Cloud Vulnerability DB
A community-led vulnerabilities database
Vulnerability DatabaseCVE-2025-5777
CVE-2025-5777:
Citrix ADC VPX vulnerability analysis and mitigation
Overview
CVE-2025-5777 is a critical security vulnerability disclosed on June 17, 2025, affecting NetScaler ADC and NetScaler Gateway systems. The vulnerability is characterized by insufficient input validation leading to memory overread when the NetScaler is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server. It has been labeled "Citrix Bleed 2" due to its similarity to CVE-2023-4966 and received a critical CVSS 4.0 base score of 9.3 (Arctic Wolf, Wiz).
Technical details
The vulnerability is classified as an out-of-bounds read flaw (CWE-125) that stems from insufficient input validation. Similar to the previous CitrixBleed vulnerability, it allows unauthorized attackers to grab valid session tokens from the memory of internet-facing Netscaler devices by sending malformed requests. The vulnerability is exploitable over the network without any privileges or user interaction (Wiz, Hacker News).
Impact
When successfully exploited, the vulnerability allows attackers to obtain session tokens from memory, which can then be used to bypass multi-factor authentication (MFA) protections and gain unauthorized access to authenticated sessions. Session tokens are typically used in broader authentication frameworks, such as API calls or persistent application sessions, meaning attackers could potentially maintain access longer and operate across multiple systems without detection, even after the user has terminated the browser session (Hacker News).
Mitigation and workarounds
Citrix has released security updates to address the vulnerability. Affected versions include NetScaler ADC and NetScaler Gateway 14.1 prior to v14.1-43.56, 13.1 prior to v13.1-58.32, and NetScaler ADC 13.1-FIPS and NDcPP prior to v13.1-37.235-FIPS and NDcPP. After upgrading, customers are advised to run commands to terminate all active ICA and PCoIP sessions: 'kill icaconnection -all' and 'kill pcoipConnection -all' to ensure potentially compromised sessions are closed (Arctic Wolf).
Community reactions
Security researchers and industry experts have emphasized the critical nature of this vulnerability, particularly noting its similarities to the previous CitrixBleed vulnerability. ReliaQuest has highlighted that CVE-2025-5777 introduces new risks by targeting session tokens instead of session cookies, potentially allowing for more persistent unauthorized access (Hacker News).
Additional resources
Source: This report was generated using AI
Free Vulnerability Assessment
Benchmark your Cloud Security Posture
Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.
Additional Wiz resources
Get a personalized demo
Ready to see Wiz in action?
"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management