Critical Citrix NetScaler bug fixed, upgrade ASAP! (CVE-2025-5777)

Citrix has fixed a critical vulnerability (CVE-2025-5777) in NetScaler ADC and NetScaler Gateway reminiscent of the infamous and widely exploited CitrixBleed flaw.

The vulnerabilities were privately disclosed and there is no indication that they are under active exploitation. Nevertheless, the company has urged customers to install the relevant updated versions as soon as possible and to terminate active sessions.

About the vulnerabilities (CVE-2025-5777, CVE-2023-4966)

CVE-2025-5777 is an out-of-bounds read flaw stemming from insufficient input validation. Like CitrixBleed (CVE-2023-4966), it may allow unauthorized attackers to grab valid session tokens from the memory of internet-facing NetScaler devices by sending a malformed request. The session tokens can then be used to gain access to the appliances.

The vulnerability is exploitable over the network without any privileges or user interaction, but only on NetScaler devices that have been configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or Authentication, Authorization, and Accounting server.

CVE-2025-5349, which stems from improper access control on the NetScaler Management Interface, has also been fixed, but this one can be exploited only by attackers that have access to the device’s NetScaler-owned IP addresses or its cluster management IP address (if it’s a clustered appliance).

The vulnerabilities affect the following customer-managed appliances:

  • NetScaler ADC and NetScaler Gateway 14.1 prior to v14.1-43.56
  • NetScaler ADC and NetScaler Gateway 13.1 prior to v13.1-58.32
  • NetScaler ADC 13.1-FIPS and NDcPP prior to v13.1-37.235-FIPS and NDcPP
  • NetScaler ADC 12.1-FIPS prior to v12.1-55.328-FIPS

“Secure Private Access on-prem or Secure Private Access Hybrid deployments using NetScaler instances are also affected by the vulnerabilities. Customers need to upgrade these NetScaler instances to the recommended NetScaler builds to address the vulnerabilities,” the company noted.

The company also advised customers to terminate active ICA and PCoIP sessions after they have upgraded their NetScaler appliances, so that any potentially stolen session tokens are voided.

“Rebooting appliances instead of [terminating these sessions] isn’t recommended,” Anil Shetty, senior VP of Engineering at NetScaler, pointed out. In case of cluster deployments, the kill sessions commands should be executed on each of the nodes, and in case of high-availability pairs, executing the commands on the Primary active node is sufficient, he added.

Customers with NetScaler ADC and NetScaler Gateway end-of-life versions 12.1 and 13.0 are advised to upgrade their appliances to one of the supported (and fixed) versions.
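As an added defender-side inventory check, not part of the article or of Citrix's own tooling: a small Python script that compares a NetScaler version banner against the fixed builds listed above and also flags the end-of-life 12.1 and 13.0 branches. The banner layout it parses (`NetScaler NS14.1: Build 43.56.nc, ...`) and the sample banners are assumptions, and whether an appliance runs a FIPS/NDcPP image is passed in by the caller rather than guessed from the banner.

```python
import re
from typing import Optional, Tuple

# First fixed build per branch, taken from the affected-version list above.
# Key: (branch, fips_or_ndcpp_image) -> (build major, build minor).
FIXED_BUILDS = {
    ("14.1", False): (43, 56),
    ("13.1", False): (58, 32),
    ("13.1", True): (37, 235),
    ("12.1", True): (55, 328),
}
# Branches the article calls end-of-life: no fixed build, move to a supported branch.
EOL_BRANCHES = {"12.1", "13.0"}

# Assumed shape of the `show ns version` banner, e.g. "NetScaler NS14.1: Build 43.56.nc, Date: ...".
VERSION_RE = re.compile(r"NetScaler NS(?P<branch>\d+\.\d+): Build (?P<major>\d+)\.(?P<minor>\d+)")


def parse_version(banner: str) -> Optional[Tuple[str, Tuple[int, int]]]:
    """Return (branch, (build major, build minor)) or None if the banner is unrecognised."""
    m = VERSION_RE.search(banner)
    if m is None:
        return None
    return m.group("branch"), (int(m.group("major")), int(m.group("minor")))


def assess(banner: str, fips: bool = False) -> Tuple[str, str]:
    """Classify a banner as 'vulnerable', 'fixed' or 'unknown' against the advisory thresholds.

    `fips` is supplied by the caller: the banner alone does not say whether the appliance
    runs a FIPS/NDcPP image, and those images have their own fixed builds.
    """
    parsed = parse_version(banner)
    if parsed is None:
        return "unknown", "could not parse version banner"
    branch, build = parsed
    fixed = FIXED_BUILDS.get((branch, fips))
    if fixed is None:
        if branch in EOL_BRANCHES:
            return "vulnerable", f"{branch} is end-of-life; upgrade to a supported fixed branch"
        return "unknown", f"branch {branch} is not covered by this advisory"
    shown = f"{branch}-{build[0]}.{build[1]}"
    if build < fixed:  # tuple comparison: (43, 50) < (43, 56) and (44, 1) > (43, 56)
        return "vulnerable", f"{shown} is below fixed build {branch}-{fixed[0]}.{fixed[1]}"
    return "fixed", f"{shown} is at or above {branch}-{fixed[0]}.{fixed[1]}"


if __name__ == "__main__":
    # Constructed sample banners, not captured from real appliances.
    for banner, fips in [("NetScaler NS14.1: Build 43.50.nc, Date: Jan 1 2025", False),
                         ("NetScaler NS13.1: Build 37.235.nc", True),
                         ("NetScaler NS13.0: Build 92.21.nc", False)]:
        print(assess(banner, fips))
```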

Threat actors have historically been quick to leverage vulnerabilities in Citrix NetScaler ADC, so speed is of the essence here.
