CVE-2025-5777: 
Citrix ADC VPX 취약성 분석 및 완화

CVE-2025-5777 is a critical security vulnerability disclosed on June 17, 2025, affecting NetScaler ADC and NetScaler Gateway systems. The vulnerability is characterized by insufficient input validation leading to memory overread when the NetScaler is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server. It has been labeled "Citrix Bleed 2" due to its similarity to CVE-2023-4966 and received a critical CVSS 4.0 base score of 9.3 (Arctic Wolf, Wiz).

The vulnerability is classified as an out-of-bounds read flaw (CWE-125) that stems from insufficient input validation. Similar to the previous CitrixBleed vulnerability, it allows unauthorized attackers to grab valid session tokens from the memory of internet-facing Netscaler devices by sending malformed requests. The vulnerability is exploitable over the network without any privileges or user interaction (Wiz, Hacker News).

When successfully exploited, the vulnerability allows attackers to obtain session tokens from memory, which can then be used to bypass multi-factor authentication (MFA) protections and gain unauthorized access to authenticated sessions. Session tokens are typically used in broader authentication frameworks, such as API calls or persistent application sessions, meaning attackers could potentially maintain access longer and operate across multiple systems without detection, even after the user has terminated the browser session (Hacker News).

Citrix has released security updates to address the vulnerability. Affected versions include NetScaler ADC and NetScaler Gateway 14.1 prior to v14.1-43.56, 13.1 prior to v13.1-58.32, and NetScaler ADC 13.1-FIPS and NDcPP prior to v13.1-37.235-FIPS and NDcPP. After upgrading, customers are advised to run commands to terminate all active ICA and PCoIP sessions: 'kill icaconnection -all' and 'kill pcoipConnection -all' to ensure potentially compromised sessions are closed (Arctic Wolf).

Security researchers and industry experts have emphasized the critical nature of this vulnerability, particularly noting its similarities to the previous CitrixBleed vulnerability. ReliaQuest has highlighted that CVE-2025-5777 introduces new risks by targeting session tokens instead of session cookies, potentially allowing for more persistent unauthorized access (Hacker News).