Clarification: Rapid7 updated its post at 22:54 GMT on Oct. 20 regarding the cause of the Citrix ADM vulnerability, which was CVE-2022-27512, and not CVE-2022-27511.
Research released Tuesday by Rapid7 shows that a vulnerability in the Citrix Application Delivery Management (ADM) believed to have been patched in June is not sufficient to prevent exploitation.
Tracked as CVE-2022-27512, the root cause of the vulnerabilities is not Citrix ADM, but rather the implementation of popular licensing software FLEXlm, aka FlexNet Publisher. FLEXlm allows organizations to manage and share software licenses with multiple users. An application provisioning solution, Citrix ADM relies on the FlexNet software for license management.
Digging into the issues further after Citrix released an advisory and patch, Rapid7 said it found the patch didn’t prevent exploitation and could lead to a denial of service.
“The licensing server can be told to shut down (even with the patch),” wrote Rapid7’s Ron Bowes on its blog disclosing the vulnerability.
Rapid7 coordinated disclosure of its findings with Citrix and the CERT Coordination Center, and urged IT security teams to reach out to FlexNet Publisher’s maker, Revernera, and Citrix for guidance on mitigating the vulnerabilities.
See Rapid7’s blog post for more detailed information on the vulnerability.