Date Issued: 23 June 2025
Severity: Critical (CVSS v4 Score: 9.3)
Affected Product: Citrix NetScaler ADC / Gateway
Vulnerability ID: CVE-2025-5777
Exploitation Status: No confirmed active exploitation (as of advisory release)
Summary
Citrix has disclosed a critical vulnerability (CVE-2025-5777) affecting NetScaler ADC and Gateway appliances when configured as:
- A Gateway (VPN Virtual Server, ICA Proxy, CVPN, RDP Proxy), or
- An AAA Virtual Server.
This flaw arises from insufficient input validation, allowing unauthenticated attackers to remotely trigger out-of-bounds memory reads that can leak sensitive data from process memory, such as session tokens, cryptographic keys, PII and memory addresses.
Given its similarity to the previously exploited CitrixBleed (CVE-2023-4966), this vulnerability is considered high-risk for session hijacking and bypass of multi-factor authentication (MFA).
Technical Details
- Type: Out-of-bounds memory read
- Impact: Memory disclosure (session hijacking risk)
- Trigger: Crafted network requests to vulnerable virtual servers
- Authentication Required: No
Affected Versions
NetScaler Version        | Fixed In
14.1                     | 14.1-43.56 or later
13.1                     | 13.1-58.32 or later
13.1-FIPS / NDcPP        | 13.1-37.235 or later
12.1-FIPS (EOL)          | 12.1-55.328 or later
Note: NetScaler ADC and Gateway versions 12.1 and 13.0 are end-of-life and remain vulnerable. Organizations are strongly advised to upgrade to supported versions that address the vulnerability.
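As an added illustration of how to apply the table above across an estate (this is not Citrix's code and not part of the original bulletin), the following script classifies a NetScaler version string as fixed, vulnerable or end-of-life. It assumes the build string has the shape "NetScaler NS14.1: Build 43.56.nc" as shown by the appliance's version command; that format is an assumption and should be checked against your own appliances. FIPS/NDcPP builds are tracked separately because their fixed build numbers (for example 13.1-37.235) are lower than the non-FIPS fixed build on the same branch, so a naive numeric comparison across the two lines would misclassify them.

```python
import re

# Fixed builds taken from the advisory table, keyed by (branch, is_fips).
FIXED_BUILDS = {
    ("14.1", False): (43, 56),
    ("13.1", False): (58, 32),
    ("13.1", True): (37, 235),
    ("12.1", True): (55, 328),
}
# Branches the advisory lists as end-of-life with no fixed build available.
EOL_BRANCHES = {("12.1", False), ("13.0", False)}

# Assumed format: "NetScaler NS14.1: Build 43.56.nc, Date: ..." (hypothetical sample).
VERSION_RE = re.compile(
    r"NS(?P<branch>\d+\.\d+):\s*Build\s+(?P<major>\d+)\.(?P<minor>\d+)"
)


def parse_version(text):
    """Return (branch, (major, minor)) from a version line, e.g. ('14.1', (43, 56))."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return m.group("branch"), (int(m.group("major")), int(m.group("minor")))


def assess(text, fips=False):
    """Classify a version string as 'fixed', 'vulnerable', 'eol' or 'unknown'.

    Tuple comparison orders builds numerically (43.56 > 43.9), which a plain
    string comparison would get wrong.
    """
    branch, build = parse_version(text)
    if (branch, fips) in EOL_BRANCHES:
        return "eol"
    fixed = FIXED_BUILDS.get((branch, fips))
    if fixed is None:
        return "unknown"
    return "fixed" if build >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inventory: (version line, is_fips) pairs.
    inventory = [
        ("NetScaler NS14.1: Build 43.56.nc", False),
        ("NetScaler NS14.1: Build 43.50.nc", False),
        ("NetScaler NS13.1: Build 37.240.nc", True),
        ("NetScaler NS13.1: Build 37.240.nc", False),
        ("NetScaler NS13.0: Build 92.21.nc", False),
    ]
    for line, fips in inventory:
        print(f"{line} (fips={fips}): {assess(line, fips=fips)}")
```

Feed the script the version output collected from each node; in an HA pair or cluster every node must come back as "fixed" before the session-kill step below is meaningful.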
Risk & Impact
- Leaked memory may contain:
  - Active authentication/session tokens
  - Other sensitive user data
  - Cryptographic keys
- Attackers can use these tokens to hijack sessions and potentially bypass authentication mechanisms, including MFA.
- The vulnerability is trivial to exploit using crafted requests, and scanning for it may already be under way in the wild.
Recommended Actions
- Patch Immediately
  Upgrade all NetScaler ADC and Gateway systems to the fixed builds listed above.
- Revoke Active Sessions Post-Upgrade
  Once every NetScaler appliance in the HA pair or cluster is running a fixed build, terminate all active ICA and PCoIP sessions by running the following commands on the NetScaler CLI:
  kill icaconnection -all
  kill pcoipConnection -all
  Repeat this on all nodes in HA or clustered deployments.
- Monitor & Hunt
  - Review NetScaler logs for anomalous Gateway or AAA activity.
  - Monitor for brute-force or malformed requests to /vpn/ or /aaa/ endpoints.
  - Scan externally accessible appliances for signs of unauthorized access.
- Consider Additional Hardening
  - Enforce reauthentication or token rotation where possible.
  - Use a Web Application Firewall (WAF) or IDS/IPS to detect exploit attempts.
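The "Monitor & Hunt" step above is the kind of check that is easiest to explain with a small log-hunting script, so one is added here as an example (it is not part of the bulletin and not a Citrix tool). It reads access-log lines in Common Log Format, which is an assumption; the sample lines are constructed and use documentation IP ranges, and the /vpn/ and /aaa/ paths are the only endpoint knowledge it relies on. It raises two kinds of findings: a high rate of requests from one source to the watched endpoints within a sliding window (the brute-force signal), and structurally malformed request lines to those endpoints (unexpected method, control or non-ASCII bytes in the target, or a "%" that is not followed by two hex digits).

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample access log (Common Log Format is assumed).
SAMPLE_LOG = """\
203.0.113.10 - - [23/Jun/2025:10:00:01 +0000] "GET /vpn/index.html HTTP/1.1" 200 1843
203.0.113.10 - - [23/Jun/2025:10:00:03 +0000] "POST /vpn/login HTTP/1.1" 302 0
198.51.100.7 - - [23/Jun/2025:10:00:05 +0000] "POST /aaa/login HTTP/1.1" 200 90
198.51.100.7 - - [23/Jun/2025:10:00:06 +0000] "POST /aaa/login HTTP/1.1" 200 90
198.51.100.7 - - [23/Jun/2025:10:00:07 +0000] "POST /aaa/login HTTP/1.1" 200 90
198.51.100.7 - - [23/Jun/2025:10:00:08 +0000] "POST /aaa/login HTTP/1.1" 200 90
198.51.100.7 - - [23/Jun/2025:10:00:09 +0000] "POST /aaa/login HTTP/1.1" 200 90
192.0.2.44 - - [23/Jun/2025:10:01:00 +0000] "POST /vpn/login?x=%ZZ HTTP/1.1" 200 4096
192.0.2.44 - - [23/Jun/2025:10:01:02 +0000] "TRACE /aaa/login HTTP/1.1" 405 0
203.0.113.10 - - [23/Jun/2025:10:02:00 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 2200
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)
WATCHED_PREFIXES = ("/vpn/", "/aaa/")   # endpoints named in the advisory
ALLOWED_METHODS = {"GET", "POST", "HEAD"}
BAD_PERCENT_RE = re.compile(r"%(?![0-9A-Fa-f]{2})")  # '%' not followed by two hex digits


def parse_line(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "req": m.group("req"),
            "status": int(m.group("status"))}


def target_path(req):
    """Path component of the request target, ignoring the query string."""
    parts = req.split(" ")
    return urlsplit(parts[1]).path if len(parts) >= 2 else ""


def is_malformed(req):
    """Structural checks on the request line; True means 'worth a look'."""
    parts = req.split(" ")
    if len(parts) != 3:
        return True
    method, target, proto = parts
    if method not in ALLOWED_METHODS or not proto.startswith("HTTP/"):
        return True
    if any(ord(c) < 0x20 or ord(c) > 0x7E for c in target):
        return True
    return bool(BAD_PERCENT_RE.search(target))


def hunt(log_text, rate_threshold=5, window_seconds=60):
    """Return a list of (kind, source_ip, detail) findings for watched endpoints."""
    findings = []
    per_ip = defaultdict(list)  # source ip -> timestamps of watched requests
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            findings.append(("unparseable", None, line))
            continue
        if not target_path(rec["req"]).startswith(WATCHED_PREFIXES):
            continue
        if is_malformed(rec["req"]):
            findings.append(("malformed", rec["ip"], rec["req"]))
        per_ip[rec["ip"]].append(rec["ts"])
    # Sliding window: flag a source once it reaches rate_threshold requests
    # to watched endpoints within window_seconds.
    for ip, stamps in per_ip.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while (ts - stamps[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= rate_threshold:
                findings.append(("high_rate", ip,
                                 f"{end - start + 1} watched requests in {window_seconds}s"))
                break
    return findings


if __name__ == "__main__":
    for kind, ip, detail in hunt(SAMPLE_LOG):
        print(f"{kind:10} {ip or '-':15} {detail}")
```

Tune rate_threshold and window_seconds to the normal login volume of the Gateway or AAA virtual server; the malformed checks are deliberately conservative structural tests so that WAF or IDS signatures for this CVE can be layered on top without the two overlapping.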
If you are worried about any of the threats outlined in this bulletin, or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager or get in touch to find out how you can protect your organisation.