Two critical vulnerabilities have been disclosed impacting Citrix NetScaler ADC and NetScaler Gateway products: CVE-2025-5777 and CVE-2025-6543. While both pose significant risks to enterprise infrastructure, CVE-2025-6543 is currently under active exploitation. CVE-2025-5777, dubbed “CitrixBleed 2”, is a potential follow-up to the original “CitrixBleed” (CVE-2023-4966), which was extensively exploited by ransomware gangs and other cybercriminals. Newer reports mention CVE-2025-5777 as potentially exploited in the wild as well.
Citrix NetScaler ADC (Application Delivery Controller) and NetScaler Gateway are widely deployed components in enterprise networks, providing critical functions such as load balancing, application delivery, and secure remote access (VPN, ICA Proxy).
CVE-2025-5777 is an Insufficient Input Validation vulnerability that leads to an Out-of-Bounds Read, which could allow an unauthorised attacker to read sensitive memory contents from NetScaler devices.
The vulnerability impacts NetScaler devices when configured as a Gateway (such as a VPN virtual server, ICA Proxy, CVPN, or RDP Proxy) or an AAA virtual server. This configuration is notably “an extremely common setup in large organisations”.
The primary impact is that an attacker may read session tokens or other sensitive information directly from device memory, enabling impersonation of an authenticated user and effectively bypassing multi-factor authentication (MFA) mechanisms.
Affected Products and Specific Versions
The vulnerability affects specific builds of NetScaler ADC and NetScaler Gateway. Affected versions include:
- NetScaler ADC and NetScaler Gateway 14.1 before 14.1-43.56.
- NetScaler ADC and NetScaler Gateway 13.1 before 13.1-58.32.
- NetScaler ADC 13.1-FIPS and NDcPP before 13.1-37.235.
- NetScaler ADC 12.1-FIPS before 12.1-55.328.
Additionally, Secure Private Access (SPA) on-prem or SPA Hybrid deployments utilising NetScaler instances are also impacted by this vulnerability.
Recommended Patches
Citrix (Cloud Software Group) strongly advises upgrading impacted NetScalers to builds that include the fix as soon as possible:
- NetScaler ADC and NetScaler Gateway 14.1-43.56 and later releases.
- NetScaler ADC and NetScaler Gateway 13.1-58.32 and later releases.
- NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.235 and later releases.
- NetScaler ADC 12.1-FIPS 12.1-55.328 and later releases.
Crucially, after deploying the fixed versions, organisations must execute specific commands to terminate all active ICA and PCoIP sessions.
These commands are:
kill icaconnection -all
kill pcoipConnection -all
This step is vital because, given the information-disclosure nature of CVE-2025-5777, sessions established before the patch may already have been compromised; terminating them prevents attackers from using stolen tokens to maintain persistent access and bypass MFA. For High Availability (HA) deployments, these commands should be executed on the primary (active) node, while for cluster deployments they are required on each node.
CVE-2025-6543 is categorised as a Memory Overflow vulnerability which leads to unintended control flow and ultimately a Denial of Service (DoS) condition. Similar to CVE-2025-5777, it affects NetScaler ADC and NetScaler Gateway when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or an AAA virtual server. The vulnerability stems from improper bounds checking within memory handling routines. This allows attackers to send crafted inputs that overflow internal buffers, potentially altering the application’s control flow and resulting in service termination.
Affected Products and Specific Versions
The vulnerability affects specific builds of NetScaler ADC and NetScaler Gateway. Affected versions include:
- NetScaler ADC and NetScaler Gateway 14.1 before 14.1-47.46.
- NetScaler ADC and NetScaler Gateway 13.1 before 13.1-59.19.
- NetScaler ADC 13.1-FIPS and 13.1-NDcPP before 13.1-37.236.
It is critical to note that End-of-Life (EOL) NetScaler ADC and Gateway versions 12.1 and 13.0 are also affected by this vulnerability. However, NetScaler ADC 12.1-FIPS is specifically stated as not affected by CVE-2025-6543. Secure Private Access (SPA) on-prem or SPA Hybrid deployments using NetScaler instances are also affected.
Recommended Patches and Urgent Mitigation
Citrix has released emergency patches to address this flaw. The recommended updated versions are:
- NetScaler ADC and NetScaler Gateway 14.1-47.46 and later releases.
- NetScaler ADC and NetScaler Gateway 13.1-59.19 and later releases.
- NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.236 and later releases.
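As an added example (not Citrix's own tooling), the following Python script encodes the fixed-build thresholds listed above for both CVEs so that an inventory of NetScaler build strings can be checked against them. It assumes build strings of the form `14.1-43.56` or `13.1-37.236-FIPS`; any sample versions used are constructed.

```python
import re
from typing import Optional, Tuple

# First fixed build per (branch, variant), taken from the advisory text above.
# A build is fixed when it is at or above the listed build for its branch.
FIXED_BUILDS = {
    "CVE-2025-5777": {
        ("14.1", None): (43, 56), ("13.1", None): (58, 32),
        ("13.1", "FIPS"): (37, 235), ("13.1", "NDcPP"): (37, 235),
        ("12.1", "FIPS"): (55, 328),
    },
    "CVE-2025-6543": {
        ("14.1", None): (47, 46), ("13.1", None): (59, 19),
        ("13.1", "FIPS"): (37, 236), ("13.1", "NDcPP"): (37, 236),
    },
}

# Branches the advisory calls End-of-Life for CVE-2025-6543: no fixed build
# exists, so every build on them is treated as affected.
EOL_BRANCHES_6543 = {"12.1", "13.0"}

# The advisory explicitly states 12.1-FIPS is not affected by CVE-2025-6543.
NOT_AFFECTED = {("CVE-2025-6543", ("12.1", "FIPS"))}

# Assumed string format: <branch>-<major>.<minor>[-FIPS|-NDcPP]
VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)(?:-(FIPS|NDcPP))?$")


def parse_build(version: str) -> Tuple[str, Optional[str], Tuple[int, int]]:
    """Split '13.1-37.230-FIPS' into ('13.1', 'FIPS', (37, 230))."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler build string: {version!r}")
    branch, major, minor, variant = m.groups()
    return branch, variant, (int(major), int(minor))


def is_affected(version: str, cve: str) -> Optional[bool]:
    """True if the build is below the fixed build for its branch, False if it
    is fixed or explicitly not affected, None if the advisory above does not
    cover that branch/variant for the given CVE."""
    branch, variant, build = parse_build(version)
    if (cve, (branch, variant)) in NOT_AFFECTED:
        return False
    fixed = FIXED_BUILDS[cve].get((branch, variant))
    if fixed is None:
        if cve == "CVE-2025-6543" and variant is None and branch in EOL_BRANCHES_6543:
            return True
        return None
    return build < fixed  # tuple comparison: (43, 50) < (43, 56)
```

A build that is fixed for CVE-2025-5777 (e.g. 14.1-43.56) is still affected by CVE-2025-6543, so check each CVE separately.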