The Department of Health and Human Services is urging healthcare entities to patch a critical vulnerability in Citrix products after successful exploitations in the industry.

Provider organizations are being urged to prioritize patching of a critical vulnerability in the Citrix Application Delivery Controller and Gateway platforms, as threat actors have already compromised multiple healthcare entities by exploiting the flaw.

The Department of Health and Human Services Cybersecurity Coordination Center (HC3) alert, which ranks the vulnerability 9.8 in severity, warns that it can allow an unauthenticated remote attacker to execute commands and completely compromise targeted systems.

“Targeting Citrix ADCs can facilitate illegitimate access to targeted organizations by bypassing normal authentication controls,” according to the National Security Agency threat hunting guidance specific to the Citrix ADC targeting.
The CVE-2022-27518 flaw affects Citrix products used across multiple sectors and is currently under active exploit “by a highly capable state-sponsored adversary.” Given the ongoing targeting, Citrix is limiting the details it releases about the flaw.

Citrix has issued a patch for the zero-day vulnerability and a blog describing the problem and needed mitigation measures. The permanent fixes are available to download through Citrix.

As noted in the HC3 alert, the concern is that the flaw is currently being targeted and successfully exploited by APT5, also known as UNC2630, a Chinese state-sponsored advanced persistent threat. HC3 notes that the specific attacker behind the attacks and compromises on U.S. healthcare organizations has not yet been identified.

Versions 12.1, including FIPS and NDcPP, and 13.0 before 13.0-58.32 are affected by the flaw. Citrix researchers explained that both platforms “must be configured with an SAML SP or IdP configuration to be affected.” Entities using “an affected build with a SAML SP or IdP configuration are urged to install the recommended builds immediately.”

There are no available workarounds for the security issue, and it’s “not possible to fix the vulnerability with Web Application Firewall signatures.”

Provider organizations should review the HC3 alert and Citrix security bulletin for details on remediation needs. Those “running affected builds” should review their inventory for these systems, prioritize the implementation of these patches and “set up audit logging to monitor for unauthorized activity on ADC or Gateway devices.”

Citrix recommended organizations review the NSA alert for insights into the detection and mitigation of the tools used in these ongoing attacks.
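The inventory review described above comes down to two facts per appliance: is the build below the fixed one, and is a SAML SP or IdP configuration present. The following script is an added example (not code from Citrix, HC3 or the NSA) that triages a constructed inventory on exactly those two facts. It assumes a version string in the form "release[-FIPS|-NDcPP]-build.patch" (e.g. "13.0-58.30") and a per-host SAML flag; the 13.0-58.32 fixed build comes from the article, while the fixed 12.1 build is left as a placeholder because the article only states that 12.1 is affected.

```python
"""Inventory triage for the Citrix ADC / Gateway flaw described above.

Added example, not code from Citrix, HC3 or the NSA. It assumes an inventory
record per appliance carrying a version string in the constructed form
"<release>[-FIPS|-NDcPP]-<build>.<patch>" (e.g. "13.0-58.30") and a flag for
whether a SAML SP or IdP configuration is present.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Fixed build taken from the article: 13.0 before 13.0-58.32 is affected.
# The article states that 12.1 (including FIPS and NDcPP) is affected but gives
# no fixed 12.1 build, so None means "every build of this release is treated as
# affected until the operator fills in the fixed build from the Citrix bulletin"
# (PLACEHOLDER, not a value from the article).
FIXED_BUILDS = {
    "13.0": (58, 32),
    "12.1": None,
}

VERSION_RE = re.compile(
    r"^(?P<release>\d+\.\d+)(?:-(?P<variant>FIPS|NDcPP))?-(?P<build>\d+)\.(?P<patch>\d+)$"
)


@dataclass(frozen=True)
class Appliance:
    host: str
    version: str
    saml_configured: Optional[bool]  # None = SAML status not yet verified


def parse_version(version: str):
    """Split a version string into (release, variant, (build, patch))."""
    m = VERSION_RE.match(version)
    if m is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    return m["release"], m["variant"], (int(m["build"]), int(m["patch"]))


def is_vulnerable_build(version: str) -> bool:
    """True when the build is below the fixed build of an affected release."""
    release, _variant, build = parse_version(version)
    if release not in FIXED_BUILDS:
        return False  # release not listed in the article; confirm against the bulletin
    fixed = FIXED_BUILDS[release]
    if fixed is None:
        return True  # whole release treated as affected (see placeholder above)
    return build < fixed  # tuple comparison: (58, 30) < (58, 32)


def triage(inventory):
    """Sort appliances into patch-now / patch-scheduled / fixed-or-out-of-scope.

    An affected build with SAML configured (or with SAML status unknown, which is
    treated conservatively) is exploitable and goes to the front of the queue.
    An affected build without SAML still needs the fixed build, since there is
    no workaround or WAF signature for the flaw, just with less urgency.
    """
    result = {"patch_now": [], "patch_scheduled": [], "fixed_or_out_of_scope": []}
    for appliance in inventory:
        if not is_vulnerable_build(appliance.version):
            result["fixed_or_out_of_scope"].append(appliance.host)
        elif appliance.saml_configured is False:
            result["patch_scheduled"].append(appliance.host)
        else:
            result["patch_now"].append(appliance.host)
    return result


# Constructed sample inventory: hostnames and version strings are made up.
SAMPLE_INVENTORY = [
    Appliance("adc-edge-01", "13.0-58.30", True),
    Appliance("adc-edge-02", "13.0-58.32", True),
    Appliance("gw-lab-01", "13.0-47.24", False),
    Appliance("adc-fips-01", "12.1-FIPS-55.200", None),
    Appliance("adc-new-01", "13.1-33.47", True),
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts whose SAML status has not been verified land in the patch-now bucket on purpose: the article says a SAML SP or IdP configuration is required for exposure, so an unknown status should not be read as "not exposed".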
The guidance includes measures entities can take to look for possible artifacts specific to the ongoing activity against the affected Citrix platforms. NSA also shares IOCs and YARA signatures that can detect malware the agency has observed threat actors using in this particular campaign.

“Treat these detection mechanisms as independent ways of identifying potentially malicious activity on impacted systems,” according to the NSA guidance. “Artifacts may vary based on the environment and the stage of that activity. As such, NSA recommends investigating any positive result even if other detections return no findings.”

Further, if a compromise is detected, entities should move all Citrix ADC instances behind a virtual private network or another tool that requires valid user authentication before access to the ADC is allowed. The affected Citrix ADC appliances should also be isolated from the environment to contain any malicious activity while the platform is restored to a known good state.

The NSA added that even if an entity does not find any indications of malicious activity during its investigation, it’s imperative to verify that the organization is running current versions of Citrix ADC appliances. Those who make new discoveries or have additional information should share it with the NSA.
The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.