Critical Citrix NetScaler Vulnerability Added to CISA's Known Exploited Vulnerabilities Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical flaw in Citrix NetScaler ADC and Gateway to its Known Exploited Vulnerabilities catalog. Learn about the impact, affected versions, and mitigation steps.

TL;DR

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability in Citrix NetScaler ADC and Gateway, known as CVE-2025-5777 or ‘CitrixBleed 2’, to its Known Exploited Vulnerabilities catalog. This flaw allows unauthenticated attackers to steal session cookies, posing a significant security risk. Affected organizations should update their systems immediately to mitigate this threat.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability in Citrix NetScaler ADC and Gateway to its Known Exploited Vulnerabilities (KEV) catalog [1]. This flaw, tracked as CVE-2025-5777 and dubbed ‘CitrixBleed 2’, has a CVSS v4.0 base score of 9.3, indicating a high severity [2].

Impact and Details

The CVE-2025-5777 vulnerability is an insufficient input validation issue leading to a memory overread. It affects NetScaler devices configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server. The flaw allows unauthenticated attackers to steal session cookies, much like the earlier critical flaw known as CitrixBleed [3].

Affected Versions

The vulnerability impacts the following supported versions of NetScaler ADC and NetScaler Gateway:

  • NetScaler ADC 12.1-FIPS before 12.1-55.328-FIPS
  • NetScaler ADC and NetScaler Gateway 14.1 before 14.1-43.56
  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-58.32
  • NetScaler ADC 13.1-FIPS and NDcPP before 13.1-37.235-FIPS and NDcPP
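As an added defender-side example (not code from this post or from Citrix), the following Python compares NetScaler build strings against the fixed builds listed above and applies the exposure condition from the Impact section (only appliances serving a Gateway or AAA virtual server role are affected). The build-string layout (`<branch>-<major>.<minor>[-FIPS|-NDcPP]`), the role labels and the sample inventory are assumptions constructed for this example, not NetScaler tooling output.

```python
import re
from typing import NamedTuple, Optional

# First fixed build per (branch, variant), copied from the affected-versions
# list above. A build is compared as a (major, minor) integer pair, so
# 14.1-43.56 becomes ("14.1", (43, 56)).
FIXED_BUILDS = {
    ("12.1", "FIPS"): (55, 328),
    ("13.1", ""): (58, 32),
    ("13.1", "FIPS"): (37, 235),
    ("13.1", "NDcPP"): (37, 235),
    ("14.1", ""): (43, 56),
}

# Configurations the advisory lists as affected: Gateway (VPN vserver,
# ICA Proxy, CVPN, RDP Proxy) or AAA vserver. The role labels are constructed
# for this example, not NetScaler terminology.
EXPOSED_ROLES = {"vpn", "ica_proxy", "cvpn", "rdp_proxy", "aaa"}

# Assumed layout of a build string: "<branch>-<major>.<minor>[-FIPS|-NDcPP]".
_VERSION_RE = re.compile(
    r"^(?P<branch>\d+\.\d+)-(?P<major>\d+)\.(?P<minor>\d+)"
    r"(?:-(?P<variant>FIPS|NDcPP))?$"
)


class ParsedVersion(NamedTuple):
    branch: str
    build: tuple
    variant: str


def parse_version(text: str) -> Optional[ParsedVersion]:
    """Split a build string into branch, (major, minor) build and variant."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        return None
    build = (int(m.group("major")), int(m.group("minor")))
    return ParsedVersion(m.group("branch"), build, m.group("variant") or "")


def assess(version: str, roles) -> str:
    """Classify one appliance for CVE-2025-5777.

    Returns one of:
      patched                 - build is at or above the fixed build
      vulnerable              - below the fixed build and serving a Gateway/AAA role
      below_fixed_not_exposed - below the fixed build but no affected role configured
      branch_not_listed       - branch/variant not in the list above (review manually)
      unparseable             - string did not match the assumed layout
    """
    parsed = parse_version(version)
    if parsed is None:
        return "unparseable"
    fixed = FIXED_BUILDS.get((parsed.branch, parsed.variant))
    if fixed is None:
        return "branch_not_listed"
    if parsed.build >= fixed:
        return "patched"
    if set(roles) & EXPOSED_ROLES:
        return "vulnerable"
    return "below_fixed_not_exposed"


def triage(inventory):
    """Map hostname -> status for a {host: (build_string, roles)} inventory."""
    return {host: assess(build, roles) for host, (build, roles) in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and builds are illustrative.
    sample = {
        "ns-gw-01": ("14.1-43.55", {"vpn", "ica_proxy"}),
        "ns-gw-02": ("14.1-43.56", {"vpn"}),
        "ns-lb-01": ("13.1-58.10", {"lb"}),
        "ns-fips-01": ("13.1-37.200-FIPS", {"aaa"}),
        "ns-old-01": ("13.0-92.21", {"vpn"}),
    }
    for host, status in sorted(triage(sample).items()):
        print(f"{host:12} {status}")
```

A `below_fixed_not_exposed` appliance still needs the update; the status only says that the overread described above is not reachable through an affected role as currently configured. A `branch_not_listed` result is deliberately not reported as safe, since the fixed-build list above covers only the supported branches.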

Similarities to Previous Vulnerabilities

Security researcher Kevin Beaumont highlighted similarities between CVE-2025-5777 and the earlier vulnerability CVE-2023-4966, also known as Citrix Bleed [4]. Beaumont noted that the new flaw allows attackers to read memory from NetScaler devices, which can include sensitive information such as session tokens. These tokens can be replayed to hijack Citrix sessions, bypassing multi-factor authentication (MFA) [5].

Mitigation Steps

Alongside CVE-2025-5777, Citrix has addressed a second high-severity flaw, tracked as CVE-2025-5349, which affects NetScaler’s management interface. This issue is due to improper access control and can be exploited if attackers gain access to the NSIP, Cluster IP, or Local GSLB IP. Users are advised to update to the fixed versions of NetScaler ADC and Gateway listed above to mitigate both flaws [6].

Federal and Private Sector Guidance

Under Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies must remediate the identified vulnerabilities by the due date to protect their networks against potential attacks [7]. Private organizations are also encouraged to review the KEV catalog and address these vulnerabilities in their own infrastructure [8].

Additional Findings

Beaumont’s Shodan scans found over 56,500 exposed NetScaler ADC and Gateway endpoints, but it is unclear how many are vulnerable to CVE-2025-5777. GreyNoise has tracked 10 malicious IPs from 5 countries targeting the U.S., France, Germany, India, and Italy in the past 30 days [9].

Conclusion

The addition of CVE-2025-5777 to CISA’s KEV catalog underscores the urgent need for organizations to update their Citrix NetScaler ADC and Gateway systems. By taking immediate action, organizations can protect themselves from potential attacks exploiting this critical vulnerability.

References

  1. CISA (2025-07-10). “CISA Adds One Known Exploited Vulnerability to Catalog”. Retrieved 2025-07-11.

  2. CVE (2025). “CVE-2025-5777”. Retrieved 2025-07-11.

  3. Security Affairs (2025). “CitrixBleed 2: The Nightmare that Echoes the CitrixBleed Flaw in NetScaler Devices”. Retrieved 2025-07-11.

  4. Security Affairs (2023). “Citrix Warns: Patch CVE-2023-4966”. Retrieved 2025-07-11.

  5. DoublePulsar (2025). “CitrixBleed 2: Electric Boogaloo - CVE-2025-5777”. Retrieved 2025-07-11.

  6. Citrix (2025). “Support Article CTX693420”. Retrieved 2025-07-11.

  7. CISA (2022). “Binding Operational Directive (BOD) 22-01”. Retrieved 2025-07-11.

  8. CISA (2025). “Known Exploited Vulnerabilities Catalog”. Retrieved 2025-07-11.

  9. GreyNoise (2025). “CitrixBleed 2 - CVE-2025-5777 Attempt”. Retrieved 2025-07-11.

This post is licensed under CC BY 4.0 by the author.