Emergency Security Bulletin: Multiple vulnerabilities affecting Citrix NetScaler

https://www.redlegg.com/hubfs/Theme-2024/overlay-red.png

TABLE OF CONTENTS

NEW BLOGS

Penetration Testing Vulnerability Assessment

The Role of Retesting in Vulnerability Remediation Validation: A...

Vulnerability Bulletins

Emergency Security Bulletin: Cisco Unified Communications Manager...

IAM Identity Strategy

How to Build an IAM Adoption Strategy Rooted in People, Not Just...

Vulnerability Bulletins

Emergency Security Bulletin: Multiple Vulnerabilities affecting Cisco...

By: RedLegg's Cyber Threat Intelligence Team

06/25/25 08:37 PM

About:

RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats we classify as the highest severity level and warrant out-of-band emergency patching or mitigation action.

VULNERABILITIES

Citrix NetScaler ADC/Gateway Insufficient Input Validation Vulnerability

CVSS Score: 9.3 (Critical)
Identifier: CVE-2025-5777
Exploit or POC: No known public exploit yet — researchers warn exploitation is likely imminent
Update: CVE-2025-5777 – Citrix Security Advisory

Description: CVE-2025-5777 is a critical out-of-bounds read vulnerability in Citrix NetScaler ADC and Gateway. It stems from improper input validation in various virtual server configurations—including VPN virtual server, ICA Proxy, CVPN, RDP Proxy, and AAA virtual server—potentially exposing sensitive in-memory data. This flaw may lead to memory leakage of session tokens and private data, allowing unauthenticated attackers to hijack user sessions or carry out further attacks. Security firms have dubbed it "CitrixBleed 2", warning that it echoes the widespread CitrixBleed incident in 2023. Although no active exploits have been observed, analysts emphasize that exploitation is not "if" but "when".

Affected Versions:

NetScaler ADC and Gateway 14.1 before 14.1-43.56
NetScaler ADC and Gateway 13.1 before 13.1-58.32
NetScaler ADC 13.1-FIPS and NDcPP before 13.1-37.235-FIPS and NDcPP
NetScaler ADC 12.1-FIPS before 12.1-55.328-FIPS

Mitigation Recommendation:

Apply the updates included in Citrix's advisory immediately.
After patching, terminate all active ICA and PCoIP sessions using the commands:

kill icaconnection -all
kill pcoipConnection -all

This closes any sessions that may already be compromised.

Continuously monitor NetScaler instances for unusual session behavior, especially anomalous memory-access patterns or unexpected authentication attempts.

For extra protection, restrict exposure to these virtual servers and consider placing NetScaler behind hardened network perimeters until fully patched.

Citrix NetScaler Management Interface Improper Access Control Vulnerability

CVSS Score: 8.7 (High)
Identifier: CVE‑2025‑5349
Exploit or POC: No
Update: CVE‑2025‑5349 – Citrix Security Advisory

Description: CVE‑2025‑5349 stems from improper access controls on the NetScaler Management Interface. An attacker with network access to the management interfaces—specifically the NSIP, Cluster Management IP, or local GSLB Site IP, may be able to perform sensitive administrative actions without proper authorization. This flaw allows elevated access to management-level functions, increasing the risk of full appliance compromise or further lateral attacks.

Affected Versions:

NetScaler ADC and Gateway 14.1 before 14.1‑43.56
NetScaler ADC and Gateway 13.1 before 13.1‑58.32
NetScaler ADC 13.1‑FIPS and NDcPP before 13.1‑37.235‑FIPS and NDcPP
NetScaler ADC 12.1‑FIPS before 12.1‑55.328‑FIPS

Mitigation Recommendation: Upgrade to Citrix NetScaler ADC / Gateway versions 14.1‑43.56 or later, 13.1‑58.32 or later, or FIPS‑compliant builds as listed above

After patching, terminate all active administrative sessions (e.g., ICA or PCoIP) across HA pairs and clusters

Restrict network access to your management interfaces using firewall rules or segmentation until patches are applied