Critical vulnerabilities in NetScaler ADC exploited in-the-wild: everything you need to know

Detect and mitigate CVE-2025-5349, CVE-2025-5777, and CVE-2025-6543, Citrix Netscaler ADC and Gateway vulnerabilities being exploited in the wild. Organizations should patch urgently.


On June 17th, 2025, two critical vulnerabilities - CVE-2025-5349 and CVE-2025-5777 - were disclosed in Citrix Netscaler ADC and Netscaler Gateway, enabling unauthorized access to sensitive resources and memory overreads in specific configurations. Due to certain similarities between CVE-2025-5777 and CVE-2023-4966 (AKA “CitrixBleed”), in some publications this vulnerability has been nicknamed “CitrixBleed 2”.

On June 25, 2025, a third critical RCE vulnerability - CVE-2025-6543 - was also disclosed. This flaw affects the same products as above, with the vendor noting that it has been exploited in the wild as a 0-day. Customers are strongly advised to update to the latest fixed versions to mitigate these risks.

What are the vulnerabilities?

CVE-2025-5777: Memory Overread via Crafted HTTP Requests (CVSS 9.3)

CVE-2025-5777 arises from insufficient input validation, leading to memory overreads. While initially described as affecting only the NetScaler Management Interface, Citrix later confirmed that the vulnerability also impacts systems configured as Gateways or AAA virtual servers—a common enterprise deployment for Citrix and RDP remote access. By sending a crafted HTTP request, an unauthenticated remote attacker could leak sensitive memory contents, including session tokens, user credentials, and other confidential artifacts. This vulnerability resembles CVE-2023-4966 (CitrixBleed), where leaked session tokens were used to hijack active remote sessions.

CVE-2025-5349: Improper Access Control on Management Interface (CVSS 8.7)

CVE-2025-5349 is an improper access control vulnerability affecting the NetScaler Management Interface. Exploitation requires network access to specific interfaces such as the NSIP (NetScaler IP), Cluster Management IP, or a local GSLB Site IP. If exploited successfully, attackers could gain unauthorized access to sensitive management functionality, potentially compromising administrative control over affected devices.

CVE-2025-6543: Memory Overflow (CVSSv4 9.2)

CVE-2025-6543 is a critical memory overflow vulnerability affecting NetScaler ADC and NetScaler Gateway. While the flaw is described as enabling denial-of-service attacks, it could potentially allow for unauthenticated remote code execution based on its CVSS score, which indicates that the vulnerability severely impacts confidentiality, integrity, and availability. CVE-2025-6543 has been confirmed by Citrix as being exploited in the wild as a 0-day prior to public disclosure.

CVE-2025-6543 affects systems configured as Gateways or AAA virtual servers, and is not directly related to CVE-2025-5777 or CVE-2023-4966.

Wiz Research data: what’s the risk to cloud environments?

According to Wiz data, 3.5% of cloud environments have resources vulnerable to these vulnerabilities.

What sort of exploitation has been identified in the wild?

ReliaQuest has reported observing possible evidence of exploitation in the wild of CVE-2025-5777, and a proof-of-concept exploit for the vulnerability was published on July 3rd, 2025. This has since been successfully tested by security teams against vulnerable organizations, indicating that by now threat actors are likely to be including it in their toolkits as well.

Citrix have stated that CVE-2025-6543 was exploited in the wild as a 0-day, but haven’t made further details public. Citrix has advised customers interested in scanning for indicators of compromise to request this information from Citrix customer support.

Which products are affected?

The following products are vulnerable to CVE-2025-5349, CVE-2025-5777 and CVE-2025-6543:

  • NetScaler ADC and Gateway in versions from 14.1 to 14.1-43.56

  • NetScaler ADC and Gateway in versions from 13.1 to 13.1-58.32

  • NetScaler ADC in versions from 13.1-FIPS/NDcPP to 13.1-37.235-FIPS/NDcPP

  • NetScaler ADC in versions from 12.1-FIPS to 12.1-55.328-FIPS

Note: Versions 12.1 and 13.0 are EOL and remain vulnerable without updates.

Which actions should security teams take?

  • It is recommended to upgrade to a patched version as soon as possible. Patches are available for supported versions (13.1 and 14.1), while end-of-life versions (12.1 and 13.0) remain unpatched. Organizations running affected EOL versions are urged to upgrade immediately to supported builds.

  • After upgrading, terminate all active ICA and PCoIP sessions using the following commands:

      kill icaconnection -all
      kill pcoipConnection -all

  • Kevin Beaumont has published a list of IP addresses and domains identified as hosting the affected products - security teams can check if their organizations’ appliances are listed as vulnerable to CVE-2025-5777.

  • Based on their own research of CVE-2025-5777, Horizon3 have recommended checking for entries in ns.log that include non-printable characters, which may indicate successful exploitation of this vulnerability.

Wiz customers can use the pre-built query and advisory in the Wiz Threat Center to search for vulnerable instances in their environment.
