Full Report
Detect and mitigate CVE-2025-5349, CVE-2025-5777, and CVE-2025-6543, Citrix Netscaler ADC and Gateway vulnerabilities being exploited in the wild. Organizations should patch urgently.
Analysis Summary
# Vulnerability: Multiple Critical Flaws in Citrix NetScaler ADC and Gateway
## CVE Details
- CVE ID: CVE-2025-5349, CVE-2025-5777, CVE-2025-6543
- CVSS Score: 8.7 (CVE-2025-5349), 9.3 (CVE-2025-5777), 9.2 (CVE-2025-6543)
- Severity: High (for 5349), Critical (for 5777 & 6543)
- CWE: Insufficient Input Validation (5777), Improper Access Control (5349)
## Affected Systems
- Products: NetScaler ADC, NetScaler Gateway
- Versions:
  - **14.1**: vulnerable up to 14.1-43.56
  - **13.1**: vulnerable up to 13.1-58.32 (including 13.1-FIPS/NDcPP up to 13.1-37.235-FIPS/NDcPP)
  - **12.1-FIPS**: vulnerable up to 12.1-55.328-FIPS
- Configurations:
  - CVE-2025-5777 affects systems configured as Gateways or AAA virtual servers.
  - CVE-2025-5349 requires network access to NSIP, Cluster Management IP, or a local GSLB Site IP.
- Note: Versions 12.1 and 13.0 are End-of-Life (EOL) and remain unpatched.
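A quick way to triage an inventory against the ranges listed above is to parse the build string and compare it branch by branch. The following checker is an added example written for this page, not Citrix tooling. It assumes the listed build in each branch is the first fixed build (the page says "up to", so confirm the exact fixed builds against the vendor advisory), treats 12.1 and 13.0 as EOL and unpatched as the page states, and recognises FIPS/NDcPP builds only when the suffix is present in the string. The `show ns version` layout it accepts ("NetScaler NS14.1: Build 43.56.nc, ...") is an assumption about that command's output format.

```python
import re

# Affected ranges as listed on this page, keyed by (branch, variant).
# The listed build is treated here as the first fixed build, i.e. builds
# earlier than it count as affected (assumption: the page says "up to";
# confirm the fixed builds against the Citrix advisory before relying on this).
FIRST_FIXED_BUILD = {
    ("14.1", ""): (43, 56),
    ("13.1", ""): (58, 32),
    ("13.1", "FIPS"): (37, 235),
    ("13.1", "NDcPP"): (37, 235),
    ("12.1", "FIPS"): (55, 328),
}

# Branches the page lists as End-of-Life with no patch available.
EOL_BRANCHES = {"12.1", "13.0"}

# Build strings in the advisory's "14.1-43.56" / "13.1-37.235-FIPS" form.
ADVISORY_FORM = re.compile(
    r"^(?P<branch>\d+\.\d+)-(?P<major>\d+)\.(?P<minor>\d+)(?:-(?P<variant>FIPS|NDcPP))?$"
)

# The form printed by `show ns version` (assumed layout, e.g.
# "NetScaler NS14.1: Build 43.56.nc, Date: ..."); the trailing ".nc" is ignored.
SHOW_VERSION_FORM = re.compile(
    r"NetScaler NS(?P<branch>\d+\.\d+): Build (?P<major>\d+)\.(?P<minor>\d+)(?:\.\w+)?"
)


def parse_build(text):
    """Return (branch, variant, (major, minor)) or None if the string is unrecognised."""
    m = ADVISORY_FORM.match(text.strip()) or SHOW_VERSION_FORM.search(text)
    if not m:
        return None
    variant = m.groupdict().get("variant") or ""
    return m.group("branch"), variant, (int(m.group("major")), int(m.group("minor")))


def assess(text):
    """Classify a build as 'vulnerable', 'fixed', 'eol_unpatched' or 'unknown'.

    Builds numerically below the first fixed build of their branch/variant are
    'vulnerable'; builds on an EOL branch with no listed fix are 'eol_unpatched'.
    """
    parsed = parse_build(text)
    if parsed is None:
        return "unknown"
    branch, variant, build = parsed
    threshold = FIRST_FIXED_BUILD.get((branch, variant))
    if threshold is not None:
        return "vulnerable" if build < threshold else "fixed"
    if branch in EOL_BRANCHES:
        return "eol_unpatched"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for build in ["14.1-43.50", "14.1-43.56", "13.1-37.200-FIPS", "13.0-92.21",
                  "NetScaler NS14.1: Build 43.56.nc, Date: Jun 1 2025"]:
        print(f"{build!r}: {assess(build)}")
```

Feed it the build strings collected from each appliance; anything reported as `vulnerable` or `eol_unpatched` needs the upgrade path from the Remediation section, and `unknown` results should be resolved by hand rather than assumed safe.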
## Vulnerability Description
Three critical vulnerabilities have been disclosed:
1. **CVE-2025-5777 (Memory Overread):** Arises from insufficient input validation. An unauthenticated remote attacker sending a crafted HTTP request can lead to memory overreads, potentially leaking sensitive information such as session tokens and user credentials. This vulnerability has been nicknamed "CitrixBleed 2" due to similarities with CVE-2023-4966.
2. **CVE-2025-5349 (Improper Access Control):** Affects the NetScaler Management Interface. Successful exploitation allows unauthorized access to sensitive management functionality if specific network interfaces (NSIP, Cluster Management IP, or GSLB Site IP) are accessible.
3. **CVE-2025-6543 (Memory Overflow):** A critical memory overflow flaw affecting Gateways or AAA virtual servers. Although officially described as enabling denial of service (DoS), its CVSS score suggests potential for unauthenticated remote code execution, with severe impact on confidentiality, integrity and availability.
## Exploitation
- Status:
  - CVE-2025-5777: Proof-of-Concept (PoC) available; evidence of exploitation observed in the wild.
  - CVE-2025-6543: Confirmed exploited in the wild as a 0-day prior to disclosure.
  - CVE-2025-5349: Status not explicitly detailed, but the recommended action implies active risk.
- Complexity: Memory-corruption bugs of this kind usually require targeted effort (Medium/High), but the severity ratings and the observed in-the-wild activity suggest initial exploitation is low-complexity.
- Attack Vector: Network (Remote; unauthenticated exploitation possible for 5777 and 6543).
## Impact
| Vulnerability | Confidentiality | Integrity | Availability |
| :--- | :--- | :--- | :--- |
| CVE-2025-5777 | High (Session Token/Credential Leakage) | Indirect | Indirect |
| CVE-2025-5349 | High (Unauthorized Management Access) | High | Medium |
| CVE-2025-6543 | High | High | High (DoS/RCE Potential) |
## Remediation
### Patches
Organizations must upgrade to the latest fixed versions for supported branches:
- **Supported Versions:** Update to fixed versions within branches **14.1** and **13.1**. (Specific fixed builds not listed, refer to vendor advisory).
### Workarounds
1. **Upgrade EOL Systems:** Organizations running EOL versions (12.1 or 13.0) are **strongly urged to upgrade immediately** to supported builds, as no patches are available for EOL versions.
2. **Terminate Sessions:** After upgrading, terminate all active ICA and PCoIP sessions. (Specific commands should be referenced in the vendor advisory).
## Detection
- **Indicators of Compromise (IoCs):** Customers investigating potential compromise related to CVE-2025-5777 should request specific IoC information directly from Citrix customer support.
- **Detection Methods and Tools:**
  - Security teams can check known lists of IP addresses/domains hosting affected products (e.g., published by Kevin Beaumont) to identify potential exposure to CVE-2025-5777.
  - Check `ns.log` entries for reports of non-printable characters, which may indicate successful exploitation attempts of CVE-2025-5777 (Horizon3 recommendation).
  - Cloud security platforms (e.g., Wiz Threat Center) may offer pre-built queries to identify vulnerable instances.
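The `ns.log` check above is easy to automate. The scanner below is an added example for this page (not Horizon3's or Citrix's tooling): it reads a log as raw bytes, flags lines that contain characters outside printable text, and reports where in the line they start. It decodes each line as UTF-8 first so that legitimate non-ASCII usernames (accented characters, for instance) are not reported; only control bytes and invalid byte sequences count as non-printable. The sample log lines are constructed for the example and only loosely imitate the `ns.log` layout.

```python
def nonprintable_positions(line: bytes) -> list:
    """Byte offsets of characters in `line` that are not printable text.

    Valid UTF-8 is inspected character by character (tab is tolerated);
    anything that is not valid UTF-8 is checked byte by byte against
    printable ASCII, so raw binary leaked into a field is reported.
    """
    try:
        text = line.decode("utf-8")
    except UnicodeDecodeError:
        return [i for i, b in enumerate(line) if not (b == 0x09 or 0x20 <= b <= 0x7E)]
    offsets = []
    pos = 0
    for ch in text:
        if not (ch.isprintable() or ch == "\t"):
            offsets.append(pos)
        pos += len(ch.encode("utf-8"))
    return offsets


def scan_ns_log(data: bytes) -> list:
    """Return one finding per log line containing non-printable characters."""
    findings = []
    for line_no, raw in enumerate(data.splitlines(), start=1):
        raw = raw.rstrip(b"\r\n")
        offsets = nonprintable_positions(raw)
        if offsets:
            findings.append({
                "line": line_no,
                "count": len(offsets),
                "first_offset": offsets[0],
                # Escape the bad bytes so the preview is safe to print.
                "preview": raw.decode("utf-8", "backslashreplace")[:160],
            })
    return findings


# Constructed sample (not a real capture): a clean login line, a line whose
# user field carries raw control/high bytes, and a line with a legitimate
# UTF-8 username that must not be flagged.
SAMPLE_NS_LOG = b"\n".join([
    b'Jun 30 10:15:02 <local0.info> 192.0.2.10 06/30/2025:10:15:02 GMT ns 0-PPE-0 : '
    b'default AAATM Message 101 0 :  "Login attempt user=alice"',
    b'Jun 30 10:15:09 <local0.info> 192.0.2.10 06/30/2025:10:15:09 GMT ns 0-PPE-0 : '
    b'default AAATM Message 102 0 :  "Login attempt user=\x00\x8f\x1b\x07"',
    b'Jun 30 10:15:11 <local0.info> 192.0.2.10 06/30/2025:10:15:11 GMT ns 0-PPE-0 : '
    b'default AAATM Message 103 0 :  "Login attempt user=j\xc3\xb6rg"',
])


if __name__ == "__main__":
    for f in scan_ns_log(SAMPLE_NS_LOG):
        print(f"line {f['line']}: {f['count']} non-printable byte(s) "
              f"from offset {f['first_offset']}: {f['preview']}")
```

Run it over an exported `ns.log` (`scan_ns_log(open(path, "rb").read())`); a hit is a lead for investigation, not proof of compromise, so correlate flagged lines with session and authentication events from the same time window and with the IoC information obtained from Citrix support.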
## References
- Citrix advisory: hxxps://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX693420&articleTitle=NetScaler_ADC_and_NetScaler_Gateway_Security_Bulletin_for_CVE_2025_5349_and_CVE_2025_5777
- Citrix blogpost: hxxps://www.netscaler.com/blog/news/netscaler-critical-security-updates-for-cve-2025-6543-and-cve-2025-5777/
- PoC Example: hxxps://cloud.projectdiscovery.io/library/CVE-2025-5777