Citrix NetScaler Faces Zero-Day Security Threat


Overview

Citrix has just released patches for two critical vulnerabilities affecting NetScaler Application Delivery Controller (ADC) and NetScaler Gateway products, especially when configured as a Gateway or AAA virtual server.


Details of the Vulnerabilities

CVE-2025-5777 (CVSS 9.3)

  • Description: Insufficient input validation leading to memory overread.

  • Impact: Leakage of sensitive information such as session tokens, which can be reused to gain unauthorized access and bypass multi-factor authentication (MFA).

  • Related: Shares similarities with the CitrixBleed (CVE-2023-4966) vulnerability, previously exploited by ransomware groups like LockBit, leading to the Xfinity data breach.

  • Exploitation Status: No exploitation recorded, but there is a high risk.

CVE-2025-6543 (CVSS 9.2)

  • Description: Memory overflow, leading to unintended control flow and denial of service (DoS).

  • Exploitation Status: Exploited in the wild (zero-day).


Affected Versions

CVE-2025-5777 affects versions:

  • NetScaler ADC and NetScaler Gateway 14.1 BEFORE 14.1-43.56

  • NetScaler ADC and NetScaler Gateway 13.1 BEFORE 13.1-58.32

  • NetScaler ADC 13.1-FIPS and NDcPP BEFORE 13.1-37.235-FIPS and NDcPP

  • NetScaler ADC 12.1-FIPS BEFORE 12.1-55.328-FIPS

CVE-2025-6543 affects versions:

  • NetScaler ADC and NetScaler Gateway 14.1-47.46 and later releases

  • NetScaler ADC and NetScaler Gateway 13.1-59.19 and later releases of 13.1

  • NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.236 and later releases of 13.1-FIPS and 13.1-NDcPP
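The CVE-2025-5777 thresholds listed above can be checked across an inventory with a short script. This is an added example, not Citrix or FPT code; the "NS14.1: Build 43.56.nc" banner format, the edition labels and the sample inventory are assumptions constructed for illustration.

```python
import re

# First fixed build per release line for CVE-2025-5777, from the list above.
# The edition labels ("standard", "fips") are this example's own naming.
FIXED_5777 = {
    ("14.1", "standard"): (43, 56),
    ("13.1", "standard"): (58, 32),
    ("13.1", "fips"): (37, 235),   # 13.1-FIPS and NDcPP
    ("12.1", "fips"): (55, 328),
}

# Accepts "14.1-43.56" as written on this page, or a CLI-style banner
# such as "NS14.1: Build 43.56.nc" (banner format is an assumption).
_VERSION_RE = re.compile(r"(?:NS)?(\d+\.\d+)\s*(?:-|:\s*Build\s+)(\d+)\.(\d+)")


def parse_version(text):
    """Return (release, (build_major, build_minor)) from a version string."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def check_5777(text, edition="standard"):
    """Classify a build as 'vulnerable', 'patched' or 'not-listed'."""
    release, build = parse_version(text)
    fixed = FIXED_5777.get((release, edition))
    if fixed is None:
        # No fixed build is listed above for this release and edition:
        # review it by hand instead of assuming it is safe.
        return "not-listed"
    # Compare as integer tuples: as text or floats, 43.6 sorts above 43.56,
    # which would wrongly mark an older build as patched.
    return "vulnerable" if build < fixed else "patched"


if __name__ == "__main__":
    # Constructed sample inventory: (hostname, version string, edition).
    inventory = [
        ("gw-01", "NetScaler NS14.1: Build 43.50.nc", "standard"),
        ("gw-02", "14.1-43.56", "standard"),
        ("gw-03", "13.1-37.234", "fips"),
        ("gw-04", "12.1-55.300", "standard"),
    ]
    for host, version, edition in inventory:
        print(f"{host}: {check_5777(version, edition)}")
```

A "patched" result covers only the build number; sessions established before the update still need to be terminated as described below.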


FPT Threat Intelligence urgently recommends the following measures to address the vulnerabilities:

  • Apply the patches immediately, following Citrix's guidance for CVE-2025-6543 and CVE-2025-5777.

  • Terminate all current sessions after updating by running the commands:

kill icaconnection -all
kill pcoipConnection -all

⚠️ Warning: Many organizations did not end sessions after patching the CitrixBleed vulnerability, leading to continued exploitation through session tokens that were stolen before the patch.

  • Check the system for signs of exploitation, especially with the CVE-2025-6543 vulnerability that has been exploited in the wild.

The IT security unit recommends that all organizations using Citrix NetScaler urgently review, update, and implement necessary response measures.

