Citrix ADC and Gateway need urgent patches


NSA warns APT5 group already exploiting vulns.

The US National Security Agency is warning that the threat group known as APT5 is exploiting bugs in Citrix’s Application Delivery Controller product.


Citrix said in its blog post that the bug, CVE-2022-27518, also affects its Gateway product.

The bug affects versions 12.1 and 13.0 before 13.0-58.32 of the products, which must be “configured with an SAML SP or IdP configuration to be affected”. SAML is an authentication protocol; IdP stands for “identity provider”.

The company has provided updated software to fix the issue.

The NSA’s advisory [pdf] states that exploits “can facilitate illegitimate access to targeted organizations by bypassing normal authentication controls”.

It offered guidance on “steps organisations can take to look for possible artifacts of this type of activity”.

These include checking the integrity of executables in their Citrix environment by comparing MD5 hashes to known good binaries; checking logs for markers of APT5 activity; and using NSA-provided YARA signatures that can detect known APT5 malware.
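The first of those checks, sketched as an added example (not code from the NSA advisory or from Citrix): it compares a copied or mounted file tree against a known-good MD5 list and also reports files the list does not account for. The manifest format (md5sum-style lines) and the file names in the sample are assumptions constructed for the demonstration.

```python
import hashlib
import os
import tempfile


def md5_of(path, chunk=1 << 20):
    """Stream the file through MD5 so large binaries are not read whole."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def load_manifest(text):
    """Parse 'md5hex  relative/path' lines (md5sum-style; assumed format)."""
    known = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            digest, rel = line.split(None, 1)
            known[rel.strip().lstrip("*")] = digest.lower()
    return known


def audit(root, known):
    """Return (modified, missing, unexpected) relative paths under root."""
    modified = [r for r, d in known.items()
                if os.path.isfile(os.path.join(root, r))
                and md5_of(os.path.join(root, r)) != d]
    missing = [r for r in known if not os.path.isfile(os.path.join(root, r))]
    on_disk = {os.path.relpath(os.path.join(dp, n), root).replace(os.sep, "/")
               for dp, _, names in os.walk(root) for n in names}
    return sorted(modified), sorted(missing), sorted(on_disk - set(known))


def demo():
    """Constructed sample tree: one altered file, one absent, one extra."""
    good = {"bin/alpha": b"alpha v1", "bin/beta": b"beta v1", "bin/gamma": b"gamma v1"}
    manifest = "\n".join(f"{hashlib.md5(c).hexdigest()}  {p}" for p, c in good.items())
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "bin"))
        on_disk = {"bin/alpha": b"alpha v1", "bin/beta": b"beta v1 + patch",
                   "bin/extra": b"not in manifest"}  # bin/gamma deliberately absent
        for rel, content in on_disk.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(content)
        return audit(root, load_manifest(manifest))


if __name__ == "__main__":
    print(demo())
```

The result is only as trustworthy as the manifest, so the known-good hashes need to come from a clean copy of the same build rather than from the appliance being examined.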

Copyright © iTnews.com.au. All rights reserved.