By: RedLegg's Cyber Threat Intelligence Team
About:
RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats we classify as the highest severity level and warrant out-of-band emergency patching or mitigation action.
VULNERABILITIES
Citrix NetScaler ADC/Gateway Insufficient Input Validation Vulnerability
CVSS Score: 9.3 (Critical)
Identifier: CVE-2025-5777
Exploit or POC: No known public exploit yet — researchers warn exploitation is likely imminent
Update: CVE-2025-5777 – Citrix Security Advisory
Description: CVE-2025-5777 is a critical out-of-bounds read vulnerability in Citrix NetScaler ADC and Gateway. It stems from improper input validation in various virtual server configurations—including VPN virtual server, ICA Proxy, CVPN, RDP Proxy, and AAA virtual server—potentially exposing sensitive in-memory data. This flaw may lead to memory leakage of session tokens and private data, allowing unauthenticated attackers to hijack user sessions or carry out further attacks. Security firms have dubbed it "CitrixBleed 2", warning that it echoes the widespread CitrixBleed incident in 2023. Although no active exploits have been observed, analysts emphasize that exploitation is not "if" but "when".
Affected Versions:
- NetScaler ADC and Gateway 14.1 before 14.1-43.56
- NetScaler ADC and Gateway 13.1 before 13.1-58.32
- NetScaler ADC 13.1-FIPS and NDcPP before 13.1-37.235-FIPS and NDcPP
- NetScaler ADC 12.1-FIPS before 12.1-55.328-FIPS
Mitigation Recommendation: Apply the updates included in Citrix's advisory immediately.
After patching, terminate all active ICA and PCoIP sessions using the commands:
- kill icaconnection -all
- kill pcoipConnection -all
Continuously monitor NetScaler instances for unusual session behavior, especially anomalous memory-access patterns or unexpected authentication attempts.
For extra protection, restrict exposure to these virtual servers and consider placing NetScaler behind hardened network perimeters until fully patched.
Citrix NetScaler Management Interface Improper Access Control Vulnerability
CVSS Score: 8.7 (High)
Identifier: CVE-2025-5349
Exploit or POC: No
Update: CVE-2025-5349 – Citrix Security Advisory
Affected Versions:
- NetScaler ADC and Gateway 14.1 before 14.1-43.56
- NetScaler ADC and Gateway 13.1 before 13.1-58.32
- NetScaler ADC 13.1-FIPS and NDcPP before 13.1-37.235-FIPS and NDcPP
- NetScaler ADC 12.1-FIPS before 12.1-55.328-FIPS
Mitigation Recommendation: Upgrade to Citrix NetScaler ADC / Gateway versions 14.1-43.56 or later, 13.1-58.32 or later, or the FIPS-compliant builds listed above.
After patching, terminate all active administrative sessions (e.g., ICA or PCoIP) across HA pairs and clusters.
Restrict network access to your management interfaces using firewall rules or segmentation until patches are applied.
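Both advisories share the same fixed builds, so a fleet check can use one table. The script below is an added example, not Citrix tooling or part of this bulletin: it parses versions written in the advisory's own "branch-build.minor[-FIPS|-NDcPP]" notation (mapping your appliances' reported versions into that form is assumed to be done beforehand) and flags anything older than the fixed build for its branch, sending unlisted branches to manual review rather than reporting them as safe.

```python
import re

# Fixed builds per (branch, hardened-build flag), copied from the advisory above.
# 13.1-FIPS and 13.1-NDcPP share one fixed build, so both map to the same key.
FIXED_BUILDS = {
    ("14.1", False): (43, 56),
    ("13.1", False): (58, 32),
    ("13.1", True): (37, 235),
    ("12.1", True): (55, 328),
}

# Advisory notation: <branch>-<build>.<minor>[-FIPS|-NDcPP]
VERSION_RE = re.compile(r"(\d+\.\d+)-(\d+)\.(\d+)(?:-(FIPS|NDcPP))?\b", re.IGNORECASE)

def parse_version(text: str):
    """Return (branch, build, minor, hardened) or None if the text does not
    contain a version in the advisory's notation."""
    text = text.replace("\u2011", "-")  # non-breaking hyphens from copied advisories
    m = VERSION_RE.search(text)
    if not m:
        return None
    return m.group(1), int(m.group(2)), int(m.group(3)), m.group(4) is not None

def is_vulnerable(text: str) -> bool:
    """True if the build predates the fixed build for its branch.
    Raises ValueError when the string is unparseable or names a branch/build
    family the advisory does not list, so it is reviewed by hand instead of
    silently reported as safe."""
    parsed = parse_version(text)
    if parsed is None:
        raise ValueError(f"unrecognised version: {text!r}")
    branch, build, minor, hardened = parsed
    key = (branch, hardened)
    if key not in FIXED_BUILDS:
        raise ValueError(f"{text!r}: branch not listed in the advisory, review manually")
    return (build, minor) < FIXED_BUILDS[key]

def triage(inventory: dict) -> dict:
    """Map hostname -> 'patch', 'ok' or 'review' for a hostname->version dict."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "patch" if is_vulnerable(version) else "ok"
        except ValueError:
            result[host] = "review"
    return result

if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hostnames and versions).
    sample = {"ns-gw-01": "14.1-43.50", "ns-gw-02": "14.1-43.56",
              "ns-fips-01": "13.1-37.200-FIPS", "ns-old-01": "12.1-55.100"}
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```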