Updated June 25, 22:17 GMT. OK kids, this one isn't being popped yet, but ANOTHER one now officially is. CVE-2025-6543 is being seen exploited in the wild, says Citrix. Patches are available; no public IOCs yet.

Security experts are warning that a critical Citrix vulnerability (CVSS 9.3), allocated CVE-2025-5777 has the potential to be as bad as “Citrix Bleed” (CVE-2023-4966) – a vulnerability widely exploited by ransomware gangs to hack the likes of Boeing and the world’s largest bank, ICBC in 2023. 

Citrix is urging customers to upgrade promptly and kill active sessions. 

The CVSS 4.0 score of 9.3 suggests that CVE-2025-5777 is remotely exploitable by an unauthenticated attacker.

A Citrix advisory posted on June 17 said that the vulnerability could only be exploited via an exposed management interface (bad practice, and not the default). But an update on Monday has triggered widespread industry alarm bells by confirming that in fact CVE-2025-5777 can be remotely exploited when NetScaler is configured as a Gateway (VPN virtual server, ICA or RDP proxy) or as an AAA virtual server. (Common and widespread.)

Security researcher Kevin Beaumont, who spotted the change, says a Shodan search suggests that over 56,000 instances may be exposed.

(Citrix has not confirmed exploitation, but given previous extensive exploitation of NetScaler vulnerabilities, reverse engineering of the patch is likely well underway by “bad actors” and exploitation can be expected.)

That change in wording can be found in the NVD changelog. Citrix’s own advisory, as reviewed by The Stack late Tuesday (June 24) did not state that it had updated the advisory, although the wording has changed. 

Citrix says CVE-2025-5777 affects NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) including in its “Secure Private Access on-prem or Secure Private Access Hybrid” deployments. 

Its advisory adds: “We recommend running the following commands to terminate all active ICA and PCoIP sessions after all NetScaler appliances in the HA pair or cluster have been upgraded to the fixed builds:

kill icaconnection -all
kill pcoipConnection -all

A Russian report?

And it may have been reported to the company by a Russian cybersecurity company, Positive Technologies, that is currently sanctioned by the US government; i.e. an exploit may potentially be in untrusted hands. 

(Citrix bundled two security advisories together, also reporting CVE-2025-5349, a high-severity bug in the NetScaler Management Interface. It attributed the two to Russia’s Positive Technologies and Italy’s ITA MOD CERT. The Stack has sought clarification from Citrix on precise attribution for the bugs and will update this article when we have a response.)

The NVD’s description of the bug says it is due to “insufficient input validation leading to memory overread.” As Beaumont suggests, it “allows an attacker to read memory [which] may include sensitive information. Session tokens can be replayed to steal Citrix sessions, bypassing MFA.”

“That was the problem with CitrixBleed.”

Savvy security researchers are no doubt scrambling as we write to reverse the patch and provide more detail on the precise attack path.

Citrix vulnerability exploitation

Writing up and mailshotting a security advisory for a bug that has not been reported exploited yet may seem overzealous or FUD-tastic of us. But notably, exploitation of one Citrix vulnerability (CVE-2023-3519) alone triggered “13 separate nationally significant incidents” in the UK in 2023.

A separate critical Citrix vulnerability in 2023, “CitrixBleed” saw exploitation start in late August 2023. By October 2023, multiple ransomware groups were exploiting the vulnerability, including via automated attacks. That Citrix bug gave attackers the ability to hijack existing authenticated sessions, allowing them to bypass MFA or other strong authentication requirements.

One thing that some defenders missed: Attackers’ sessions could persist even after the update to mitigate CVE-2023-4966 had been deployed.

(Mandiant warned it saw “session hijacking where session data was stolen prior to the patch deployment, and subsequently used by a threat actor.”)
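As an added illustration of that lesson (example code written for this article, not from The Stack, Citrix or Mandiant), the Python below flags sessions that were established before a fixed build was deployed and are still in use afterwards, or that are used from more than one client address. The record format, the sample records and the patch timestamp are all constructed assumptions, not NetScaler's real log format.

```python
from datetime import datetime, timezone

# Constructed sample records (not real NetScaler log output): one line per
# authenticated Gateway request, as "timestamp session_id user src_ip".
SAMPLE_RECORDS = """\
2025-06-24T09:00:00Z sess-a1 alice 203.0.113.10
2025-06-24T09:05:00Z sess-b2 bob 198.51.100.7
2025-06-24T13:10:00Z sess-a1 alice 203.0.113.10
2025-06-24T13:12:00Z sess-a1 alice 192.0.2.99
2025-06-24T13:30:00Z sess-c3 carol 198.51.100.8
"""

# Hypothetical time the fixed build was deployed and all sessions should have been killed.
PATCH_TIME = datetime(2025, 6, 24, 12, 0, tzinfo=timezone.utc)


def parse_records(text):
    """Parse the constructed format into (time, session_id, user, src_ip) tuples."""
    out = []
    for line in text.splitlines():
        if line.strip():
            ts, sid, user, ip = line.split()
            out.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), sid, user, ip))
    return out


def find_suspicious_sessions(records, patch_time):
    """Return {session_id: [reasons]} for sessions worth investigating.

    survived_patch: first seen before the fixed build, still used after it
                    (the session was never terminated after patching).
    multiple_source_ips: one session id used from more than one client address,
                    consistent with a replayed (stolen) session token.
    """
    first_seen, last_seen, ips = {}, {}, {}
    for ts, sid, _user, ip in records:
        first_seen.setdefault(sid, ts)
        last_seen[sid] = max(last_seen.get(sid, ts), ts)
        ips.setdefault(sid, set()).add(ip)
    findings = {}
    for sid in first_seen:
        reasons = []
        if first_seen[sid] < patch_time <= last_seen[sid]:
            reasons.append("survived_patch")
        if len(ips[sid]) > 1:
            reasons.append("multiple_source_ips")
        if reasons:
            findings[sid] = reasons
    return findings
```

On the sample data only sess-a1 is flagged, for both reasons: it predates the patch, is still active after it, and is used from two different addresses.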

Citrix's tens of thousands of exposed customers should very much err on the side of “patch urgently”. As Benjamin Harris, CEO and founder of attack surface management firm watchTowr put it: “This vulnerability checks all the boxes for inevitable attacker interest. In-the-wild exploitation will happen at some point, and organizations should be dealing with this as an IT incident.

“Patch now - this vulnerability is likely to be in your KEV feeds soon.”
