Citrix released a new Critical Security Bulletin today that affects the Application Delivery Management (ADM) appliance and its agents. It does not directly affect the Application Delivery Controller (ADC) (formerly known as NetScaler). This vulnerability requires access to the management IP of the appliance, so your risk is limited provided you are not permitting access to the appliance from the internet. The preferred method is to limit your management traffic to its own subnet. This vulnerability could result in the resetting of the appliance’s password, which would then grant control of the appliance and of any ADCs that are administratively connected to it.

The fixes are to immediately limit access to the management IP address as much as possible, and then to apply the latest firmware update listed in the article linked below. Any version of the appliance prior to 13.0 is no longer supported and remains vulnerable, so please update the appliance to at least version 13.0. The appliance version and the ADC version do not need to match; ADM is backward compatible with earlier ADC firmware versions.
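The two mitigations above (restrict who can reach the management IP, and be on 13.0 or later) are both things you can check mechanically. The script below is an added example written for this post, not code from Citrix or from the bulletin. It audits a simplified, constructed list of firewall/ACL rules for any "allow" that reaches the appliance's management IP on a management port from a source outside the management subnet, and it checks an ADM version string against the 13.0 minimum. The rule format and the `MAJOR.MINOR-BUILD` version format are assumptions for illustration; adapt the parser to whatever your firewall exports.

```python
"""Audit management-plane exposure and minimum version for an ADM-style appliance.

Added example for this advisory post. The Rule format below is a constructed,
simplified representation (assumption), not any vendor's export format.
"""
import ipaddress
from dataclasses import dataclass

# Ports on which an appliance management interface is typically reached (assumption).
MGMT_PORTS = frozenset({22, 80, 443})

# Minimum supported major.minor per the bulletin summary in the post.
MIN_VERSION = (13, 0)


@dataclass(frozen=True)
class Rule:
    action: str        # "allow" or "deny"
    src: str           # source CIDR, "0.0.0.0/0" means any IPv4 source
    dst: str           # destination CIDR
    dports: tuple      # destination ports; empty tuple means all ports


def exposing_rules(rules, mgmt_ip, mgmt_subnet):
    """Return the allow rules that let a source outside mgmt_subnet reach
    mgmt_ip on a management port.

    Conservative: every matching allow is reported, even if an earlier deny
    would shadow it under first-match semantics, so review findings by hand.
    """
    ip = ipaddress.ip_address(mgmt_ip)
    mgmt_net = ipaddress.ip_network(mgmt_subnet)
    findings = []
    for rule in rules:
        if rule.action != "allow":
            continue
        if ip not in ipaddress.ip_network(rule.dst):
            continue                       # rule does not cover the management IP
        if rule.dports and not (set(rule.dports) & MGMT_PORTS):
            continue                       # only non-management ports are opened
        src_net = ipaddress.ip_network(rule.src)
        # subnet_of() is True only when every source address lies inside the
        # management subnet; anything broader (including 0.0.0.0/0) is exposure.
        if not src_net.subnet_of(mgmt_net):
            findings.append(rule)
    return findings


def needs_update(version):
    """True when an ADM version string is below the 13.0 minimum.

    Assumes the "MAJOR.MINOR-BUILD" shape (e.g. "12.1-63.22"); only the
    MAJOR.MINOR part is compared, as the post's guidance is in those terms.
    """
    major_minor = version.split("-", 1)[0]
    major, minor = (int(part) for part in major_minor.split(".")[:2])
    return (major, minor) < MIN_VERSION


# Constructed sample rule set: one management subnet, one appliance at .10 in it.
SAMPLE_RULES = [
    Rule("allow", "10.10.50.0/24", "10.10.50.10/32", (443,)),      # fine: from mgmt subnet
    Rule("allow", "0.0.0.0/0", "10.10.50.10/32", (443,)),          # exposed: any source
    Rule("allow", "0.0.0.0/0", "10.10.60.0/24", (443,)),           # other host, ignored
    Rule("allow", "192.168.1.0/24", "10.10.50.10/32", (22,)),      # exposed: user LAN to SSH
    Rule("allow", "0.0.0.0/0", "10.10.50.10/32", (8080,)),         # non-management port, ignored
    Rule("deny", "0.0.0.0/0", "10.10.50.10/32", ()),               # deny rules are not findings
]


def audit_sample():
    """Run the audit over the constructed sample and return the findings."""
    return exposing_rules(SAMPLE_RULES, "10.10.50.10", "10.10.50.0/24")


if __name__ == "__main__":
    for rule in audit_sample():
        print(f"EXPOSURE: {rule.src} -> {rule.dst} ports {rule.dports or 'all'}")
    for ver in ("12.1-63.22", "13.0-85.19", "13.1-21.53"):
        print(f"{ver}: {'update required' if needs_update(ver) else 'ok'}")
```

Run it as-is to see the two exposing rules in the constructed sample flagged; in practice, replace `SAMPLE_RULES` with rules parsed from your firewall's export and keep the management subnet as the only allowed source.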

If you need assistance in getting the problem mitigated, please contact our support desk at support@conversantgroup.com and we will make arrangements for someone to assist you.

The support article can be found here:

https://support.citrix.com/article/CTX460016/citrix-application-delivery-management-security-bulletin-for-cve202227511-and-cve202227512