Executive Summary

    Cloud Software Group, the holding company of Citrix, recently disclosed multiple critical vulnerabilities affecting Citrix NetScaler ADC and Gateway products, the most severe being CVE-2025-6543 and CVE-2025-5777. These vulnerabilities allow unauthenticated attackers to trigger memory overflows, potentially hijack authentication sessions, and could ultimately give an attacker unauthorized access to affected Citrix systems:

    CVE-2025-6543 is reported as already exploited in the wild. It allows an unauthenticated attacker to trigger a memory overflow that can crash affected gateway processes and create denial-of-service (DoS) conditions.

    CVE-2025-5777, dubbed “CitrixBleed 2,” has not yet been publicly reported as successfully exploited in the wild, but it enables a memory flaw that attackers could use to remotely leak session tokens, harvest credentials, or steal other sensitive information from public-facing gateways without any prior authentication.

    Because NetScaler appliances are typically internet facing and facilitate remote, authorized access to otherwise restricted systems, successful exploitation could result in operational impacts and a foothold for lateral movement inside an organization.

    Beazley Security recommends organizations immediately patch all NetScaler instances and then terminate any active sessions to prevent session hijacking attacks.

    Affected Systems or Products

    Citrix specifically states, “NetScaler must be configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server,” as a precondition for being affected.

    In the same advisory, Citrix states ADC and Gateway versions 12.1 and 13.0 are end of life (EOL), are no longer supported, and should be updated to supported versions to receive fixes.

    NetScaler ADC and NetScaler Gateway 14.1
        Affected:   prior to 14.1-43.56 (both CVEs); 14.1-43.56 up to, but not including, 14.1-47.46 (CVE-2025-6543 only)
        Unaffected: 14.1-47.46 and later

    NetScaler ADC and NetScaler Gateway 13.1
        Affected:   prior to 13.1-58.32 (both CVEs); 13.1-58.32 up to, but not including, 13.1-59.19 (CVE-2025-6543 only)
        Unaffected: 13.1-59.19 and later

    NetScaler ADC and NetScaler Gateway 12.1 and 13.0 (EOL)
        Affected:   all builds
        Unaffected: none; update to a supported version

    NetScaler ADC 13.1-FIPS and 13.1-NDcPP
        Affected:   prior to 13.1-37.235 (both CVEs); 13.1-37.235 (CVE-2025-6543 only)
        Unaffected: 13.1-37.236 and later

    Note: Citrix tracks the two CVEs in separate bulletins with different first-fixed builds. 14.1-43.56, 13.1-58.32 and 13.1-37.235-FIPS/NDcPP fix CVE-2025-5777 (CTX693420); 14.1-47.46, 13.1-59.19 and 13.1-37.236-FIPS/NDcPP fix CVE-2025-6543 (CTX694788). The table merges both because of their close release dates and common weakness class; only the "Unaffected" builds close both issues.
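    Because the two bulletins use different first-fixed builds, an appliance can be patched for CVE-2025-5777 and still be exposed to CVE-2025-6543. The following script, an added example that is not part of the original advisory or any Citrix tooling, encodes the table above and reports which of the two CVEs a given build is still exposed to. It accepts the notation used in Citrix bulletins ("14.1-43.56", "13.1-37.235-FIPS") and, as an assumption about typical CLI output not taken from the advisory, the first line of `show ns version` ("NetScaler NS14.1: Build 43.56.nc, ..."). The sample inventory at the bottom is constructed, not real appliance output.

```python
import re

# First fixed builds from the advisory table (CVE-2025-5777 per CTX693420,
# CVE-2025-6543 per CTX694788).  Key: (release train, FIPS/NDcPP build?).
FIXED_BUILDS = {
    ("14.1", False): {"CVE-2025-5777": (43, 56), "CVE-2025-6543": (47, 46)},
    ("13.1", False): {"CVE-2025-5777": (58, 32), "CVE-2025-6543": (59, 19)},
    ("13.1", True):  {"CVE-2025-5777": (37, 235), "CVE-2025-6543": (37, 236)},
}
ALL_CVES = ("CVE-2025-5777", "CVE-2025-6543")
# Trains Citrix lists as end of life: no fixed build exists, upgrade instead.
EOL_RELEASES = {"12.1", "13.0"}

# Bulletin notation, e.g. "14.1-43.56" or "13.1-37.235-FIPS".
_BULLETIN_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)(?:-(FIPS|NDcPP))?$", re.IGNORECASE)
# First line of `show ns version`, e.g. "NetScaler NS14.1: Build 43.56.nc, Date: ...".
# That layout is an assumption about typical CLI output, not from the advisory.
_SHOW_VERSION_RE = re.compile(r"NS(\d+\.\d+):\s*Build\s+(\d+)\.(\d+)", re.IGNORECASE)


def parse_build(text):
    """Return (release, (major, minor), fips) from either notation."""
    text = text.strip()
    m = _BULLETIN_RE.match(text)
    if m:
        return m.group(1), (int(m.group(2)), int(m.group(3))), m.group(4) is not None
    m = _SHOW_VERSION_RE.search(text)
    if m:
        # The banner does not say whether this is a FIPS/NDcPP build;
        # callers must pass fips=True to assess() for those appliances.
        return m.group(1), (int(m.group(2)), int(m.group(3))), False
    raise ValueError(f"unrecognised NetScaler build string: {text!r}")


def assess(text, fips=False):
    """Return which of the two CVEs a build is still exposed to.

    The Gateway/AAA virtual server precondition stated by Citrix is not
    checked here; the result only says whether the code is fixed.
    """
    release, build, suffix_fips = parse_build(text)
    fips = fips or suffix_fips
    if release in EOL_RELEASES:
        return {"release": release, "build": build, "eol": True,
                "unpatched": list(ALL_CVES)}
    fixes = FIXED_BUILDS.get((release, fips))
    if fixes is None:
        raise ValueError(f"no fix data for release {release} (fips={fips})")
    # Tuple comparison orders (major, minor) numerically, so 43.56 < 47.46.
    unpatched = sorted(cve for cve, first_fixed in fixes.items() if build < first_fixed)
    return {"release": release, "build": build, "eol": False, "unpatched": unpatched}


if __name__ == "__main__":
    # Constructed sample inventory, not output from real appliances.
    samples = [
        ("14.1-43.56", False),   # CVE-2025-5777 fixed, CVE-2025-6543 still open
        ("NetScaler NS14.1: Build 47.46.nc, Date: (constructed)", False),
        ("13.1-58.32", False),
        ("13.1-37.235-FIPS", False),
        ("13.0-90.12", False),   # end-of-life train
    ]
    for text, fips in samples:
        print(text, "->", assess(text, fips))
```

    Run the script against the version strings collected from each appliance; anything that returns a non-empty "unpatched" list or "eol": True still needs an upgrade, and only builds that clear both CVEs count as remediated for the purposes of the session-termination step described under Patches.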

    Mitigations / Workarounds

    Due to the internet-facing nature of NetScaler Gateway services, Beazley Security strongly encourages affected organizations to immediately update to fixed versions of the software.

    For systems that cannot be immediately patched, the following temporary mitigations may help:

    • If possible, restrict external access or isolate vulnerable NetScaler Gateways and allow only trusted network ranges to services.

    • Implement real-time monitoring for unusual traffic patterns and DoS attempts.

    • Restrict access to NetScaler Management Interfaces (NSIP) to only trusted, authorized administrative networks.

    • Consider high availability (HA) load-balanced deployments with fail-over capability to help maintain service availability if targeted by DoS attacks (CVE-2025-6543 only).

    Patches

    Patches and update instructions have been made available through Citrix’s standard update channels. NetScaler releases are restricted-access downloads and require an active support account on Citrix’s support portal.

    • Critical CVE-2025-6543 is being tracked by Citrix in article CTX694788.

    • Critical CVE-2025-5777 and CVE-2025-5349 are being tracked by Citrix in article CTX693420.

    After the patches have been applied to all NetScaler appliances, Citrix recommends running the following commands from the NetScaler command line to terminate active ICA and PCoIP sessions, so that any session tokens leaked before patching cannot be replayed:

    kill icaconnection -all
    kill pcoipConnection -all

    Beazley Security recommends that affected organizations update to unaffected versions tracked in the most recent security bulletin CTX694788 to fix both critical vulnerabilities.

    Indicators of Compromise

    Based on available information at the time of this writing, no specific indicators of compromise (IoCs) have been disclosed from Citrix. Exploitation targets memory overflow flaws that may not leave traditional IoCs behind.

    Observed behavior for CVE-2025-6543 could include crash entries in logs, repeated SSL handshake resets, and suspiciously padded requests to the affected gateways.

    Technical Details

    CVE-2025-6543 (CVSS 9.2) is a 0-day memory overflow vulnerability that stems from improper restriction of operations within memory buffers. The flaw affects NetScaler deployments configured as gateway services, including VPN virtual servers, ICA proxy, CVPN, RDP Proxy, or AAA virtual servers. Successful exploitation has been reported, leading to DoS conditions due to memory overflow and process crashes.

    At the time of this writing, no public details have been disclosed as to how, or through which specific components or flaws on the NetScaler gateway, CVE-2025-6543 is being exploited. However, the attack can be performed with unauthenticated remote requests, potentially disabling affected appliances and creating operational outages on systems that could be considered critical infrastructure. Beazley Security Labs will continue to watch for additional details on how CVE-2025-6543 is being exploited and update as appropriate.

    CVE-2025-5777 (CVSS 9.3), dubbed “CitrixBleed 2,” is a memory-disclosure vulnerability in NetScaler ADC and Gateway appliances: insufficient input validation allows an unauthenticated attacker to trigger an out-of-bounds memory read on an affected appliance.

    If successful, attackers could cause the system to respond with portions of its memory that could eventually expose sensitive data, such as valid session tokens, auth cookies, and credentials. The flaw is related to the behavior and impact reported in the original CitrixBleed vulnerability (CVE-2023-4966) where attackers were able to successfully extract session cookies and bypass multi-factor authentication in victim environments.

    At the time of this writing, there is no public evidence the flaw has been successfully exploited in the wild. However, researcher Kevin Beaumont called out that related NIST advisories have been edited to remove statements that the flaw only exists on management interfaces, which inherently increases potential exposure.

    Appendix

    Beazley Security is monitoring client perimeter devices through our Karma product to identify impacted appliances and support organizations in remediation of any issues found.

    We are also conducting threat hunts across our MDR environment to detect potential exploitation attempts against our clients.