Citrix released fixed builds for CVE-2022-27518 (advisory CTX474995), which affects Citrix ADC (formerly NetScaler) and Citrix Gateway 13.0 before 13.0-58.32, Citrix ADC and Citrix Gateway 12.1 before 12.1-65.25, and the Citrix ADC 12.1-FIPS and 12.1-NDcPP builds before 12.1-55.291. Version 13.1 is not affected. An appliance is vulnerable only when it is configured as a SAML service provider (SP) or SAML identity provider (IdP); on a vulnerable build with no SAML SP or IdP configuration the flaw is present but not reachable.
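The affected-version and SAML-configuration conditions above translate directly into a triage check. The following Python is an added example, not Citrix's or the advisory's own tooling: it parses the first line of the appliance's `show version` output (format "NetScaler NS13.0: Build 58.15.nc, ..."), compares the build against the fixed builds from CTX474995, and looks for the SAML SP (`add authentication samlAction`) and SAML IdP (`add authentication samlIdPProfile`) commands in the running configuration. The `flavor` argument (std, fips, ndcpp) is an assumption, since the version string alone does not say whether a 12.1 box is a FIPS or NDcPP build; the sample version strings and config lines in the usage are constructed.

```python
import re

# Fixed builds per Citrix advisory CTX474995, keyed by (major line, build flavor).
# A build below the threshold is vulnerable when a SAML SP or IdP is configured.
FIXED_BUILDS = {
    ("13.0", "std"): (58, 32),
    ("12.1", "std"): (65, 25),
    ("12.1", "fips"): (55, 291),
    ("12.1", "ndcpp"): (55, 291),
}

# Matches e.g. "NetScaler NS13.0: Build 58.15.nc, Date: Jun 6 2022, 14:21:03"
VERSION_RE = re.compile(
    r"NetScaler NS(?P<major>\d+\.\d+): Build (?P<build>\d+)\.(?P<minor>\d+)"
)

# ns.conf / "show ns runningConfig" commands that create a SAML SP or SAML IdP.
SAML_COMMANDS = (
    "add authentication samlAction",      # SAML service provider
    "add authentication samlIdPProfile",  # SAML identity provider
)


def parse_version(show_version_output):
    """Return (major, (build, minor)) from `show version` output."""
    m = VERSION_RE.search(show_version_output)
    if m is None:
        raise ValueError("unrecognised version string: %r" % show_version_output)
    return m.group("major"), (int(m.group("build")), int(m.group("minor")))


def saml_configured(config_lines):
    """True if any running-config line defines a SAML SP or IdP."""
    return any(
        line.strip().startswith(cmd) for line in config_lines for cmd in SAML_COMMANDS
    )


def assess(show_version_output, config_lines, flavor="std"):
    """Classify an appliance for CVE-2022-27518.

    Returns one of:
      "not_in_scope"             version line not listed in the advisory (e.g. 13.1)
      "patched"                  build is at or above the fixed build
      "vulnerable_build_no_saml" old build, but no SAML SP/IdP: not exploitable, patch anyway
      "vulnerable"               old build with SAML SP/IdP configured
    """
    major, build = parse_version(show_version_output)
    if major not in {m for m, _ in FIXED_BUILDS}:
        return "not_in_scope"
    threshold = FIXED_BUILDS.get((major, flavor))
    if threshold is None:
        raise ValueError("no fixed build known for %s %s" % (major, flavor))
    if build >= threshold:          # tuple comparison: (58, 15) < (58, 32)
        return "patched"
    if not saml_configured(config_lines):
        return "vulnerable_build_no_saml"
    return "vulnerable"


if __name__ == "__main__":
    # Constructed sample input, not captured from a real appliance.
    version = "NetScaler NS13.0: Build 58.15.nc, Date: Jun 6 2022, 14:21:03"
    config = [
        "add authentication samlAction sp_okta -samlIdPCertName okta_cert",
        "add authentication vserver auth_vs SSL 0.0.0.0",
    ]
    print(assess(version, config))  # vulnerable
```

Run it against the output of `show version` and `show ns runningConfig` (or a copy of ns.conf) collected from each appliance; anything that comes back "vulnerable" should be patched first, and "vulnerable_build_no_saml" appliances still need the fixed build before SAML is ever enabled.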
The vulnerability is rated critical (CVSS 3.1 base score 9.8) because an unauthenticated remote attacker can bypass authentication and execute arbitrary code on the appliance. It has been exploited in the wild: Citrix stated that it is aware of a small number of targeted attacks using this vulnerability.
The NSA published threat hunting guidance for this vulnerability (APT5: Citrix ADC Threat Hunting Guidance), covering detection and mitigation, after observing APT5, also tracked as UNC2630, exploiting it in the wild; CISA added CVE-2022-27518 to its Known Exploited Vulnerabilities catalog.
APT5 is a threat group that Mandiant has tracked since 2014 and assesses to be supported by the Chinese government. The actor has mostly focused on stealing highly sensitive data from aerospace and defense organizations in the US, Europe and Asia.