Security Announcement:

Citrix ADC and Citrix Gateway Vulnerability (CVE-2022-27509)
Malicious Website Redirects

July 27, 2022

What are the Security Issues?

A vulnerability has been discovered in Citrix ADC and Citrix Gateway which enables an attacker to create a specially crafted URL that redirects to a malicious website.

This vulnerability has the following identifier:

CVE-ID:         CVE-2022-27509
Description:    Unauthenticated redirection to a malicious website
CWE:            CWE-345: Insufficient Verification of Data Authenticity
Pre-conditions: Appliance must be configured as a VPN (Gateway) or AAA virtual server; a victim user must use an attacker-crafted link

Which Products or Versions are Impacted?

Citrix recommends that affected customers install the relevant updated versions of Citrix ADC or Citrix Gateway as soon as possible:

  • Citrix ADC and Citrix Gateway 13.1-24.38 and later releases of 13.1
  • Citrix ADC and Citrix Gateway 13.0-86.17 and later releases of 13.0
  • Citrix ADC and Citrix Gateway 12.1-65.15 and later releases of 12.1
  • Citrix ADC 12.1-FIPS 12.1-55.282 and later releases of 12.1-FIPS
  • Citrix ADC 12.1-NDcPP 12.1-55.282 and later releases of 12.1-NDcPP
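The two facts a defender needs from this bulletin are the pre-condition (a VPN or AAA virtual server is configured) and the fixed build for each release branch. The script below is an added example, not Citrix's or Cornerstone.IT's code: it takes the fixed builds straight from the list above, parses a build string either in the "13.0-85.19" form used in the bulletin or from a "show version" banner (the banner format "NetScaler NS13.0: Build 85.19.nc" is assumed here), and scans an ns.conf for `add vpn vserver` / `add authentication vserver` lines to decide whether the pre-condition is met. The sample config is constructed, and the FIPS/NDcPP edition is passed as a separate argument because the bare build number does not distinguish those editions from standard 12.1.

```python
import re

# Fixed builds from the bulletin, keyed by (release branch, edition).
# Edition "" is the standard build; "FIPS" and "NDcPP" share a fixed build.
FIXED_BUILDS = {
    ("13.1", ""): (24, 38),
    ("13.0", ""): (86, 17),
    ("12.1", ""): (65, 15),
    ("12.1", "FIPS"): (55, 282),
    ("12.1", "NDcPP"): (55, 282),
}

# Matches "13.0-85.19" or an assumed banner "NetScaler NS13.0: Build 85.19.nc".
_VERSION_RE = re.compile(r"(?:NS)?(\d+\.\d+)(?:-|:\s*Build\s+)(\d+)\.(\d+)")

# Constructed sample config (not from a real appliance): one plain load
# balancer plus one Gateway vserver, which meets the bulletin's pre-condition.
SAMPLE_NS_CONF = """\
add lb vserver web_lb HTTP 10.0.0.10 80
add vpn vserver gw_vs SSL 10.0.0.20 443
"""


def parse_version(text):
    """Return (branch, (build_major, build_minor)) from a version string."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def is_fixed(version_text, edition=""):
    """True if the build is at or after the fixed build for its branch,
    False if it is earlier, None if the branch is not in the bulletin."""
    branch, build = parse_version(version_text)
    fixed = FIXED_BUILDS.get((branch, edition))
    if fixed is None:
        return None
    # Tuple comparison handles 55.282 vs 65.15 correctly (no string compare).
    return build >= fixed


def has_vulnerable_vserver(ns_conf):
    """True if the config defines a VPN (Gateway) or AAA virtual server."""
    pattern = re.compile(r"^\s*add (vpn|authentication) vserver\b", re.IGNORECASE)
    return any(pattern.match(line) for line in ns_conf.splitlines())


def assess(version_text, ns_conf, edition=""):
    """Combine build check and pre-condition check into one verdict."""
    fixed = is_fixed(version_text, edition)
    if fixed is None:
        return "unknown"
    if fixed:
        return "patched"
    return "vulnerable" if has_vulnerable_vserver(ns_conf) else "unpatched-not-exposed"


if __name__ == "__main__":
    for build in ("13.0-85.19", "13.0-86.17", "NetScaler NS13.1: Build 24.38.nc"):
        print(f"{build:45s} -> {assess(build, SAMPLE_NS_CONF)}")
    print(f"{'12.1-55.282 (FIPS)':45s} -> {assess('12.1-55.282', SAMPLE_NS_CONF, 'FIPS')}")
    print(f"{'12.1-55.282 (standard)':45s} -> {assess('12.1-55.282', SAMPLE_NS_CONF)}")
```

An appliance whose build is below the fixed build but whose config has no Gateway or AAA vserver is reported as "unpatched-not-exposed": it still needs the update, but the redirect described in this bulletin does not apply to it as configured.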

What do Citrix customers need to do?

Note: Customers who have previously copied the httpd.conf file to the /nsconfig directory must follow the steps at URL to ensure this security update is correctly installed.

Contact Cornerstone.IT with any questions or assistance regarding this update.
Reference

Citrix ADC and Citrix Gateway Security Bulletin for CVE-2022-27509

Cornerstone.IT