14 December 2022

NSA warns of Chinese hackers exploiting Citrix zero-day

A Chinese state-sponsored threat actor is actively exploiting a zero-day vulnerability in Citrix Application Delivery Controller (ADC) and Citrix Gateway appliances to compromise affected systems, the US National Security Agency (NSA) has warned.

The zero-day, tracked as CVE-2022-27518, allows an unauthenticated attacker to execute commands remotely on vulnerable appliances and take control of them. The bug affects the following versions: Citrix ADC and Citrix Gateway 13.0 before 13.0-58.32; Citrix ADC and Citrix Gateway 12.1 before 12.1-65.25; Citrix ADC 12.1-FIPS before 12.1-55.291; Citrix ADC 12.1-NDcPP before 12.1-55.291. Citrix ADC and Citrix Gateway version 13.1 is unaffected.

Note that only Citrix ADC and Citrix Gateway appliances configured as a SAML SP (service provider) or a SAML IdP (identity provider) are at risk.
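A triage helper, added here as an example and not taken from the NSA or Citrix advisories, that applies the affected-version list and the SAML SP/IdP condition above to an appliance inventory. It assumes versions are recorded in the advisory's notation ("13.0-58.31") with the FIPS/NDcPP variant kept as a separate field; the inventory rows are constructed.

```python
import re

# First fixed build per release line and product variant, from the advisory's list.
# Builds below these are vulnerable to CVE-2022-27518; 13.1 is not listed and is unaffected.
FIXED_BUILDS = {
    ("13.0", ""): (58, 32),
    ("12.1", ""): (65, 25),
    ("12.1", "FIPS"): (55, 291),
    ("12.1", "NDcPP"): (55, 291),
}

# Assumed inventory notation, e.g. "13.0-58.31": release line, then build.sub-build.
VERSION_RE = re.compile(r"^(?P<line>\d+\.\d+)-(?P<build>\d+)\.(?P<sub>\d+)$")


def parse_version(version):
    """Split '13.0-58.31' into ('13.0', (58, 31)); reject anything else."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Citrix ADC/Gateway version: {version!r}")
    return m.group("line"), (int(m.group("build")), int(m.group("sub")))


def is_vulnerable_build(version, variant=""):
    """True if the build is below the first fixed build for its line and variant."""
    line, build = parse_version(version)
    fixed = FIXED_BUILDS.get((line, variant))
    return fixed is not None and build < fixed  # unlisted lines (13.1) are unaffected


def assess(version, variant="", saml_sp=False, saml_idp=False):
    """Combine the build check with the advisory's SAML SP/IdP condition."""
    if not is_vulnerable_build(version, variant):
        return False, "build is at or above the fixed build"
    if not (saml_sp or saml_idp):
        return False, "vulnerable build, but no SAML SP/IdP configured; patch anyway"
    return True, "vulnerable build with SAML SP/IdP configured: patch immediately"


if __name__ == "__main__":
    # Constructed inventory rows: (hostname, version, variant, saml_sp, saml_idp)
    inventory = [
        ("gw-1", "13.0-58.31", "", True, False),
        ("gw-2", "13.0-58.32", "", True, False),
        ("adc-fips", "12.1-55.290", "FIPS", False, True),
        ("adc-3", "13.1-33.47", "", True, True),
    ]
    for host, ver, var, sp, idp in inventory:
        exposed, why = assess(ver, var, sp, idp)
        print(f"{host:9s} {ver:12s} {var or '-':6s} exposed={exposed} ({why})")
```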

The malicious activity has been attributed to a China-based hacker group known as APT5, UNC2630, or Manganese. Believed to have been active since at least 2007, the group is focused on telecommunications and technology companies, particularly regional telecom providers, high-tech manufacturers, firms specializing in technology with military applications, and Asia-based employees of global tech companies. It appears to be a large threat group that consists of several subgroups, often with distinct tactics and infrastructure.

“APT5 has demonstrated capabilities against Citrix Application Delivery Controller deployments (“Citrix ADCs”). Targeting Citrix ADCs can facilitate illegitimate access to targeted organizations by bypassing normal authentication controls,” the NSA said in its threat hunting guidance.

The advisory provides guidance on detecting whether a device has been exploited and recommendations for securing Citrix ADC and Gateway appliances, as well as indicators of compromise, including YARA signatures related to the attacks.
