Critical | September 14, 2025

Citrix NetScaler Critical Vulnerabilities


CVE-2025-5777, also known as Citrix Bleed 2, is a critical vulnerability that affects NetScaler ADC and NetScaler Gateway systems when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server. It is classified as an out-of-bounds read flaw (CWE-125) which allows an attacker to read memory on an affected device, granting access to sensitive data. Similar to the previous CitrixBleed vulnerability (CVE-2023-4966), it may allow unauthorized attackers to extract valid session tokens from the memory of internet-facing NetScaler devices. These session tokens can be used to bypass multi-factor authentication (MFA) and enable the attacker to take over authenticated sessions. The vulnerability is exploitable over the network without any privileges or user interaction, earning it a Critical CVSS v4.0 base score of 9.3.

CVE-2025-6543 is a critical vulnerability that impacts NetScaler ADC and NetScaler Gateway when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server. It is classified as a memory overflow issue (CWE-119) that can lead to unintended control flow and denial of service (DoS) in affected systems. It carries a Critical CVSS v4.0 base score of 9.2. The high CVSS rating suggests that the impact may extend beyond DoS, potentially allowing for more severe implications. Devices that remain unpatched are at risk of being breached.

CVE-2025-5349 is a high-severity vulnerability that affects NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway). An adversary with access to the Network Services IP (NSIP), Cluster Management IP, or local Global Server Load Balancing (GSLB) Site IP could exploit this flaw to gain unauthorized access to critical management functions. This vulnerability stems from improper access control on the NetScaler management interface. It has been assigned a CVSS v4.0 base score of 8.7 (High).
For CVE-2025-5349 and CVE-2025-5777, there are no workarounds available. Citrix has released software updates to address them. For NetScaler ADC and NetScaler Gateway versions prior to 13.1-58.32, users should upgrade to 13.1-58.32 or later releases of 13.1. For versions prior to 14.1-43.56, users should upgrade to 14.1-43.56 or later releases (or the corresponding FIPS-compliant releases).

For CVE-2025-6543, there are also no workarounds available. Citrix has released software updates to address it. For NetScaler ADC and NetScaler Gateway versions prior to 13.1-59.19, users should upgrade to 13.1-59.19 or later releases of 13.1. For versions prior to 14.1-47.46, users should upgrade to 14.1-47.46 or later releases of 14.1.

After applying the updates, Citrix recommends terminating all active ICA and PCoIP sessions by running the following commands on the appliance:

  kill icaconnection -all
  kill pcoipConnection -all

Recommended next steps:
  • Review the current versions of all Citrix NetScaler ADC appliances deployed in the environment to identify any that are vulnerable.
  • Patch any affected appliances without delay to remediate the vulnerabilities.
  • Follow Citrix's official recommendation to end all active ICA and PCoIP sessions after updating the devices. This step helps prevent access using any session tokens that may have already been compromised.
  • According to the Citrix Cloud Software Group blog post, customers should contact Citrix customer support for updates on IoCs.
  • Integrate Palo Alto Cortex with Vega to extend the coverage of the applied detections across the entire environment.
  • Perform a targeted threat-hunting exercise to assess whether any of the vulnerabilities were exploited before the patches were applied.
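The version review step above, as an added example that is not part of this brief and not Citrix tooling: a Python checker that parses NetScaler build strings and compares each appliance against the fixed builds the brief names, then reports the single upgrade target that closes every CVE the appliance is still exposed to. The inventory is constructed sample data; the "NetScaler NS14.1: Build 47.46.nc" input form (as printed by `show ns version`) is an assumed format; FIPS/NDcPP builds and branches other than 13.1 and 14.1 are sent to manual review because the brief gives no fixed build numbers for them.

```python
"""Assess NetScaler ADC / Gateway builds against the fixed builds named in the brief."""
import re
from typing import Dict, List, Optional, Tuple

Build = Tuple[int, int]

# First fixed build per release branch, exactly as stated in the brief. Only the
# 13.1 and 14.1 branches carry numbers on the page; FIPS/NDcPP builds and other
# branches are deliberately absent so they are flagged for review, not guessed.
FIXED_BUILDS: Dict[str, Dict[str, Build]] = {
    "CVE-2025-5349": {"13.1": (58, 32), "14.1": (43, 56)},
    "CVE-2025-5777": {"13.1": (58, 32), "14.1": (43, 56)},
    "CVE-2025-6543": {"13.1": (59, 19), "14.1": (47, 46)},
}

# Accepts advisory-style "14.1-47.46" and (assumed format) the `show ns version`
# style "NetScaler NS14.1: Build 47.46.nc, Date: ...".
VERSION_RE = re.compile(
    r"(?:NS)?(?P<branch>\d+\.\d+)(?:-|:\s*Build\s+)(?P<major>\d+)\.(?P<minor>\d+)"
)


def parse_version(text: str) -> Tuple[str, Build]:
    """Return (branch, (major, minor)) as integers so 47.3 sorts below 47.46."""
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"unrecognised NetScaler version string: {text!r}")
    return m["branch"], (int(m["major"]), int(m["minor"]))


def fmt(branch: str, build: Build) -> str:
    return f"{branch}-{build[0]}.{build[1]}"


def assess(text: str, fips: bool = False) -> Dict[str, str]:
    """Per-CVE status for one appliance: 'fixed', 'vulnerable' or 'not assessed'."""
    branch, build = parse_version(text)
    status: Dict[str, str] = {}
    for cve, fixed in FIXED_BUILDS.items():
        if fips or branch not in fixed:
            status[cve] = "not assessed"      # no fixed build for this line on the page
        elif build >= fixed[branch]:
            status[cve] = "fixed"             # tuple compare: numeric, not lexical
        else:
            status[cve] = "vulnerable"
    return status


def review(host: str, text: str, fips: bool = False) -> Dict[str, object]:
    """One inventory row -> status per CVE plus the action an operator should take."""
    branch, build = parse_version(text)
    status = assess(text, fips)
    if "not assessed" in status.values():
        action = "manual review (branch or FIPS build not covered by the brief)"
    else:
        # The highest fixed build among the open CVEs closes all of them at once,
        # since each later fix on a branch supersedes the earlier one.
        needed = [FIXED_BUILDS[c][branch] for c, s in status.items() if s == "vulnerable"]
        action = f"upgrade to {fmt(branch, max(needed))}" if needed else "none"
    return {"host": host, "version": fmt(branch, build), "status": status, "action": action}


def review_inventory(rows: List[Tuple[str, str, bool]]) -> List[Dict[str, object]]:
    return [review(host, text, fips) for host, text, fips in rows]


# Constructed sample inventory: (hostname, version string, is_fips_build).
SAMPLE_INVENTORY: List[Tuple[str, str, bool]] = [
    ("ns-gw-01", "14.1-47.46", False),
    ("ns-gw-02", "NetScaler NS14.1: Build 43.56.nc, Date: Jan 1 2025", False),
    ("ns-aaa-01", "13.1-58.32", False),
    ("ns-lab-01", "13.0-92.21", False),
    ("ns-fips-01", "13.1-37.235", True),
]

if __name__ == "__main__":
    for row in review_inventory(SAMPLE_INVENTORY):
        print(f"{row['host']:<12} {row['version']:<12} {row['action']}")
```

Note that 13.1-58.32 is reported as still needing 13.1-59.19: it closes CVE-2025-5349 and CVE-2025-5777 but not CVE-2025-6543, which is exactly the gap an inventory check should surface.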

Library detections (3)
  • Active Directory Recon Utilities Detected
  • Suspicious NetScaler Login from Tor Exit Node
  • Remote Access Connections from NetScaler Appliances To Windows Hosts
Additional detection ideas (1)
  • Monitor public-facing services for exploitation patterns — unusual POST bodies, deserialization payloads