Citrix has fixed two Critical Application Delivery Management (ADM) vulnerabilities (CVE-2022-27511 and CVE-2022-27512).
An attacker could exploit some of these vulnerabilities to take control of unpatched systems.
The Citrix ADM security update addresses the following Critical vulnerabilities:
- CVE-2022-27511: Corruption of the system by a remote, unauthenticated user potentially leading to the reset of the administrator password.
- CVE-2022-27512: Temporary disruption of the ADM license service.
For the first issue, Citrix warned that a remote, unauthenticated user could corrupt an unpatched system. As a result, a bad actor could reset the administrator password at the next device reboot, “allowing an attacker with ssh access to connect with the default administrator credentials after the device has rebooted.”
The second issue could lead to temporary disruption of the ADM license service and prevent new licenses from being issued or renewed.
Affected versions include: Citrix ADM 13.1 before 13.1-21.53 and Citrix ADM 13.0 before 13.0-85.19.
Citrix also strongly recommends mitigations to reduce risk of exploitation of these issues. For example, organizations should logically or physically segment network traffic to the Citrix ADM’s IP address from standard network traffic.