Citrix has warned users of its Application Delivery Management software that a security vulnerability in the product allows an attacker to reset the admin password.
ADM is a web-based management interface for various on-premises and cloud-hosted Application Delivery Controller products as well as Citrix Gateway and Citrix Secure Web Gateway.
In its advisory, Citrix explained that the vulnerability - CVE-2022-27511 - allows a remote, unauthenticated user to corrupt the system.
“The impact of this can include the reset of the administrator password at the next device reboot, allowing an attacker with ssh access to connect with the default administrator credentials after the device has rebooted,” it said.
A second, less severe vulnerability was disclosed as CVE-2022-27512: an attacker can temporarily disrupt the ADM licence service, preventing new licences from being issued or renewed.
“All supported versions of Citrix ADM server and Citrix ADM agent are affected by this vulnerability,” the advisory stated, adding that the affected builds are Citrix ADM 13.1 before 13.1-21.53 and Citrix ADM 13.0 before 13.0-85.19.
“Customers must upgrade both Citrix ADM server and all associated Citrix ADM agents”, the advisory noted.
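Because the fixed builds are identified by version strings of the form major.minor-build.patch, a quick inventory check is the practical first step, and a naive string comparison gets it wrong (“13.0-85.19” sorts lexicographically after a hypothetical “13.0-100.1” even though it is the older build). The following Python is an added example, not code from Citrix or from the article; it hard-codes only the two fixed builds named in the advisory, treats any other release branch as unknown rather than guessing, and the inventory entries are constructed sample data, not real hosts or real build numbers.

```python
import re
from typing import List, Optional, Tuple

# First fixed build for each release branch, as named in the Citrix advisory
# for CVE-2022-27511 / CVE-2022-27512. Keys are (major, minor).
FIXED_BUILDS = {
    (13, 1): (13, 1, 21, 53),   # Citrix ADM 13.1-21.53
    (13, 0): (13, 0, 85, 19),   # Citrix ADM 13.0-85.19
}

# Citrix ADM build strings look like "13.0-85.19": major.minor-build.patch
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")


def parse_adm_version(version: str) -> Tuple[int, ...]:
    """Turn a build string such as '13.0-85.19' into a tuple of ints that
    compares correctly. Comparing the raw strings is wrong: '13.0-85.19' sorts
    after '13.0-100.1' as text, but 85 < 100 so it is the older build."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Citrix ADM version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the build predates the fixed build for its branch, False if it is
    at or after the fix, None if the branch (major.minor) is not one the
    advisory lists fixed builds for. A None result means 'check with Citrix',
    not 'safe': the advisory says all supported versions are affected."""
    parsed = parse_adm_version(version)
    fixed = FIXED_BUILDS.get(parsed[:2])
    if fixed is None:
        return None
    return parsed < fixed


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Classify every ADM server *and* agent in an inventory of
    (hostname, role, version) tuples. The advisory requires both the server
    and all associated agents to be upgraded, so agents are not skipped just
    because their server is already on a fixed build."""
    labels = {True: "UPGRADE", False: "fixed", None: "unknown-branch"}
    return [(host, role, ver, labels[is_vulnerable(ver)]) for host, role, ver in inventory]


# Constructed sample inventory (hostnames and most build numbers are made up
# for illustration; only 13.1-21.53 and 13.0-85.19 come from the advisory).
SAMPLE_INVENTORY = [
    ("adm-server-01", "server", "13.1-21.53"),   # server already on the fixed build
    ("adm-agent-01", "agent", "13.1-12.50"),     # agent still on an older 13.1 build
    ("adm-agent-02", "agent", "13.0-84.11"),     # agent on a pre-fix 13.0 build
    ("adm-agent-03", "agent", "13.0-100.1"),     # hypothetical later build: newer than 85.19
    ("adm-agent-04", "agent", "12.1-63.22"),     # branch not covered by the advisory's fix list
]


def needs_upgrade(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Hostnames that must be upgraded according to the advisory's fixed builds."""
    return [host for host, _role, _ver, label in triage(inventory) if label == "UPGRADE"]


if __name__ == "__main__":
    for host, role, ver, label in triage(SAMPLE_INVENTORY):
        print(f"{host:14s} {role:7s} {ver:12s} {label}")
```

Run against a real export of ADM server and agent versions, anything reported as UPGRADE is on a build the advisory names as affected, and anything reported as unknown-branch needs a manual check against Citrix rather than being assumed patched.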
Code White’s Florian Hauser (who co-discovered the bug with “@CaptnBanana”) tweeted that it is “hard to exploit but nonetheless [a] nasty bug”.