Full Report
Frequently asked questions about recent Citrix NetScaler ADC and Gateway vulnerabilities that have reportedly been exploited in the wild, including CVE-2025-5777 known as CitrixBleed 2.

## Background

Tenable’s Research Special Operations (RSO) team has compiled this blog to answer Frequently Asked Questions (FAQ) regarding CVE-2025-5777 and CVE-2025-6543, two Citrix NetScaler ADC and Gateway vulnerabilities that have reportedly been exploited in the wild.

## FAQ

### What vulnerabilities have been exploited?

As of the publication of this blog on June 27, active exploitation has been reported for the following CVEs:

| CVE | Description | CVSSv4 | Severity |
| --- | --- | --- | --- |
| CVE-2025-5777 | Citrix NetScaler ADC and Gateway Out-of-Bounds Read Vulnerability (“CitrixBleed 2”) | 9.3 | Critical |
| CVE-2025-6543 | Citrix NetScaler ADC and Gateway Denial of Service (DoS) Vulnerability | 9.2 | Critical |

### What is CVE-2025-5777 (CitrixBleed 2)?

CVE-2025-5777 is an out-of-bounds read vulnerability affecting Citrix NetScaler ADC and Gateway. Successful exploitation of this vulnerability would allow an attacker to read memory on an affected device, giving the attacker access to sensitive data including session tokens. These session tokens can be used to bypass multi-factor authentication (MFA) and allow the attacker to take over an authenticated session.

### Why is CVE-2025-5777 being called CitrixBleed 2?

The moniker CitrixBleed 2 was given to CVE-2025-5777 by security researcher Kevin Beaumont, who observed that this vulnerability is very similar to CVE-2023-4966, also known as CitrixBleed. The original CitrixBleed was widely abused by both ransomware groups and other threat actors, including advanced persistent threat (APT) actors. Given the similarities and likelihood of exploitation, Beaumont warned that “organisations patch, unless they want to become the detection in the wild after a security incident.”

### When was CVE-2025-5777 first disclosed?

CVE-2025-5777 was disclosed by Citrix in security bulletin CTX693420 on June 17.
In the same security bulletin, Citrix also addressed CVE-2025-5349, an improper access control vulnerability affecting the NetScaler Management Interface.

### Was CVE-2025-5777 exploited as a zero-day?

As of June 27, there is no indication that CVE-2025-5777 (CitrixBleed 2) was exploited as a zero-day. The initial security bulletin from Citrix did not contain any language about exploitation; however, on June 26, ReliaQuest released a blog post in which they note they have observed “indications of exploitation” and further state “ReliaQuest assesses with medium confidence that attackers are actively exploiting this vulnerability to gain initial access to targeted environments.” At the time this blog was published, Citrix had not updated their security bulletin to indicate active exploitation of CVE-2025-5777.

### What is CVE-2025-6543?

CVE-2025-6543 is a DoS vulnerability resulting from a memory overflow issue. While there are similarities in the vulnerability descriptions from Citrix between CVE-2025-6543 and CVE-2025-5777, Citrix released a Cloud Software Group blog post clarifying that these two vulnerabilities are not related.

### When was CVE-2025-6543 first disclosed?

CVE-2025-6543 was disclosed in security bulletin CTX694788 on June 25.

### Was CVE-2025-6543 exploited as a zero-day?

Yes, CVE-2025-6543 was exploited in the wild as a zero-day.
The initial security bulletin release indicated that exploitation had been observed, and Citrix confirmed in their supplementary blog post on June 26 that CVE-2025-6543 was exploited as a zero-day.

### Is there a proof-of-concept (PoC) available for these vulnerabilities?

As of the release of this blog post on June 27, no PoC has been publicly released for either of these vulnerabilities.

### Are patches or mitigations available for CVE-2025-5777?

Yes, Citrix released patches for the following NetScaler ADC and Gateway versions that also address CVE-2025-5349, which is not known to have been exploited:

| Affected Product | Affected Version | Fixed Version |
| --- | --- | --- |
| NetScaler ADC and NetScaler Gateway | Prior to 13.1-58.32 | 13.1-58.32 and later releases of 13.1 |
| NetScaler ADC and NetScaler Gateway | Prior to 14.1-43.56 | 14.1-43.56 and later releases |
| NetScaler ADC 12.1-FIPS | Prior to 12.1-55.328 | 12.1-55.328 and later releases of 12.1-FIPS |
| NetScaler ADC 13.1-FIPS and 13.1-NDcPP | Prior to 13.1-37.235 | 13.1-37.235 and later releases of 13.1-FIPS and 13.1-NDcPP |

Version 12.1 and 13.0 of NetScaler ADC and Gateway are end of life (EOL) and will not receive security updates.
Therefore, customers are strongly encouraged to upgrade to a fixed version listed above as soon as possible.

In addition, Citrix recommends terminating all active ICA and PCoIP sessions after applying the updates using the following commands:

```
kill icaconnection -all
kill pcoipConnection -all
```

We strongly recommend reviewing security bulletin CTX693420 for the latest guidance as additional instructions and recommendations may be updated in the future.

### Are patches or mitigations available for CVE-2025-6543?

Yes, Citrix released patches for the following NetScaler ADC and Gateway versions:

| Affected Product | Affected Version | Fixed Version |
| --- | --- | --- |
| NetScaler ADC and NetScaler Gateway | Prior to 13.1-59.19 | 13.1-59.19 and later releases of 13.1 |
| NetScaler ADC and NetScaler Gateway | Prior to 14.1-47.46 | 14.1-47.46 and later releases of 14.1 |
| NetScaler ADC 13.1-FIPS and NDcPP | Prior to 13.1-37.236 | 13.1-37.236 and later releases of 13.1-FIPS and 13.1-NDcPP |

Version 12.1 and 13.0 of NetScaler ADC and Gateway are end of life (EOL) and will not receive security updates. Therefore, customers are strongly encouraged to upgrade to a fixed version listed above as soon as possible.

Note that according to the security bulletin, “NetScaler must be configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server” in order to be vulnerable to CVE-2025-6543.

### Are Indicators of Compromise (IoCs) available?

According to the Citrix Cloud Software Group blog post, customers should contact Citrix customer support for updates on IoCs.
We also recommend reviewing their blog post for further updates on both CVE-2025-5777 and CVE-2025-6543.

### Has Tenable released any product coverage for these vulnerabilities?

A list of Tenable plugins for these vulnerabilities can be found on the individual CVE pages as they’re released:

- CVE-2025-5777
- CVE-2025-6543

This link will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.

## Get more information

- Citrix Security Bulletin CTX693420 (CVE-2025-5777, CVE-2025-5349)
- Citrix Security Bulletin CTX694788 (CVE-2025-6543)
- CitrixBleed 2: Electric Boogaloo CVE-2025–5777
- ReliaQuest Blog: Threat Spotlight: CVE-2025-5777: Citrix Bleed 2 Opens Old Wounds
- Tenable Blog: CVE-2023-4966: Citrix NetScaler ADC and NetScaler Gateway Information Disclosure Exploited in the Wild
- Tenable Blog: Frequently Asked Questions for CitrixBleed (CVE-2023-4966)
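
The two fixed-version tables in the FAQ, turned into a build check that triages an appliance inventory against both bulletins at once. This is an added example, not code from Tenable or Citrix; the edition labels (`standard`, `fips`), the function names and the inventory are assumptions made for illustration, and version strings are assumed to use the `13.1-58.32` form shown in the tables.

```python
import re

# First fixed build per (release, edition), copied from the two tables in the FAQ.
# "fips" stands for the FIPS and NDcPP rows; the edition labels are this example's own.
FIXED = {
    "CVE-2025-5777": {("13.1", "standard"): (58, 32), ("14.1", "standard"): (43, 56),
                      ("12.1", "fips"): (55, 328), ("13.1", "fips"): (37, 235)},
    "CVE-2025-6543": {("13.1", "standard"): (59, 19), ("14.1", "standard"): (47, 46),
                      ("13.1", "fips"): (37, 236)},
}
EOL_RELEASES = {"12.1", "13.0"}  # standard releases that receive no security updates

def parse(version):
    """Split '13.1-58.32' into ('13.1', (58, 32)) so builds compare numerically."""
    m = re.fullmatch(r"(\d+\.\d+)-(\d+)\.(\d+)", version.strip())
    if m is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))

def status(version, edition, cve):
    """Return 'fixed', 'needs-upgrade', 'eol' or 'unlisted' for one appliance and CVE."""
    release, build = parse(version)
    fixed = FIXED[cve].get((release, edition))
    if fixed is None:
        # No row on the page: either an EOL release or a track the table omits.
        return "eol" if edition == "standard" and release in EOL_RELEASES else "unlisted"
    return "fixed" if build >= fixed else "needs-upgrade"

def triage(inventory):
    """Map each host to its status for every CVE in FIXED."""
    return {host: {cve: status(ver, ed, cve) for cve in FIXED}
            for host, ver, ed in inventory}

# Constructed inventory (hostnames and builds are made up for illustration).
INVENTORY = [
    ("adc-a", "13.1-58.32", "standard"),   # patched for the first bulletin only
    ("adc-b", "14.1-47.46", "standard"),
    ("adc-c", "13.0-90.1", "standard"),    # EOL release
    ("adc-d", "13.1-37.235", "fips"),
    ("adc-e", "13.1-58.4", "standard"),    # 58.4 sorts below 58.32 numerically
]

if __name__ == "__main__":
    for host, result in triage(INVENTORY).items():
        print(host, result)
```

For CVE-2025-6543, `needs-upgrade` only means the build is below the fixed one; per the bulletin quoted in the FAQ, the appliance is vulnerable only when configured as Gateway or AAA virtual server.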
Analysis Summary
This summary is based only on the provided text, which primarily serves as a reference list and initial FAQ context for the mentioned CVEs, rather than presenting the full technical details for a single vulnerability. The data below synthesizes information explicitly named for the listed CVEs.
# Vulnerability: Citrix NetScaler/ADC Vulnerabilities (Likely Information Disclosure/Authentication Bypass)
## CVE Details
- CVE ID: CVE-2025-5777, CVE-2025-6543 (Note: CVE-2023-4966 is referenced as related context, "CitrixBleed")
- CVSS Score: Not explicitly provided in the text.
- CWE: Not explicitly provided in the text, but context implies high-severity flaws in Citrix NetScaler/ADC/Gateway.
## Affected Systems
- Products: Citrix NetScaler ADC, Citrix NetScaler Gateway
- Versions: Specific versions are **not listed** in this excerpt, but are detailed in the referenced documentation (CTX693420, CTX694788).
- Configurations: Products appear to be network-facing devices (ADC/Gateway).
## Vulnerability Description
The context refers to **CVE-2025-5777** ("CitrixBleed 2") and **CVE-2025-6543**, which are associated with the previously exploited **CVE-2023-4966** (CitrixBleed), suggesting these are subsequent or related critical vulnerabilities affecting Citrix NetScaler ADC and Gateway devices that may lead to information disclosure or system compromise using similar attack patterns.
## Exploitation
- Status: Mention of the related CVE-2023-4966 being "Exploited in the Wild." For the new CVEs (2025 series), the status is **Unclear / Implied Active Interest**.
- Complexity: Likely **Medium to High**, based on the severity implied by calling one variant "CitrixBleed 2."
- Attack Vector: Context suggests **Network** access is required, typical for ADC/Gateway vulnerabilities.
## Impact
- Confidentiality: Implied **High**, given the relation to CVE-2023-4966 (Information Disclosure).
- Integrity: Unknown based on text.
- Availability: Unknown based on text.
## Remediation
### Patches
- Patches are available via the following Citrix security bulletins:
  - **CTX693420** (Addresses CVE-2025-5777 and CVE-2025-5349)
  - **CTX694788** (Addresses CVE-2025-6543)
### Workarounds
- No specific workarounds are detailed in this excerpt; users are directed to the vendor advisories.
## Detection
- Detection focus is implied through the referenced Tenable resources (Tenable Vulnerability Management, Nessus, Security Center).
- Indicators of Compromise (IOCs) are likely discussed in detail within the linked vendor advisories or the Tenable blogs regarding active exploitation.
## References
- Vendor Advisory: support.citrix.com/support-home/kbsearch/article?articleNumber=CTX693420
- Vendor Advisory: support.citrix.com/support-home/kbsearch/article?articleNumber=CTX694788
- Research Blog: doublepulsar.com/citrixbleed-2-electric-boogaloo-cve-2025-5777-c7f5e349d206
- Threat Analysis: reliaquest.com/blog/threat-spotlight-citrix-bleed-2-vulnerability-in-netscaler-adc-gateway-devices/
- Related Context: tenable.com/blog/cve-2023-4966-citrix-netscaler-adc-and-netscaler-gateway-information-disclosure-exploited-in
- Related Context: tenable.com/blog/frequently-asked-questions-for-citrixbleed-cve-2023-4966