Royal ransomware group actively exploiting Citrix vulnerability

Jan 13, 2023

At-Bay cyber research team believes the Royal ransomware group is actively exploiting critical Citrix system security flaw CVE-2022-27510.


The Royal ransomware group is believed to be actively exploiting a critical security flaw affecting Citrix systems, according to the cyber research team at cyber insurance provider At-Bay. The vulnerability, identified as CVE-2022-27510 and announced by Citrix on November 8, 2022, is an authentication bypass affecting two Citrix products, the Application Delivery Controller (ADC) and Gateway. Citrix's bulletin notes that an appliance is exposed only when it is configured as a VPN (Gateway).

There were no known instances of the vulnerability being exploited in the wild at the time of disclosure. However, as of the first week of 2023, At-Bay’s cyber researchers claimed new information suggests the Royal ransomware group is now actively exploiting it. Royal, which is considered one of the more sophisticated ransomware groups, emerged in January 2022 and was particularly active in the second half of that year.

How the Royal ransomware group exploits CVE-2022-27510

As soon as the Citrix vulnerability was published, the At-Bay cyber research team began assessing the magnitude of the risk and identifying businesses that might be exposed, wrote Adi Dror, At-Bay cyber researcher, in a report. “Data from our scans, information gleaned from claims data, and other intelligence gathered by our cyber research team point to the Citrix vulnerability CVE-2022-27510 as the initial point of access utilized by the Royal ransomware group to launch a recent ransomware attack,” she added.

The suspected exploitation method of the Citrix vulnerability by the Royal ransomware group is in line with the exploitation of similar vulnerabilities seen in the past, Dror continued. It appears Royal is exploiting this authentication bypass vulnerability in Citrix products to gain unauthorized access to devices with Citrix ADC or Citrix Gateway and launch ransomware attacks. “Exploiting vulnerabilities in servers is one of the most common attack vectors for ransomware groups – especially critical infrastructure servers like those provided by Citrix. However, what sets this instance apart is that the ransomware group is using the Citrix vulnerability before there is a public exploit.”

The following versions of the Citrix ADC and Citrix Gateway are affected by CVE-2022-27510, according to Dror:

Product                               Affected versions     Fixed versions
Citrix ADC and Citrix Gateway 13.1    Before 13.1-33.47     13.1-33.47 and later
Citrix ADC and Citrix Gateway 13.0    Before 13.0-88.12     13.0-88.12 and later
Citrix ADC and Citrix Gateway 12.1    Before 12.1-65.21     12.1-65.21 and later
Citrix ADC 12.1-FIPS                  Before 12.1-55.289    12.1-55.289 and later

Businesses using any of the affected Citrix products are urged to patch the vulnerable software and follow the mitigation methods recommended by Citrix. “Even for clients who have not received a Security Alert, it’s important for them to check if they’re running vulnerable products and patch immediately,” Dror stated.
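One way to carry out that check across an appliance inventory, as an added example rather than At-Bay's or Citrix's own tooling: the script below encodes the fixed builds from the table above and classifies each version string as vulnerable, fixed, or outside the table (for example an end-of-life 12.0 train, which the bulletin does not cover and which should be treated as unsupported rather than safe). It accepts both the bulletin notation ("13.1-33.47") and a banner modelled on the first line of `show ns version` on the appliance. The host names and builds in SAMPLE_INVENTORY are constructed for illustration, and whether a 12.1 appliance is the FIPS variant is supplied by the operator rather than inferred from the version line.

```python
import re
from typing import Dict, FrozenSet, Optional, Tuple

# First fixed build per release train for CVE-2022-27510, taken from the
# table above. Any build numerically below the listed one is affected.
FIXED_BUILDS: Dict[str, Tuple[int, int]] = {
    "13.1": (33, 47),
    "13.0": (88, 12),
    "12.1": (65, 21),
    "12.1-FIPS": (55, 289),
}

# Matches either "13.1-33.47" (bulletin notation) or a banner such as
# "NetScaler NS13.1: Build 33.47.nc, Date: ..." (modelled on `show ns version`).
_VERSION_RE = re.compile(
    r"(?:NS)?(?P<train>\d+\.\d+)[:\-\s]+(?:Build\s+)?(?P<build>\d+\.\d+)"
)


def parse_version(text: str) -> Tuple[str, Tuple[int, int]]:
    """Return (release train, (build major, build minor)) from a version string."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor = m.group("build").split(".")
    return m.group("train"), (int(major), int(minor))


def is_vulnerable(version: str, fips: bool = False) -> Optional[bool]:
    """True if the build predates the fix, False if it is fixed, None if the
    release train is not in the table (unsupported train: verify by hand)."""
    train, build = parse_version(version)
    key = "12.1-FIPS" if (fips and train == "12.1") else train
    fixed = FIXED_BUILDS.get(key)
    if fixed is None:
        return None
    # Tuple comparison handles e.g. (32, 99) < (33, 47) correctly.
    return build < fixed


# Constructed sample inventory (hypothetical hosts, not real appliances).
SAMPLE_INVENTORY: Dict[str, str] = {
    "gw-dc1": "NetScaler NS13.1: Build 33.47.nc, Date: Nov 3 2022, 10:38:19   (64-bit)",
    "gw-dc2": "NetScaler NS13.0: Build 87.9.nc, Date: Sep 12 2022, 11:06:55   (64-bit)",
    "gw-fips": "NetScaler NS12.1: Build 55.282.nc, Date: Aug 1 2022, 09:00:00   (64-bit)",
    "gw-legacy": "NetScaler NS12.0: Build 63.21.nc, Date: Jun 1 2021, 09:00:00   (64-bit)",
}

VERDICTS = {
    True: "VULNERABLE - patch now",
    False: "fixed",
    None: "train not in table - treat as unsupported, verify manually",
}


def triage(inventory: Dict[str, str],
           fips_hosts: FrozenSet[str] = frozenset()) -> Dict[str, str]:
    """Map each host to a human-readable verdict; fips_hosts names the
    appliances known (by the operator) to run the 12.1-FIPS train."""
    return {
        host: VERDICTS[is_vulnerable(banner, fips=host in fips_hosts)]
        for host, banner in inventory.items()
    }


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY, frozenset({"gw-fips"})).items():
        print(f"{host:10s} {verdict}")
```

The comparison is done on (major, minor) build tuples rather than on strings, so a build such as 13.0-87.30 is correctly ranked below 13.0-88.12 even though "87.30" sorts after "88.12" lexically. Hosts whose train is absent from the table are deliberately not reported as fixed.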

Royal ransomware group an active, evasive threat to businesses

The Royal group significantly ramped up its operations in the closing months of 2022 and developed its own custom ransomware program that allows attackers to perform flexible and fast file encryption. “Its ransomware, which the group deploys through different TTPs, has impacted multiple organizations across the globe,” researchers from security firm Cybereason said in a recent report.

The group’s tactics bear similarities to those of Conti, prompting suspicion that it’s partly made up of former members of the infamous group that shut down in May 2022. The Royal group is known to use phishing as an initial attack vector, as well as third-party loaders such as BATLOADER and Qbot for distribution. Initial access is typically followed by the deployment of a Cobalt Strike implant for persistence and to move laterally inside the environment in preparation for dropping the ransomware payload. Royal's use of partial encryption, which encrypts only a portion of each file, also speeds up the attack and helps it evade detection.

UK Editor

Michael Hill is the UK editor of CSO Online. He has spent the past five-plus years covering various aspects of the cybersecurity industry, with particular interest in the ever-evolving role of the human-related elements of information security. A keen storyteller with a passion for the publishing process, he enjoys working creatively to produce media that has the biggest possible impact on the audience.
