Chinese Hackers Exploiting Bug in Citrix ADC Gateway Products

April 6, 2023

The NSA issued an advisory alerting companies to a Chinese hacking group exploiting a critical bug in Citrix ADC Gateway products. The vulnerability allows attackers to circumvent authentication controls and gain access to victims’ systems without credentials.

Citrix issued an emergency patch Tuesday to address the vulnerability, which it identified as CVE-2022-27518. According to the company, only limited exploits of this flaw have been reported.

CVE-2022-27518

Chinese state-backed hacking group APT5 is taking advantage of a bug in Citrix ADC Gateway products to steal sensitive data, disrupt operations and distribute ransomware. The National Security Agency (NSA) has issued threat hunting guidance for detecting and preventing this activity.

Citrix issued a warning Tuesday regarding CVE-2022-27518, a zero-day vulnerability that could allow an unauthenticated attacker to execute arbitrary code on appliances configured as a SAML service provider or identity provider (SAML SP or IdP). With a CVSS score of 9.8, the vulnerability is rated Critical.

Citrix reported on Tuesday that it is aware of a limited number of targeted attacks using this vulnerability, but is still working to identify all impacted systems and protect them from further attacks. Citrix released an emergency patch on Tuesday that fixes the flaw.

CVE-2019-19781

Citrix recently issued an emergency patch to address a critical vulnerability (CVE-2019-19781) in its Citrix ADC and Gateway products that can be exploited by an attacker to gain remote code execution on vulnerable servers. According to Citrix, this vulnerability is being actively exploited by threat actors and may lead to the theft of sensitive data.

This vulnerability affects Citrix ADC and Gateway Virtual Appliances hosted on any of the following platforms: Citrix Hypervisor, ESX, KVM, Azure, AWS or GCP. It also impacts Citrix Virtual Apps and Desktops products.

Security researchers at FireEye have recently observed an unusual pattern in exploit attempts against Citrix ADC and Gateway hosts. These included opportunistic scanning and exploitation, as well as cleaning up previous malware infections and installing a backdoor called NOTROBIN on the compromised hosts. The attacks went undetected by conventional sandbox techniques and relied on the attacker’s ability to craft opportunistic attack traffic that bypassed web application firewalls and other protections.

CVE-2019-19782

The NSA has warned that Chinese hackers are exploiting a critical flaw in Citrix ADC Gateway products to gain access to systems. The vulnerability, CVE-2019-19782, allows an unauthenticated attacker to remotely execute code without needing to steal passwords.

Citrix issued an emergency patch for the flaw on Monday, urging customers to install it immediately. It also noted that there have been a few targeted attacks using this issue in the wild.

Citrix did not disclose how many users have been affected by this bug or provide further details about attribution, but it acknowledged that APT5 has been targeting its product in recent attacks. NSA and CISA released an advisory Tuesday detailing recent attacks carried out by APT5, a group that has been linked to Chinese interests since 2007.

The NSA recommends that organizations move all Citrix ADC appliances behind a VPN that requires user authentication before access, ideally one using standardized protocols. Doing so would mitigate zero-day attacks by making it harder for malicious actors to reach and compromise these devices.

CVE-2019-19783

The National Security Agency recently warned that a Chinese hacking group is exploiting a vulnerability in Citrix ADC Gateway products, tracked as CVE-2019-19783. This vulnerability allows an unauthenticated attacker to perform arbitrary code execution.

NSA recently confirmed that APT5, also known as UNC2630 or MANGANESE, is targeting Citrix ADC deployments with this flaw. To prevent attacks, corporate defenders were advised to move Citrix ADC instances behind a VPN or implement multi-factor authentication.

In addition to the zero-day exploit, NSA reported that hackers are also exploiting a recently patched Exim Mail Transfer Agent (MTA) vulnerability in Russia to attack government organizations. It serves as a reminder that while many organizations focus on innovation and new technologies, Internet-facing services such as SMTP remain vulnerable.

CVE-2019-19784

The National Security Agency is warning of an urgent zero-day vulnerability in Citrix ADC Gateway products being exploited by Chinese hackers. This flaw, tracked as CVE-2019-19784, allows remote code execution without authentication.

According to the NSA, attackers linked to Chinese groups have been targeting several flaws in Citrix ADC.

Administrators should make sure their Citrix ADC, as well as other Citrix software, is up to date. Furthermore, the National Security Agency (NSA) suggests isolating Citrix ADC appliances from networks in order to protect against malicious activity.

Another critical issue defenders should watch for is an RCE bug in F5 BIG-IP proxy/load balancer devices (CVE-2020-5902). Although this vulnerability was patched by the company last June, foreign adversaries have been exploiting it in the wild. This flaw allows attackers to intercept, redirect and decrypt web traffic with ease.

CVE-2019-19785

The National Security Agency (NSA) has observed Chinese hacking group APT5 using a zero-day vulnerability in Citrix ADC Gateway products to breach networks, the agency warns. The attack has so far been observed only in “limited” instances, according to the security firm.

The NSA notes that APT5, also known as Manganese, has been active since at least 2007. It is believed to be working on behalf of China’s military and government.

Citrix ADC attacks have recently leveraged an unauthenticated remote code execution vulnerability, CVE-2019-19785, that can be exploited to access an ADC’s internal network and control devices.

Citrix customers were advised by both NSA and CISA to patch their software immediately. Citrix further recommended that users move their ADCs behind a VPN and implement multi-factor authentication to further mitigate this vulnerability.

CVE-2019-19786

NSA warns that a state-backed Chinese hacking collective is taking advantage of an important vulnerability in Citrix ADC Gateway products to gain access to networks. Despite patches issued by Citrix in December last year, public proof-of-concept exploit code has already surfaced.

Citrix has issued a patch to address CVE-2019-19786, which could allow an attacker to execute malicious software on a device. It urges affected customers to upgrade their systems immediately in order to take advantage of this fix.

Today, the NSA issued another security advisory regarding active exploitation by APT5 (also known as Manganese) of Citrix ADC and Gateway devices. While lacking in specifics, the advisory lists indicators of compromise and YARA signatures to help defenders locate compromised systems.

CVE-2019-19787

On Tuesday, the National Security Agency and Citrix released an advisory alerting companies to Chinese hackers exploiting a zero-day vulnerability in Citrix Application Delivery Controller (ADC) Gateway products. If successfully exploited, this flaw could allow an attacker to circumvent authentication controls and execute code on the affected device.

Mandiant Security reports that APT5, commonly referred to as “Manganese,” has been targeting networks running Citrix applications since at least 2007. It is believed to be specifically targeting ADC deployments in order to gain unauthorized access without needing to steal credentials through traditional means or other cyberattacks.

On Tuesday, Citrix issued an emergency patch to address the vulnerability. However, both NSA and CISA warn that malicious actors are still exploiting it.

CVE-2019-19788

The Chinese hackers have been identified as APT5, and they are actively targeting Citrix systems with a zero-day bug. Citrix ADC Gateway products are affected, prompting a warning from the US National Security Agency (NSA), whose advisory states that APT5 is actively exploiting Citrix systems.

According to the NSA, APT5 has been engaged in cyberattacks against telecommunications and technology companies since 2007. They have used vulnerabilities found in FortiOS SSL-VPN and Pulse Secure VPN servers as part of their attacks.

Citrix issued a patch for this vulnerability on Tuesday and has urged affected customers to upgrade immediately. The vulnerability, identified as CVE-2022-27518, allows an attacker to bypass authentication in order to execute arbitrary code on an appliance.

CVE-2019-19789

The US National Security Agency has detected evidence of a Chinese state-backed hacking group exploiting a vulnerability in Citrix ADC Gateway products, tracked as CVE-2022-27518. The flaw allows remote code execution on vulnerable devices without credentials, giving hackers complete control over affected systems.

The vulnerability affects both the Application Delivery Controller (ADC) and the Gateway product, both of which are widely used in enterprise networks. According to NSA, APT5, which is suspected to be linked with UNC2630 and MANGANESE, is actively exploiting this flaw.

Citrix quickly released an emergency patch to address the vulnerability and is urging customers to upgrade their appliances immediately. It noted that while there have been a few attacks exploiting this flaw, the number of affected organizations remains small. Citrix declined to specify which industries are affected or how many organizations have been impacted.

Ammar Fakhruddin

ABOUT AUTHOR

Ammar brings 18 years of experience in strategic solutions and product development in Public Sector, Oil & Gas and Healthcare organizations. He loves solving complex real-world business and data problems by bringing in leading-edge solutions that are cost effective and improve customer and employee experience. At Propelex he focuses on helping businesses achieve digital excellence using Smart Data & Cybersecurity solutions.
