Vulnerability Description
Three vulnerabilities in NetScaler ADC and NetScaler Gateway (formerly Citrix ADC and Gateway) were disclosed in June 2025 in a security advisory:
- CVE-2025-5777 – Out-of-bounds read due to insufficient input validation (CVSS 9.3): Exploitable when NetScaler is configured as a Gateway or AAA virtual server. Lets attackers read memory contents such as session tokens or credentials and use them to hijack authenticated sessions, similar to the original CitrixBleed (CVE-2023-4966).
- CVE-2025-6543 – Memory overflow leading to denial of service and unintended control flow (CVSS 9.2): May allow attackers to crash the application or achieve remote code execution.
- CVE-2025-5349 – Improper access control on the management interface (CVSS 8.7): Allows unauthenticated attackers to interact with management functions, potentially leading to unauthorized configuration changes or movement within the network.
Note that versions 12.1 and 13.0 are End-of-Life (EOL) and remain vulnerable; they will not receive patches.
Threat Activity
At the time of writing this advisory:
- None of these vulnerabilities have been added to CISA’s Known Exploited Vulnerabilities (KEV) Catalog (although we suspect it’s only a matter of time before they are).
- Citrix has not confirmed active exploitation of CVE-2025-5349 or CVE-2025-5777, but ReliaQuest has assessed with medium confidence that CVE-2025-5777 has been exploited to gain initial access to targeted environments.
- Cloud Software Group has observed a limited number of instances where CVE-2025-6543 has been exploited.
CVE-2025-5777 has been dubbed “CitrixBleed 2” due to its strong similarity to CVE-2023-4966 (CitrixBleed). CVE-2023-4966 enabled attackers to hijack authenticated sessions without needing credentials and was heavily abused by threat actors. Similarly, CVE-2025-5777 allows memory overreads that may expose valid session tokens, placing devices at risk of unauthenticated access (especially if patches are applied without terminating existing sessions). Given the similar exploitation impact, CVE-2025-5777 is likely to be targeted in the future.
Available Patches
CVE-2025-5349 and CVE-2025-5777
| Vulnerable Version | Patch |
|---|---|
| 14.1 < 14.1-43.56 | 14.1-43.56+ |
| 13.1 < 13.1-58.32 | 13.1-58.32+ |
| 13.1-FIPS < 13.1-37.235 | 13.1-FIPS 13.1-37.235+ |
CVE-2025-6543
| Vulnerable Version | Patch |
|---|---|
| 14.1 < 14.1-47.46 | 14.1-47.46+ |
| 13.1 < 13.1-59.19 | 13.1-59.19+ |
| 13.1-FIPS < 13.1-37.236 | 13.1-FIPS 13.1-37.236+ |
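As an added example (not Censys' or Citrix's own code), the Python script below checks a NetScaler build string against the fixed builds in the two tables above and reports, per CVE group, whether the build is patched, vulnerable, or on an EOL branch that will never be patched. It assumes the branch-build.minor form NetScaler uses for build strings (e.g. "14.1-43.56") and that FIPS builds carry a "FIPS" token; the inventory strings at the bottom are constructed, not real observations. Note that a build can be fixed for CVE-2025-5349/CVE-2025-5777 and still be short of the CVE-2025-6543 fix, which is why each group is evaluated separately.

```python
"""
Check NetScaler ADC / Gateway build strings against the fixed builds from the
advisory's patch tables.  Added example, not Censys' or Citrix's own code.
Assumes the <branch>-<build>.<minor> form NetScaler builds use (e.g.
"14.1-43.56") and that FIPS builds carry a "FIPS" token in the string.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# First fixed build per branch, transcribed from the advisory's patch tables.
FIXED_BUILDS = {
    "CVE-2025-5349/CVE-2025-5777": {"14.1": (43, 56), "13.1": (58, 32), "13.1-FIPS": (37, 235)},
    "CVE-2025-6543":               {"14.1": (47, 46), "13.1": (59, 19), "13.1-FIPS": (37, 236)},
}
# Branches the advisory lists as End-of-Life: vulnerable and never patched.
EOL_BRANCHES = {"12.1", "13.0"}

PATCHED, VULNERABLE, VULNERABLE_EOL, UNKNOWN = "patched", "vulnerable", "vulnerable-eol", "unknown"


@dataclass(frozen=True)
class Build:
    branch: str                          # e.g. "14.1"
    fips: bool                           # True for the FIPS build line
    build: Optional[Tuple[int, int]]     # (build, minor); None if only the branch is known


def parse_build(text: str) -> Build:
    """Parse "14.1-43.56", "13.1-FIPS 13.1-37.235" or "13.1-FIPS-37.235".

    Raises ValueError when no <major>.<minor> branch can be found."""
    text = text.strip()
    branch = re.match(r"(\d+\.\d+)", text)
    if not branch:
        raise ValueError(f"unrecognised NetScaler build string: {text!r}")
    tail = re.search(r"-(\d+)\.(\d+)$", text)   # trailing "-<build>.<minor>", if present
    return Build(
        branch=branch.group(1),
        fips="FIPS" in text.upper(),
        build=(int(tail.group(1)), int(tail.group(2))) if tail else None,
    )


def assess(text: str) -> dict:
    """Return a CVE-group -> status map for one build string."""
    b = parse_build(text)
    if b.branch in EOL_BRANCHES:
        # EOL branches are vulnerable regardless of build number.
        return {cve: VULNERABLE_EOL for cve in FIXED_BUILDS}
    key = f"{b.branch}-FIPS" if b.fips else b.branch
    status = {}
    for cve, table in FIXED_BUILDS.items():
        fixed = table.get(key)
        if fixed is None or b.build is None:
            status[cve] = UNKNOWN      # branch not in the tables, or no build number seen
        elif b.build >= fixed:         # tuple compare: build first, then minor
            status[cve] = PATCHED
        else:
            status[cve] = VULNERABLE
    return status


def needs_action(text: str) -> bool:
    """True when any status is not PATCHED; unknowns need manual confirmation."""
    return any(s != PATCHED for s in assess(text).values())


# Constructed inventory of fingerprinted build strings (not real observations).
SAMPLE_INVENTORY = [
    "14.1-43.56",             # fixed for 5349/5777, still short of the 6543 fix
    "14.1-47.46",             # fixed for both groups
    "13.1-58.31",             # one build short of the 5349/5777 fix
    "13.1-FIPS 13.1-37.235",  # FIPS line: one build short of the 6543 fix
    "12.1-55.300",            # EOL branch, no patch coming
]

if __name__ == "__main__":
    for entry in SAMPLE_INVENTORY:
        flag = "ACTION" if needs_action(entry) else "ok"
        print(f"{entry:<24} {flag:<7} {assess(entry)}")
```

Feed it the version strings your asset inventory or scanner reports; anything flagged `unknown` (branch missing from the tables, or a fingerprint that yields only the branch) should be confirmed on the appliance rather than assumed patched.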
Censys Perspective
At the time of writing, Censys observed 69,237 exposed NetScaler Gateway & ADC instances online, a small number of which we are able to infer versions for. The versions in the table below were observed most frequently:
web.software: (vendor: "Citrix" and product: {"Gateway", "NetScaler Gateway", "NetScaler"})
services.software: (vendor="Citrix" and product={"Gateway", "NetScaler Gateway", "NetScaler"})
host.services.software: (vendor="Citrix" and product={"Gateway", "NetScaler Gateway", "NetScaler"}) or web_entity.instances.software: (vendor="Citrix" and product={"Gateway", "NetScaler Gateway", "NetScaler"})
risks.name = "Vulnerable Citrix Netscaler Application [CVE-2025-5349, CVE-2025-5777]" or risks.name = "Vulnerable Citrix Netscaler Application [CVE-2025-6543]"

References
- CVE-2025-5349 NVD Advisory
- CVE-2025-5777 NVD Advisory
- CVE-2025-6543 NVD Advisory
- CVE-2023-4966 NVD Advisory
- NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2025-5349 and CVE-2025-5777
- NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2025-6543
- NetScaler Critical Security Updates for CVE-2025-6543 and CVE-2025-5777
- Guidance for Addressing Citrix NetScaler ADC and Gateway Vulnerability CVE-2023-4966, Citrix Bleed
- Threat Spotlight: CVE-2025-5777: Citrix Bleed 2 Opens Old Wounds