# Citrix NetScaler Faces Zero-Day Security Threat

## **Overview**

Citrix has just released patches for **two critical vulnerabilities** affecting **NetScaler Application Delivery Controller (ADC)** and **NetScaler Gateway** products, especially when configured as a **Gateway or AAA virtual server**.

---

### **Details of the Vulnerabilities**

**CVE-2025-5777 (CVSS 9.3)**

* **Description:** Insufficient input validation leading to a memory overread.
* **Impact:** Leakage of sensitive memory contents such as **session tokens**, which can be replayed to gain unauthorized access and **bypass multi-factor authentication (MFA)**.
* **Related:** Shares similarities with the **CitrixBleed (CVE-2023-4966)** vulnerability, previously exploited by ransomware groups such as **LockBit** and linked to the Xfinity data breach.
* **Exploitation Status:** **No exploitation observed so far**, but the **risk is high**.

**CVE-2025-6543 (CVSS 9.2)**

* **Description:** Memory overflow that can alter control flow and cause **denial of service (DoS)**.
* **Exploitation Status:** **Exploited in the wild** (*zero-day*).

---

## **Affected Versions**

**CVE-2025-5777 affects versions:**

* NetScaler ADC and NetScaler Gateway 14.1 BEFORE 14.1-43.56
* NetScaler ADC and NetScaler Gateway 13.1 BEFORE 13.1-58.32
* NetScaler ADC 13.1-FIPS and NDcPP BEFORE 13.1-37.235-FIPS and NDcPP
* NetScaler ADC 12.1-FIPS BEFORE 12.1-55.328-FIPS

**CVE-2025-6543 affects versions:**

* NetScaler ADC and NetScaler Gateway 14.1-47.46 and later releases
* NetScaler ADC and NetScaler Gateway 13.1-59.19 and later releases of 13.1
* NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.236 and later releases of 13.1-FIPS and 13.1-NDcPP
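To turn the CVE-2025-5777 thresholds listed above into a quick fleet check, here is an added example (not from FPT or Citrix) that parses NetScaler release strings of the form `14.1-43.56` or `13.1-37.235-FIPS` and compares build numbers numerically, which matters because a plain string comparison would rank `43.9` above `43.56`. The release string is assumed to be taken from `show ns version` on each appliance, and the sample inventory is constructed for illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fix thresholds for CVE-2025-5777 exactly as listed on this page:
# (branch, fips_or_ndcpp) -> first fixed build; any build BEFORE it is affected.
FIXED_BUILDS_CVE_2025_5777 = {
    ((14, 1), False): (43, 56),
    ((13, 1), False): (58, 32),
    ((13, 1), True): (37, 235),   # 13.1-FIPS and 13.1-NDcPP
    ((12, 1), True): (55, 328),   # 12.1-FIPS
}

def parse_version(version: str) -> Tuple[Tuple[int, int], Tuple[int, int], bool]:
    """Split '14.1-43.56' or '13.1-37.235-FIPS' into (branch, build, fips_or_ndcpp)."""
    m = re.fullmatch(r"(\d+)\.(\d+)-(\d+)\.(\d+)(?:-(FIPS|NDcPP))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {version!r}")
    major, minor, build_hi, build_lo = (int(x) for x in m.groups()[:4])
    return (major, minor), (build_hi, build_lo), m.group(5) is not None

def is_affected_cve_2025_5777(version: str) -> Optional[bool]:
    """True if the build predates the fix for its branch, False if it is at or
    beyond the fix, None if the branch/variant is not in this page's list
    (e.g. non-FIPS 12.1), so the caller can treat it as 'needs manual review'."""
    branch, build, fips = parse_version(version)
    fixed = FIXED_BUILDS_CVE_2025_5777.get((branch, fips))
    if fixed is None:
        return None
    # Tuple comparison compares integers element by element, not strings.
    return build < fixed

def affected_hosts(inventory: Dict[str, str]) -> List[str]:
    """Hostnames whose release is affected, from a {hostname: version} map."""
    return sorted(h for h, v in inventory.items() if is_affected_cve_2025_5777(v))

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "ns-gw-01": "14.1-43.55",          # one build before the 14.1 fix
    "ns-gw-02": "14.1-43.56",          # fixed
    "ns-fips-01": "13.1-37.200-FIPS",  # before the FIPS fix
    "ns-fips-02": "13.1-37.235-NDcPP", # fixed
}

if __name__ == "__main__":
    print("Affected by CVE-2025-5777:", affected_hosts(SAMPLE_INVENTORY))
```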

---

## **Recommended Actions**

***FPT Threat Intelligence*** urgently recommends the following measures to address the vulnerabilities:

* **Apply the patches immediately** following Citrix's guidance: [**CVE-2025-6543**](https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX694788), [**CVE-2025-5777**](https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX693420)
* **Terminate all active sessions** after updating by running the following commands on the NetScaler CLI:

```bash
kill icaconnection -all
kill pcoipConnection -all
```

⚠️ Warning: Many organizations **did not terminate sessions after patching CitrixBleed**, which allowed **continued exploitation** using session tokens stolen before the patch was applied.

* **Check the system for signs of exploitation**, especially for **CVE-2025-6543**, which has been exploited in the wild.

**The IT security unit recommends that all organizations using Citrix NetScaler urgently review, update, and implement necessary response measures.**

---

#### **References**

* [**Citrix patches critical 0-day amid ‘CitrixBleed 2’ concerns**](https://www.scworld.com/news/citrix-patches-critical-0-day-amid-citrixbleed-2-concerns)
* [**Critical Citrix NetScaler Flaw Exploited as Zero-Day**](https://www.securityweek.com/critical-citrix-netscaler-flaw-exploited-as-zero-day/)
* [**NetScaler Critical Security Updates**](https://www.netscaler.com/blog/news/netscaler-critical-security-updates-for-cve-2025-6543-and-cve-2025-5777/)
