RCE vulnerabilities were discovered in TP-Link and NetComm routers.
23-01-2023, 12:28
Thousands of Citrix ADC and Gateway servers remain exposed to two major vulnerabilities that were fixed recently.
The first, CVE-2022-27510, was fixed on November 8 and is an authentication bypass affecting both Citrix products.
An attacker can use it to gain unauthorized access to a device, hijack a remote desktop, or bypass security to log in.
The second bug, tracked as CVE-2022-27518, was disclosed and fixed on December 13. It allows unauthorized attackers to remotely execute commands on vulnerable devices and gain control over them.
Attackers were already actively exploiting it when Citrix released the fixes.
Despite the released updates, Fox NCC Group specialists report that thousands of deployments remain vulnerable to attacks.
On November 11, 2022, Fox specialists scanned the internet and found a total of 28,000 Citrix servers online.
By comparing product versions, they found that, as of December 28, 2022, most users were running version 13.0-88.14, which is not affected by either bug.
The second most popular version, identified on 3,500 endpoints, was 12.1-65.21, which is vulnerable to CVE-2022-27518 under certain conditions.
An attack requires a SAML SP or IdP configuration on the device, which means that not all 3,500 systems were vulnerable to CVE-2022-27518.
In addition, there are more than 1,000 servers vulnerable to CVE-2022-27510, and approximately 3,000 endpoints potentially vulnerable to both critical bugs.
Third place went to deployments that return hashes with unknown Citrix version numbers. There are more than 3,500 such servers, which may or may not be affected by either vulnerability.
As for the speed of patch installation, the specialists note the prompt reaction of users in the USA, Germany, Canada, Australia and Switzerland to the publication of the relevant security advisories.
In general, Fox statistics show that many companies still have a lot of work to do to close all security gaps, while attackers still have a large enough window to plan and carry out attacks.