls.
The NSA published a threat hunting guidance document to expose some of the tools and tactics used by APT5 in the latest Citrix ADC exploitation and urged corporate defenders to move all Citrix ADC instances behind a VPN or implement multi-factor authentication mitigations.
In its bulletin, Citrix said the security defect allows an unauthenticated remote attacker to perform arbitrary code execution on the appliance. The company said the Citrix ADC or Citrix Gateway must be configured as a SAML SP or a SAML IdP for the vulnerability to trigger.
“Exploits of this issue on unmitigated appliances in the wild have been reported. Citrix strongly urges affected customers of Citrix ADC and Citrix Gateway to install the relevant updated versions of Citrix ADC or Citrix Gateway as soon as possible,” the company said.
This is the second confirmed in-the-wild zero-day attack documented this week, coming on the heels of Fortinet’s emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product.
Fortinet described the bug as a critical memory corruption that allows a “remote unauthenticated attacker” to launch harmful code or execute commands on a target system.
“Fortinet is aware of an instance where this vulnerability was exploited in the wild, and recommends immediately validating your systems against the following indicators of compromise,” the company said, listing artifacts and connections to suspicious IP addresses that can help defenders hunt for infections.
So far this year, there have been at least 50 publicly documented in-the-wild zero-day attacks, according to data tracked by SecurityWeek.

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.