Citrix Releases Critical Security Updates for NetScaler ADC and NetScaler Gateway

Summary

Exploitation could allow attackers to read memory from NetScaler Gateway or AAA virtual server, potentially exposing sensitive information such as session tokens. CVE-2025-5777 is similar to CitrixBleed (CVE-2023-4966).  


Threat details

End-of-life (EoL) products still vulnerable

NetScaler ADC and NetScaler Gateway versions 12.1 and 13.0 are now End of Life (EoL) and are vulnerable. Organisations using EoL versions should upgrade to the latest release of supported versions as soon as possible.

Additionally, Secure Private Access on-premises or Secure Private Access Hybrid deployments using NetScaler instances are also affected by the vulnerabilities. Organisations should upgrade NetScaler to the latest release of supported versions as soon as possible. 

CVE-2025-5777 is similar to "CitrixBleed" (CVE-2023-4966)

CVE-2025-5777 could allow remote unauthenticated attackers to read memory from NetScaler Gateway or AAA virtual servers, potentially exposing sensitive information such as session tokens. Attackers could use these tokens to hijack existing sessions, allowing access into the network, bypassing authentication controls such as multi-factor authentication (MFA). 

CVE-2025-5777 is similar to "CitrixBleed" (CVE-2023-4966), for which the NHS England National CSOC published a high severity Cyber Alert CC-4392 in October 2023. CitrixBleed was heavily exploited by ransomware groups shortly after disclosure. The NHS England National CSOC assesses exploitation in the near future as highly likely.


Introduction

Citrix has released a critical security bulletin addressing two vulnerabilities affecting NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway). Citrix NetScaler is an all-in-one load balancer, web application firewall (WAF), virtual private network (VPN) gateway and SSL offloading tool for web applications.


Vulnerability Details

  • CVE-2025-5777 is an 'out-of-bounds read' vulnerability with a CVSSv4 base score of 9.3. Successful exploitation could allow a remote unauthorised attacker to read memory containing sensitive information such as session tokens. Attackers could use these tokens to hijack existing sessions, allowing access into the network, bypassing authentication controls such as multi-factor authentication (MFA). NetScaler is only vulnerable to CVE-2025-5777 when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server. 
  • CVE-2025-5349 is an 'improper access control' vulnerability with a CVSSv4 base score of 8.7. If exploited, an attacker with access to the NSIP, Cluster Management IP or local GSLB Site IP could gain unauthorised access to the NetScaler Management Interface.

Threat updates

25 Jun 2025: Escalated to High Severity
  • Title updated to reflect the critical severity.
  • Future exploitation of CVE-2025-5777 assessed as highly likely.
  • CVE-2025-5777 updated to reflect 'NetScaler Management Interface' removed from the CVE description.
  • Added 'Vulnerability Details'.
  • 'Remediation Advice' updated.

Remediation advice

Affected organisations must review Citrix Security Bulletin CTX693420 and complete the remediation steps detailed below.

Note: NetScaler ADC and NetScaler Gateway versions 12.1 and 13.0 are now End of Life (EoL) and no longer supported. Organisations using EoL versions must upgrade to the latest release of supported versions as soon as possible.


Remediation steps

Patch

Organisations must update NetScaler to one of the versions below:

  • NetScaler ADC and NetScaler Gateway 14.1-43.56 and later releases
  • NetScaler ADC and NetScaler Gateway 13.1-58.32 and later releases of 13.1
  • NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.235 and later releases of 13.1-FIPS and 13.1-NDcPP
  • NetScaler ADC 12.1-FIPS 12.1-55.328 and later releases of 12.1-FIPS

Reference: https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX693420&articleURL=NetScaler_ADC_and_NetScaler_Gateway_Security_Bulletin_for_CVE_2025_5349_and_CVE_2025_5777

Action

Organisations must run the following commands to terminate all active ICA and PCoIP sessions after all NetScaler appliances in the HA pair or cluster have been upgraded to the fixed builds:

kill icaconnection -all
kill pcoipConnection -all

Please ensure that the formatting remains intact as you copy and paste these commands.
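A defender-side check covering two points from this alert, the Gateway/AAA exposure condition under 'Vulnerability Details' and the fixed builds in the Patch step above; this is an added example, not code from the NHS alert or from Citrix. It assumes build strings in the page's "14.1-43.56" form with the FIPS/NDcPP edition supplied separately, and the ns.conf fragment it scans is constructed.

```python
"""Added example, not from the alert or Citrix: compare a NetScaler build against
the fixed builds in CTX693420 and list the vserver types that expose CVE-2025-5777."""
import re

# Fixed builds from the bulletin, keyed by (release train, edition).
# Build strings are assumed to be in the page's "14.1-43.56" form.
FIXED_BUILDS = {
    ("14.1", ""): (43, 56),
    ("13.1", ""): (58, 32),
    ("13.1", "FIPS"): (37, 235),
    ("13.1", "NDcPP"): (37, 235),
    ("12.1", "FIPS"): (55, 328),
}
EOL_TRAINS = {"12.1", "13.0"}  # no fix exists: upgrade to a supported release
BUILD_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")

def assess_build(build: str, edition: str = "") -> str:
    """Return 'fixed', 'vulnerable', 'eol' or 'unknown'. Build numbers are compared
    as integer tuples so 43.56 sorts above 9.1 (a string compare gets that wrong)."""
    m = BUILD_RE.match(build.strip())
    if not m:
        return "unknown"
    train, current = m.group(1), (int(m.group(2)), int(m.group(3)))
    fixed = FIXED_BUILDS.get((train, edition))
    if fixed is None:
        return "eol" if train in EOL_TRAINS else "unknown"
    return "fixed" if current >= fixed else "vulnerable"

# ns.conf lines that create the Gateway (vpn) and AAA (authentication) vservers
# named in the alert; other vserver types do not expose CVE-2025-5777.
EXPOSED_VSERVER_RE = re.compile(r"^add (vpn|authentication) vserver (\S+)", re.M)

def exposed_vservers(ns_conf: str) -> list:
    """Return (type, name) pairs for exposed vservers found in an ns.conf text."""
    return EXPOSED_VSERVER_RE.findall(ns_conf)

# Constructed ns.conf fragment for demonstration only.
SAMPLE_NS_CONF = """\
add lb vserver web_lb HTTP 10.0.0.10 80
add vpn vserver gw_vs SSL 10.0.0.20 443
add authentication vserver aaa_vs SSL 10.0.0.30 443
"""

if __name__ == "__main__":
    for build, edition in [("14.1-43.56", ""), ("13.1-58.31", ""), ("13.0-92.21", ""), ("13.1-37.235", "FIPS")]:
        print(build, edition or "standard", assess_build(build, edition))
    print("exposed vservers:", exposed_vservers(SAMPLE_NS_CONF))
```

An appliance reporting 'vulnerable' or 'eol' with any exposed vserver listed is in scope for both the upgrade and the session-termination step above.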


Last edited: 25 June 2025 11:54 am