
Royal ransomware group actively exploiting Citrix vulnerability

The Royal ransomware group is believed to be actively exploiting a critical security flaw affecting Citrix systems, according to the cyber research team at cyber insurance provider At-Bay. Announced by Citrix on November 8, 2022, the vulnerability, identified as CVE-2022-27510, allows for the potential bypass of authentication measures on two Citrix products: the Application Delivery Controller (ADC) and Gateway.

There were no known instances of the vulnerability being exploited in the wild at the time of disclosure. However, as of the first week of 2023, At-Bay’s cyber researchers claimed new information suggests the Royal ransomware group is now actively exploiting it. Royal, which is considered one of the more sophisticated ransomware groups, emerged in January 2022 and was particularly active in the second half of last year.

How the Royal ransomware group exploits CVE-2022-27510

As soon as the Citrix vulnerability was published, the At-Bay cyber research team began assessing the magnitude of the risk and identifying businesses that might be exposed, wrote Adi Dror, At-Bay cyber data analyst, in a report. “Data from our scans, information gleaned from claims data, and other intelligence gathered by our cyber research team point to the Citrix vulnerability CVE-2022-27510 as the initial point of access utilized by the Royal ransomware group to launch a recent ransomware attack,” he added.

Royal's suspected method of exploiting the Citrix vulnerability is consistent with how similar vulnerabilities have been exploited in the past, Dror continued. It appears Royal is exploiting this authentication bypass vulnerability in Citrix products to gain unauthorized access to devices running Citrix ADC or Citrix Gateway and then launch ransomware attacks. “Exploiting vulnerabilities in servers is one of the most common attack vectors for ransomware groups – especially critical infrastructure servers like those provided by Citrix. However, what sets this instance apart is that the ransomware group is using the Citrix vulnerability before there is a public exploit.”

The following versions of the Citrix ADC and Citrix Gateway are affected by CVE-2022-27510, according to Dror:

Product                              | Affected Versions   | Fixed Versions
-------------------------------------|---------------------|-----------------------
Citrix ADC and Citrix Gateway 13.1   | Before 13.1-33.47   | 13.1-33.47 and later
Citrix ADC and Citrix Gateway 13.0   | Before 13.0-88.12   | 13.0-88.12 and later
Citrix ADC and Citrix Gateway 12.1   | Before 12.1-65.21   | 12.1-65.21 and later
Citrix ADC 12.1-FIPS                 | Before 12.1-55.289  | 12.1-55.289 and later

Businesses using any of the affected Citrix products are urged to patch the vulnerable software and follow the mitigation methods recommended by Citrix. “Even for clients who have not received a Security Alert, it’s important for them to check if they’re running vulnerable products and patch immediately,” Dror stated.
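To make the "check if they're running vulnerable products" step concrete, here is a small version-triage helper added for this article (it is not At-Bay's or Citrix's code). It encodes the fixed builds from the table above and classifies an inventory of version strings; the "NS13.1: Build 33.47.nc" input form is assumed to match the appliance's `show ns version` output, and all hostnames and versions in the sample inventory are constructed.

```python
import re

# Fixed builds per release branch, taken from the advisory table above for
# CVE-2022-27510. A build numerically below the fixed build is affected.
# Key: (release branch, is_fips_build). Citrix ADC 12.1-FIPS is a separate branch.
FIXED_BUILDS = {
    ("13.1", False): (33, 47),
    ("13.0", False): (88, 12),
    ("12.1", False): (65, 21),
    ("12.1", True): (55, 289),
}

# Accepts the "13.1-33.47" form used in the table and the "NS13.1: Build 33.47.nc"
# form (assumed to match `show ns version` output; the ".nc" suffix is ignored).
VERSION_RE = re.compile(
    r"(?:NS)?(?P<branch>\d+\.\d+)(?:-|:\s*Build\s+)(?P<build>\d+)\.(?P<sub>\d+)"
)

def parse_version(text):
    """Return (branch, (build, sub), is_fips). FIPS builds must carry 'FIPS' in the
    string, otherwise they are compared against the wrong (non-FIPS) threshold."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised Citrix version string: {text!r}")
    is_fips = "FIPS" in text.upper()
    return m.group("branch"), (int(m.group("build")), int(m.group("sub"))), is_fips

def assess(text):
    """Classify one version string as 'affected', 'fixed' or 'unknown'."""
    branch, build, is_fips = parse_version(text)
    fixed = FIXED_BUILDS.get((branch, is_fips))
    if fixed is None:
        return "unknown"  # branch not in the table (e.g. end-of-life); check the vendor bulletin
    return "affected" if build < fixed else "fixed"

def triage(inventory):
    """Map hostname -> status for a {host: version string} inventory."""
    return {host: assess(ver) for host, ver in inventory.items()}

# Constructed sample inventory: hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = {
    "gw-dc1": "NetScaler NS13.1: Build 33.47.nc, Date: Nov 8 2022",
    "gw-dc2": "NetScaler NS13.0: Build 87.9.nc, Date: Aug 1 2022",
    "adc-lab": "12.1-55.210 FIPS",
    "adc-old": "NS12.0: Build 63.21.nc",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```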

Copyright © 2023 IDG Communications, Inc.
