Updates Since Previous Bulletin
- Technical details and proof-of-concept (PoC) exploit code were publicly released by watchTowr and Horizon3 in early July.
- CVE-2025-5777 was added to CISA's Known Exploited Vulnerabilities Catalog on July 10. GreyNoise, however, reports exploitation as early as two weeks before proof-of-concept exploit code was publicly available.
- Arctic Wolf has observed ongoing suspected exploitation attempts against CVE-2025-5777 beginning shortly after the PoC exploit code was published.
- Imperva has also reported observing 11.5 million exploitation attempts, about 40% of them against the financial services industry.
- According to security researcher Kevin Beaumont, the original commands provided by Citrix to clear ICA and PCoIP connections are insufficient to fully mitigate the vulnerability on systems that were already compromised.
- RDP, AAA, and Load Balancing (LB) persistent sessions should also be terminated, as the original commands do not cover every type of session token that CVE-2025-5777 can leak. This expanded guidance aligns with the recommendations for the original Citrix Bleed vulnerability (CVE-2023-4966).
Summary
In late June 2025, Arctic Wolf issued a security bulletin addressing CVE-2025-5777, a critical out-of-bounds read vulnerability in Citrix NetScaler ADC and NetScaler Gateway disclosed by Citrix. The vulnerability affects NetScaler appliances configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server.
Although there were initial inconsistencies between the NIST National Vulnerability Database (NVD) entry and the Citrix advisory, Citrix has since clarified that the NVD description, specifically the claim that the vulnerability affects the NetScaler Management Interface, was inaccurate, and confirmed that its own advisory is the authoritative description of scope.
Because of its close similarity to Citrix Bleed (CVE-2023-4966), a critical information disclosure vulnerability disclosed in 2023, this vulnerability has been labelled "Citrix Bleed 2" in open-source reporting. With exploitation confirmed in the wild and proof-of-concept exploit code now public, CVE-2025-5777 is very likely to attract further threat actor attention.
Arctic Wolf has assessed our own environment for impact from this vulnerability and has determined that we are not affected.
Recommendations
Upgrade to Latest Fixed Version
Arctic Wolf strongly recommends that customers upgrade to the latest fixed version to mitigate CVE-2025-5777.
Product | Affected Version | Fixed Version |
NetScaler Gateway | | |
NetScaler ADC | | |
Please follow your organisation’s patching and testing guidelines to minimise potential operational impact.
Note:
- NetScaler ADC and NetScaler Gateway versions 12.1 and 13.0 are End Of Life (EOL) and remain vulnerable; no fix will be provided for them. Secure Private Access on-prem and Secure Private Access Hybrid deployments that use NetScaler instances are also affected by this vulnerability.
- Citrix has stated that only customer-managed NetScaler ADC and NetScaler Gateway appliances are affected. Cloud Software Group updates Citrix-managed cloud services and Citrix-managed Adaptive Authentication to fixed versions itself.
Terminate ICA, PCoIP, RDP, AAA, and LB Persistent Sessions
In addition to Citrix's recommendation to terminate all active ICA and PCoIP sessions, Arctic Wolf advises running additional commands to terminate RDP, AAA, and Load Balancing (LB) persistent sessions once all NetScaler appliances in the HA pair or cluster have been upgraded to the fixed builds. This expanded guidance aligns with the recommendations for the original Citrix Bleed vulnerability (CVE-2023-4966).
This forcibly disconnects every existing user session that CVE-2025-5777 may have exposed, so that sessions hijacked before the upgrade are closed and the window for post-exploitation is reduced. The ordering matters: killing sessions on a build that is still vulnerable gives no lasting protection, because any session re-established afterwards can be leaked again. Run the following from the NetScaler CLI:
- kill icaconnection -all
- kill pcoipConnection -all
- kill rdp connection -all
- kill aaa session -all
- clear lb persistentSessions
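To make the "upgrade every node first, then kill sessions" sequence enforceable rather than a checklist item, the following script is an added example (not from the Arctic Wolf bulletin or from Citrix). It queries each appliance's running build, refuses to touch sessions unless every node in the pair or cluster reports the fixed build, and only then sends the five commands listed above. It assumes that SSH as an admin account (nsroot here) drops into the NetScaler CLI so a command passed to ssh runs there directly, that the operator supplies the fixed build string (the bulletin does not list version numbers, so the value is an argument), and that the host names are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not from the Arctic Wolf bulletin or from Citrix.
# Verifies every node of a NetScaler HA pair/cluster is on the fixed build
# before running the session-termination commands from the bulletin.
#
# Assumptions (not stated on the page):
#   - SSH to each appliance as an admin account lands in the NetScaler CLI,
#     so a command passed to ssh executes there directly.
#   - The operator passes the fixed build, e.g. "14.1-43.56" (hypothetical
#     value), as the first argument; the page itself lists no versions.
set -eu

NS_USER="${NS_USER:-nsroot}"

# The five commands from the bulletin, in the order given there.
session_kill_commands() {
    cat <<'EOF'
kill icaconnection -all
kill pcoipConnection -all
kill rdp connection -all
kill aaa session -all
clear lb persistentSessions
EOF
}

# Reduce the output of "show ns version" to "<branch>-<build>", e.g.
# "NetScaler NS14.1: Build 43.56.nc, Date: ..." -> "14.1-43.56".
parse_ns_version() {
    sed -n 's/.*NetScaler NS\([0-9][0-9.]*\): Build \([0-9][0-9.]*\)\.nc.*/\1-\2/p'
}

# Return 0 when the running build "$1" is on the same branch as the fixed
# build "$2" and its build number is greater than or equal to it.
# A different branch is reported as NOT fixed: the caller must look up the
# fixed build for that branch instead of guessing.
version_is_fixed() {
    local running="$1" fixed="$2"
    local rbranch="${running%%-*}" rbuild="${running#*-}"
    local fbranch="${fixed%%-*}"   fbuild="${fixed#*-}"
    [ "$rbranch" = "$fbranch" ] || return 1
    awk -v a="$rbuild" -v b="$fbuild" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        if (x[1] + 0 != y[1] + 0) exit (x[1] + 0 > y[1] + 0) ? 0 : 1
        exit (x[2] + 0 >= y[2] + 0) ? 0 : 1
    }'
}

# Ask one appliance for its running build (assumes CLI-over-SSH, see above).
ns_running_version() {
    ssh -o BatchMode=yes "${NS_USER}@$1" 'show ns version' | parse_ns_version
}

# Send the session-kill commands to one appliance.
ns_kill_sessions() {
    session_kill_commands | ssh -o BatchMode=yes "${NS_USER}@$1"
}

# main FIXED_BUILD HOST [HOST...]
# Every node is checked before any node has its sessions killed, so a
# half-upgraded pair is never "cleaned" while one side is still leaking.
main() {
    local fixed="$1"; shift
    local host ver
    for host in "$@"; do
        ver="$(ns_running_version "$host")"
        if ! version_is_fixed "$ver" "$fixed"; then
            echo "refusing: $host reports build '$ver', expected $fixed or later on that branch" >&2
            return 1
        fi
    done
    for host in "$@"; do
        echo "terminating ICA/PCoIP/RDP/AAA sessions and LB persistence on $host"
        ns_kill_sessions "$host"
    done
}

# Only contact appliances when invoked explicitly, e.g.
#   NS_RUN=1 ./ns-post-upgrade.sh 14.1-43.56 ns01.example.net ns02.example.net
if [ "${NS_RUN:-0}" = "1" ]; then
    main "$@"
fi
```

The version check deliberately treats a different release branch as "not fixed" rather than trying to compare across branches; each branch has its own fixed build, and guessing is exactly the mistake that leaves an HA peer exposed.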
References
- Citrix Advisory (CVE-2025-5777)
- CVE-2025-5777 Initial Scope Change
- CISA Adds CVE-2025-5777 to Known Exploited Vulnerabilities Catalog
- NetScaler CVE-2025-5777 Blog Post (Citrix Acknowledges Exploitation)
- watchTowr Findings
- Horizon3 Findings
- GreyNoise Observations
- Kevin Beaumont Article
- NetScaler CVE-2023-4966 Blog Post
- Arctic Wolf Original Security Bulletin (CVE-2025-5777)