On 23 June 2025, Citrix updated the scope of a previously disclosed vulnerability—CVE-2025-5777—to clarify that it affects NetScaler devices configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server. CVE-2025-5777, originally disclosed on 17 June, is a critical-severity out-of-bounds read caused by insufficient input validation. It has been labeled “Citrix Bleed 2” in open-source reporting due to its close similarity to Citrix Bleed (CVE-2023-4966), a critical information disclosure vulnerability disclosed in 2023.
The advisory also disclosed a high-severity vulnerability, CVE-2025-5349, involving improper access control on the NetScaler management interface.
Although Arctic Wolf has not observed in-the-wild exploitation of CVE-2025-5777 or identified a publicly available proof-of-concept (PoC) exploit at this time, the vulnerability is likely to attract threat actor attention due to its strong similarity to CVE-2023-4966. Several high-profile organisations, including the Industrial and Commercial Bank of China (ICBC) and Boeing, were targeted by ransomware affiliates exploiting CVE-2023-4966 in 2023.
CVE-2025-6543
Additionally, a separate critical vulnerability (CVE-2025-6543) impacting NetScaler was disclosed today. This memory overflow vulnerability can lead to unintended control flow and cause Denial of Service (DoS). Citrix has confirmed observed exploitation of this vulnerability in the wild on unmitigated appliances.
Recommendation
Upgrade to Latest Fixed Version
Arctic Wolf strongly recommends that customers upgrade to the latest fixed version.
Product | Vulnerability | Affected Version | Fixed Version |
--- | --- | --- | --- |
NetScaler Gateway | CVE-2025-5349, CVE-2025-5777 | | |
NetScaler Gateway | CVE-2025-6543 | | |
NetScaler ADC | CVE-2025-5349, CVE-2025-5777 | | |
NetScaler ADC | CVE-2025-6543 | | |
Please follow your organisation’s patching and testing guidelines to minimise potential operational impact.
For CVE-2025-5777 and CVE-2025-5349: Citrix also recommends running the following commands to terminate all active ICA and PCoIP sessions after all NetScaler appliances in the HA pair or cluster have been upgraded to the fixed builds. This will forcibly disconnect any existing user sessions using ICA or PCoIP, ensuring that potentially compromised sessions established prior to the upgrade are closed and reducing post-exploitation risk:
- kill icaconnection -all
- kill pcoipConnection -all
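One way to enforce the ordering above (session termination only after every node in the HA pair or cluster is on the fixed build), as an added shell example that is not Arctic Wolf's or Citrix's own tooling: it parses `show ns version` output from each node (the "NetScaler NSxx.y: Build a.b.nc" line format is an assumption), refuses to proceed unless all nodes report the placeholder FIXED_BUILD, and only then runs the two kill commands over SSH.

```shell
#!/bin/sh
# Added example, not Arctic Wolf's or Citrix's own tooling: gate the post-upgrade
# 'kill icaconnection -all' / 'kill pcoipConnection -all' step on every node of
# the HA pair or cluster first reporting the expected fixed build.
# FIXED_BUILD is a placeholder; take the real fixed build from the Citrix advisory.
FIXED_BUILD="${FIXED_BUILD:-14.1-XX.YY}"

# ns_build: print "<release>-<build>" (e.g. "14.1-99.99") parsed from the text of
# 'show ns version'. The "NetScaler NSxx.y: Build a.b.nc, ..." line format is assumed.
ns_build() {
    printf '%s\n' "$1" |
        sed -n 's/.*NS\([0-9][0-9]*\.[0-9][0-9]*\): Build \([0-9][0-9]*\.[0-9][0-9]*\)\.nc.*/\1-\2/p' |
        head -n 1
}

# all_on_fixed_build: $1 = expected build, remaining args = one 'show ns version'
# output per node. Succeeds only when every node reports exactly that build, so a
# half-upgraded pair (or a node whose output could not be parsed) blocks the kill step.
all_on_fixed_build() {
    expected="$1"; shift
    [ "$#" -gt 0 ] || return 1
    for out in "$@"; do
        [ "$(ns_build "$out")" = "$expected" ] || return 1
    done
    return 0
}

# terminate_sessions: run the two commands Citrix recommends on one node over SSH.
# Key-based SSH access as nsroot is an assumption of this example.
terminate_sessions() {
    ssh "nsroot@$1" 'kill icaconnection -all; kill pcoipConnection -all'
}

# main: usage  FIXED_BUILD=<fixed build> RUN_MAIN=1 ./post_upgrade.sh node1 node2 ...
main() {
    hosts="$*"
    set --
    for h in $hosts; do
        set -- "$@" "$(ssh "nsroot@$h" 'show ns version')"
    done
    if all_on_fixed_build "$FIXED_BUILD" "$@"; then
        for h in $hosts; do terminate_sessions "$h"; done
    else
        echo "not every node reports build $FIXED_BUILD; finish the upgrade first" >&2
        return 1
    fi
}

if [ "${RUN_MAIN:-0}" = 1 ]; then main "$@"; fi
```

Run it once per HA pair or cluster, listing every node; a single node still on the old build makes the script exit without touching any sessions.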
Note:
- NetScaler ADC and NetScaler Gateway versions 12.1 and 13.0 are now End Of Life (EOL) and are vulnerable. Additionally, Secure Private Access on-prem or Secure Private Access Hybrid deployments using NetScaler instances are also affected by the vulnerabilities.
- Citrix has stated that only customer-managed NetScaler ADC and NetScaler Gateways are affected by the vulnerabilities. Cloud Software Group updates the Citrix-managed cloud services and Citrix-managed Adaptive Authentication to fixed versions.