Emergency Security Bulletin: Multiple vulnerabilities affecting Citrix NetScaler


By: RedLegg's Cyber Threat Intelligence Team

About:

RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats we classify as the highest severity level and warrant out-of-band emergency patching or mitigation action.

VULNERABILITIES

Citrix NetScaler ADC/Gateway Insufficient Input Validation Vulnerability

CVSS Score: 9.3 (Critical)
Identifier: CVE-2025-5777
Exploit or POC: No known public exploit yet — researchers warn exploitation is likely imminent
Update: CVE-2025-5777 – Citrix Security Advisory

Description: CVE-2025-5777 is a critical out-of-bounds read vulnerability in Citrix NetScaler ADC and Gateway. It stems from improper input validation in various virtual server configurations—including VPN virtual server, ICA Proxy, CVPN, RDP Proxy, and AAA virtual server—potentially exposing sensitive in-memory data. This flaw may lead to memory leakage of session tokens and private data, allowing unauthenticated attackers to hijack user sessions or carry out further attacks. Security firms have dubbed it "CitrixBleed 2", warning that it echoes the widespread CitrixBleed incident in 2023. Although no active exploits have been observed, analysts emphasize that exploitation is not "if" but "when".

Affected Versions:

  • NetScaler ADC and Gateway 14.1 before 14.1-43.56
  • NetScaler ADC and Gateway 13.1 before 13.1-58.32
  • NetScaler ADC 13.1-FIPS and NDcPP before 13.1-37.235-FIPS and NDcPP
  • NetScaler ADC 12.1-FIPS before 12.1-55.328-FIPS

Mitigation Recommendation:

Apply the updates included in Citrix's advisory immediately.

After patching, terminate all active ICA and PCoIP sessions using the commands:

  • kill icaconnection -all
  • kill pcoipConnection -all

This closes any sessions that may already be compromised.

Continuously monitor NetScaler instances for unusual session behavior, especially anomalous memory-access patterns or unexpected authentication attempts.

For extra protection, restrict exposure to these virtual servers and consider placing NetScaler behind hardened network perimeters until fully patched.

Citrix NetScaler Management Interface Improper Access Control Vulnerability

CVSS Score: 8.7 (High)
Identifier: CVE-2025-5349
Exploit or POC: No
Update: CVE-2025-5349 Citrix Security Advisory

Description: CVE-2025-5349 stems from improper access controls on the NetScaler Management Interface. An attacker with network access to the management interfaces (specifically the NSIP, Cluster Management IP, or local GSLB Site IP) may be able to perform sensitive administrative actions without proper authorization. This flaw allows elevated access to management-level functions, increasing the risk of full appliance compromise or further lateral attacks.

Affected Versions:

  • NetScaler ADC and Gateway 14.1 before 14.1-43.56
  • NetScaler ADC and Gateway 13.1 before 13.1-58.32
  • NetScaler ADC 13.1-FIPS and NDcPP before 13.1-37.235-FIPS and NDcPP
  • NetScaler ADC 12.1-FIPS before 12.1-55.328-FIPS

Mitigation Recommendation: Upgrade to Citrix NetScaler ADC / Gateway versions 14.1-43.56 or later, 13.1-58.32 or later, or the FIPS-compliant builds listed above.

After patching, terminate all active administrative sessions (e.g., ICA or PCoIP) across HA pairs and clusters.

Restrict network access to your management interfaces using firewall rules or segmentation until patches are applied.
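As an added inventory-triage example (not from the bulletin or from Citrix), the Python below encodes the fixed builds from both affected-version lists above and flags appliances whose build falls below the threshold for their branch. The hostnames are constructed, and the version-string notation it parses (the bulletin's own, e.g. "14.1-43.56") is an assumption.

```python
import re
from typing import Optional

# First fixed build per (release branch, hardened flavour), from the bulletin's
# affected-version lists; FIPS and NDcPP builds share one threshold there.
FIXED_BUILDS = {
    ("14.1", False): (43, 56),   # 14.1-43.56
    ("13.1", False): (58, 32),   # 13.1-58.32
    ("13.1", True):  (37, 235),  # 13.1-37.235-FIPS / -NDcPP
    ("12.1", True):  (55, 328),  # 12.1-55.328-FIPS
}

# Assumed input notation: the bulletin's own, e.g. "14.1-43.56", "13.1-37.235-FIPS".
_VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)(?:-(FIPS|NDcPP))?$", re.IGNORECASE)


def parse_version(version: str):
    """Split a version string into (branch, (major, minor) build, hardened?)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {version!r}")
    branch, build_major, build_minor, flavour = m.groups()
    return branch, (int(build_major), int(build_minor)), flavour is not None


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the build predates the fix, False if fixed, None if the branch
    is not covered by this bulletin (it may be end-of-life, which is worse)."""
    branch, build, hardened = parse_version(version)
    fixed = FIXED_BUILDS.get((branch, hardened))
    if fixed is None:
        return None
    # Builds compare numerically as (major, minor) tuples, so 43.100 > 43.56.
    return build < fixed


def triage(inventory):
    """Return hostnames still needing the patch, from (host, version) pairs."""
    return [host for host, ver in inventory if is_vulnerable(ver)]


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("gw-east.example.internal", "14.1-43.50"),
    ("gw-west.example.internal", "14.1-43.56"),
    ("adc-fips.example.internal", "13.1-37.200-FIPS"),
    ("adc-ndcpp.example.internal", "13.1-37.235-NDcPP"),
    ("adc-legacy.example.internal", "13.0-92.21"),  # branch not in bulletin
]
```

Branches that return None (such as 13.0 in the sample) are not cleared by this check; they fall outside the bulletin's lists and need separate review.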