Citrix ADM has admin password reset vulnerability


Nasty but hard to exploit, researcher says.

Citrix has warned users of its Application Delivery Management (ADM) software that a security vulnerability in the product allows an attacker to reset the admin password.

ADM is a web-based management interface for various on-premises and cloud-hosted Application Delivery Controller products as well as Citrix Gateway and Citrix Secure Web Gateway.

In its advisory, Citrix explained that the vulnerability - CVE-2022-27511 - allows a remote, unauthenticated user to corrupt the system.

“The impact of this can include the reset of the administrator password at the next device reboot, allowing an attacker with ssh access to connect with the default administrator credentials after the device has rebooted," it said.

A second, less severe vulnerability was disclosed as CVE-2022-27512: an attacker can disrupt the ADM licence service, preventing new licences from being issued or renewed.

“All supported versions of Citrix ADM server and Citrix ADM agent are affected by this vulnerability," the advisory stated, adding that Citrix ADM 13.1 before 13.1-21.53, and Citrix ADM 13.0 before 13.0-85.19, are the affected builds.

“Customers must upgrade both Citrix ADM server and all associated Citrix ADM agents”, the advisory noted.
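Because the advisory fixes each release line at a specific build (13.1-21.53 and 13.0-85.19) and requires every agent to be upgraded alongside the server, the practical check is to compare each ADM server and agent build against the fixed build on its own line. The following triage script is an added example written for this article; it is not Citrix's or iTnews's code. The hostnames and builds in the sample inventory are constructed for illustration, and the build-string format (major.minor-build.patch) is assumed from the advisory's version numbers.

```python
import re

# Fixed builds quoted from the Citrix advisory for CVE-2022-27511 / CVE-2022-27512:
# ADM 13.1 is affected before 13.1-21.53, ADM 13.0 before 13.0-85.19.
FIXED_BUILDS = {
    (13, 1): (21, 53),
    (13, 0): (85, 19),
}

# Assumed build-string shape, e.g. "13.1-21.53": <major>.<minor>-<build>.<patch>
_BUILD_RE = re.compile(r"^\s*(\d+)\.(\d+)-(\d+)\.(\d+)\s*$")


def parse_build(build: str):
    """Parse a build string into ((major, minor), (build, patch)) integer tuples."""
    m = _BUILD_RE.match(build)
    if not m:
        raise ValueError(f"unrecognised Citrix ADM build string: {build!r}")
    major, minor, bld, patch = (int(x) for x in m.groups())
    return (major, minor), (bld, patch)


def is_vulnerable(build: str) -> bool:
    """True if the build predates the fixed build on its release line.

    A release line the advisory does not list is rejected rather than treated
    as safe: the advisory states that all supported versions are affected, and
    an unlisted line either is unsupported (no fix available) or needs a human
    to look it up. Tuple comparison gives numeric ordering, so 13.1-9.68 sorts
    before 13.1-21.53 even though "9" > "2" as a string.
    """
    line, ver = parse_build(build)
    if line not in FIXED_BUILDS:
        raise ValueError(f"release line {line[0]}.{line[1]} is not covered by the advisory")
    return ver < FIXED_BUILDS[line]


def triage(inventory):
    """Classify (hostname, role, build) tuples; role is 'server' or 'agent'.

    Returns (vulnerable, patched) lists. Agents are checked exactly like the
    server because the advisory requires both to be upgraded; a patched server
    with one stale agent still appears in the vulnerable list.
    """
    vulnerable, patched = [], []
    for host, role, build in inventory:
        target = vulnerable if is_vulnerable(build) else patched
        target.append(f"{host} ({role} {build})")
    return vulnerable, patched


# Constructed sample inventory: hypothetical hosts, not taken from the article.
SAMPLE_INVENTORY = [
    ("adm-server-01", "server", "13.1-21.53"),
    ("adm-agent-01", "agent", "13.1-9.68"),
    ("adm-server-02", "server", "13.0-85.19"),
    ("adm-agent-02", "agent", "13.0-84.11"),
]

if __name__ == "__main__":
    vuln, ok = triage(SAMPLE_INVENTORY)
    print("vulnerable:", vuln)
    print("patched:", ok)
```

Feed `triage` the server and agent builds reported by the ADM console; the script deliberately raises on an unknown release line instead of returning "patched", so that an unsupported 12.x build cannot slip through as a false negative.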

Code White’s Florian Hauser (who co-discovered the bug with “@CaptnBanana”) tweeted that it is “hard to exploit but nonetheless [a] nasty bug”.

Copyright © iTnews.com.au. All rights reserved.