Disclosure of a severe weakness in Citrix NetScaler signals a possible surge of exploitation attempts
Two critical vulnerabilities, CVE-2025-5777 and CVE-2025-6543, have been disclosed in Citrix NetScaler ADC and Gateway appliances. These vulnerabilities, which have been actively exploited, pose a significant threat to numerous internet-connected devices as of August 2025.
CVE-2025-5777 (CitrixBleed 2)
Affecting NetScaler ADC and Gateway appliances, CVE-2025-5777 is an out-of-bounds memory read vulnerability due to insufficient input validation. This can potentially lead to data leakage or exploitation. To mitigate this risk, users should upgrade their NetScaler instances to the latest release and build that contains the patch, using the Citrix NetScaler Console upgrade workflow. Additionally, configuration commands should be applied through customizable built-in configuration templates in configuration jobs, as guided by Citrix documentation.
Over 3,300 devices worldwide remain vulnerable, and the vulnerability has been actively exploited, including in critical infrastructure organizations in the Netherlands.
CVE-2025-6543
CVE-2025-6543 is a memory overflow vulnerability in NetScaler ADC and Gateway, allowing unintended control flow manipulation, denial-of-service (DoS) attacks, and remote code execution via web shells. To address this vulnerability, users should apply the latest security updates provided by Citrix immediately. Additionally, all active and permanent sessions on NetScaler should be terminated by running commands such as , , , , and .
Furthermore, users are advised to use the shell scripts provided by the Dutch NCSC to hunt for indicators of compromise, such as suspicious files in system folders and unauthorized, newly created accounts with privileges. This vulnerability has been exploited as a zero-day since at least early May 2025, leading to significant breaches in critical Dutch organizations.
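The two indicator classes named above (recently changed script-like files in system folders, and unexpected privileged accounts) can be triaged with a short script. This is an added example, not the Dutch NCSC scripts and not Citrix code. The review start date, the extension list, the expected admin name `nsroot`, and the `bind system user <name> superuser <priority>` line format of the ns.conf-style input are assumptions.

```shell
#!/bin/sh
# Added triage sketch, not the Dutch NCSC scripts. Paths come from the caller.

# Start of the review window in touch -t format (YYYYMMDDhhmm). The article dates
# exploitation to "early May 2025"; the exact day is an assumption.
SINCE="${SINCE:-202505010000}"

# Files under the given folders modified after $SINCE that look like scripts
# (possible web shells) or carry the setuid bit. Extension list is illustrative.
hunt_files() {
    ref=$(mktemp) || return 1
    touch -t "$SINCE" "$ref"
    find "$@" -type f -newer "$ref" \
        \( -name '*.php' -o -name '*.sh' -o -name '*.pl' -o -name '*.py' \
           -o -perm -4000 \) -print 2>/dev/null | sort
    rm -f "$ref"
}

# Users bound to the superuser command policy in an ns.conf-style file, minus the
# names the caller expects. Group bindings are not covered (assumed out of scope).
hunt_accounts() {
    conf="$1"; shift
    awk -v allow=" $* " '
        $1 == "bind" && $2 == "system" && $3 == "user" && $5 == "superuser" {
            gsub(/"/, "", $4)
            if (index(allow, " " $4 " ") == 0) print $4
        }' "$conf" | sort -u
}

# Constructed sample data: a throwaway tree and config, then both hunts.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/sys"
    : > "$d/sys/old.php";  touch -t 202401010000 "$d/sys/old.php"
    : > "$d/sys/new.php";  touch -t 202506010000 "$d/sys/new.php"
    : > "$d/sys/note.txt"; touch -t 202506010000 "$d/sys/note.txt"
    printf '%s\n' \
        'bind system user nsroot superuser 100' \
        'bind system user helpdesk read-only 100' \
        'bind system user svc_backup superuser 100' > "$d/ns.conf"
    (cd "$d" && hunt_files sys && hunt_accounts ns.conf nsroot)
    rm -rf "$d"
}

# Usage: sh hunt.sh <ns.conf-style file> <expected admin> <folder>...
if [ "$#" -ge 3 ]; then
    conf="$1"; admin="$2"; shift 2
    hunt_files "$@"; hunt_accounts "$conf" "$admin"
fi
```

Hits are leads for review against a known-good baseline, not proof of compromise.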
Versions Affected
Citrix has not publicly listed exact version cutoffs for the affected products. However, typically, vulnerabilities labeled in NetScaler ADC and Gateway impact all versions prior to the patched builds released around June-July 2025. Users must verify upgrade paths in official Citrix advisories and patch their instances accordingly.
Additional Information
- The U.S. CISA has ordered federal agencies to secure systems against these vulnerabilities rapidly.
- Shadowserver Foundation data shows thousands of vulnerable appliances still accessible on the internet, indicating an urgent need for patching.
- Organizations are advised to scan for compromise signs and terminate ongoing sessions even after patching to prevent persistent threats.
- Cloud Software Group has recommended that all customers immediately upgrade to secure versions of NetScaler ADC and NetScaler Gateway.
- Officials from the Australian Signals Directorate have urged security teams to immediately upgrade their systems to secure versions of the two products.
- Security researchers have expressed concerns about the potential for hackers to launch attacks rivaling or surpassing the exploitation seen during the "CitrixBleed" crisis in 2023.
- The memory overflow vulnerability could lead to unintended control flow and denial of service in NetScaler ADC and NetScaler Gateway when configured as Gateway.
- The Cybersecurity and Infrastructure Security Agency has urged critical infrastructure organizations to adopt the use of memory-safe programming languages.
- Citrix has issued a security bulletin on its help site regarding the vulnerabilities in NetScaler ADC and NetScaler Gateway.
- Benjamin Harris, CEO at watchTowr, has compared CVE-2025-5777 to the CitrixBleed vulnerability, which caused significant issues for end-users of Citrix NetScaler appliances in 2023.
In essence, the recommended action is to immediately upgrade all NetScaler ADC and Gateway devices to the fixed versions announced by Citrix, apply the configuration fixes, and run mitigation commands for active session termination and threat hunting, as both CVE-2025-5777 and CVE-2025-6543 remain actively exploited and highly critical vulnerabilities.