Citrix ADM Incident; 3 Lessons Industry can Learn


Sanjay Yadav

June 24, 2022

A critical vulnerability in Citrix's Application Delivery Management (ADM) technology was reported & patched this week. 

Tracked as CVE-2022-27511, the vulnerability could, according to Citrix, enable remote attackers to reset admin passwords if left unattended. (reference: Citrix ADM vulnerability)


Citrix ADM is a virtual appliance that provides a centralized management solution. It simplifies operations by giving administrators enterprise-wide visibility and automating management jobs that run across multiple instances.

Citrix ADM is known to ship with a built-in admin account, nsroot, with the default credentials nsroot (reflecting its NetScaler legacy).

As a best practice, admins change the default passwords to restrict unauthorised access.

Image Source - Citrix Documents

Citrix has documented various means to restore the default admin password by resetting the ADM node.

By exploiting the CVE-2022-27511 vulnerability, an adversary can force Citrix ADM to restore the nsroot account's default credentials, as a recovery measure from system corruption, on the very next reboot.

The Problem

From network gear and management consoles to virtual appliances, we have seen all kinds of systems shipped with a root account with default credentials.

We have also witnessed that the system restore option restores the default credentials even if admins have changed them for security reasons.

This has been standard industry practice for ages. With more options for authentication and an evolving threat landscape, it is time the industry also evolved and changed factory-default restores to support more secure (or harder to exploit) options.

Here are a few learnings from such incidents that we can draw on to better secure our systems.

Lesson 1 : Restrict Remote Access by Default

By default, remote access to the admin accounts of devices and appliances should be restricted, since restoration of default credentials at any time will make the system vulnerable to unauthorised access.

Disabling remote access as part of the default settings applied when default passwords are restored greatly restricts the possibility of exploitation by a remote or external threat actor.

We see this commonly in Ubuntu, a Debian-based system.

Extracts from the /etc/ssh/sshd_config file on Ubuntu 22.4
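
As an added illustration of Lesson 1 (not from the original article or from Citrix), the Python script below audits the text of an sshd_config file for the two settings that matter if a root password ever falls back to a default: whether root can log in remotely and whether passwords are accepted at all. The sample configurations are constructed, and the fallback values are assumed to be OpenSSH's upstream defaults.

```python
# Added example: audit sshd_config text for remote root and password logins.
# Assumption: keywords absent from the file fall back to OpenSSH upstream defaults.
DEFAULTS = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes"}

def parse(config_text):
    """Return (global settings, settings found inside Match blocks)."""
    global_cfg, match_cfg, in_match = {}, [], False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        fields = line.replace("=", " ", 1).split()  # accept "Key value" and "Key=value"
        key = fields[0].lower()
        value = fields[1].strip('"').lower() if len(fields) > 1 else ""
        if key == "match":
            in_match = True  # everything after this line is a conditional override
        elif in_match:
            match_cfg.append((key, value))
        else:
            global_cfg.setdefault(key, value)  # sshd keeps the first value it reads
    return {**DEFAULTS, **global_cfg}, match_cfg

def audit(config_text):
    """List settings that leave an account exposed if its password is reset."""
    cfg, match_cfg = parse(config_text)
    issues = []
    if cfg["permitrootlogin"] == "yes":
        issues.append("root may log in remotely with any enabled method")
    if cfg["passwordauthentication"] == "yes":
        issues.append("password authentication is enabled")
    for key, value in match_cfg:
        if key in DEFAULTS and value == "yes":
            issues.append(f"Match block re-enables {key}")
    return issues

# Constructed samples, not taken from any real system.
RESET_STATE = "PermitRootLogin yes\nPasswordAuthentication yes\n"
HARDENED = "PermitRootLogin no\nPasswordAuthentication no\nPermitRootLogin yes\n"
OVERRIDE = HARDENED + "Match Address 192.0.2.0/24\n    PasswordAuthentication yes\n"

if __name__ == "__main__":
    for name, text in [("reset", RESET_STATE), ("hardened", HARDENED), ("override", OVERRIDE)]:
        print(name, audit(text) or "ok")
```

The script does not follow Include directives; on a live host, `sshd -T` prints the effective configuration, which can be passed to the same check.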

Lesson 2 : Federate Authentication

It's always better to maintain credentials at a centralised location. This consolidates and optimises the effort to securely manage and protect them. It also reduces or eliminates the need to restore the default credentials of devices.

The downside is that the centralised credential store becomes a single point of failure for all the systems and appliances in your network. This leads to our third and final learning.

Lesson 3 : Eliminate Passwords

Moving away from password-based authentication drastically reduces the attack surface of any enterprise. You can choose PKI / certificate-based authentication for better security.

Adopting passwordless authentication goes a long way in protecting your systems from unseen future vulnerabilities that might be triggered by the use of passwords or default credentials.

PureAUTH Identity and Trust Platform

The Citrix ADM incident, CVE-2022-27511, is another example of the risks associated with passwords. Eliminating passwords using a true passwordless solution like PureAUTH protects organisations from future, unforeseen vulnerabilities.

To learn more about how PureAUTH is used by various organisations to secure access to their assets and Build Trust in all relevant user actions, schedule a demo with us.
