Full Report
Over 3,300 Citrix NetScaler devices remain unpatched against a critical vulnerability that allows attackers to bypass authentication by hijacking user sessions, nearly two months after patches were released. [...]
Analysis Summary
# Vulnerability: Citrix NetScaler Vulnerabilities Exploited in the Wild (CitrixBleed 2)
## CVE Details
- CVE ID: CVE-2025-6543, CVE-2025-5777 (Two vulnerabilities referenced, both related to Citrix NetScaler exploits)
- CVSS Score: Not explicitly provided in the text, but implied to be High/Critical due to active zero-day exploitation and operational disruption.
- CWE: Not explicitly provided in the text.
## Affected Systems
- Products: Citrix NetScaler SD-WAN appliances (from context, likely the NetScaler ADC/Gateway product line associated with "CitrixBleed").
- Versions: Vulnerable versions are not explicitly listed; any device without the vendor patches for these two CVEs should be treated as affected.
- Configurations: Devices exposed to external networks; the affected organizations were targeted through zero-day exploitation of such Internet-facing appliances.
## Vulnerability Description
The article highlights multiple critical organizations, particularly in the Netherlands, being successfully attacked via two distinct vulnerabilities in Citrix NetScaler, referred to generally as "CitrixBleed 2." CVE-2025-6543 was exploited as a zero-day since early May, with threat actors actively removing traces of compromise. The corresponding exploitation of CVE-2025-5777 is also noted as highly concerning by CISA. These vulnerabilities allowed sophisticated actors to breach systems, leading to significant operational disruption, as seen with the Public Prosecution Service (Openbaar Ministerie).
## Exploitation
- Status: Actively Exploited in the wild (CVE-2025-6543 exploited as a zero-day since early May 2025).
- Complexity: High (Implied by the attack being attributed to actors with an "advanced modus operandi" and the necessary skills to remove traces).
- Attack Vector: Network (Implied, as these are gateway/SD-WAN-related vulnerabilities commonly targeted remotely).
## Impact
- Confidentiality: High (Breach of critical organizations suggests potential data exposure).
- Integrity: High (Associated with significant operational disruption, suggesting systems integrity was compromised).
- Availability: High (Specific mention of the Dutch Public Prosecution Service experiencing "significant operational disruption" and delayed email server restoration).
## Remediation
### Patches
Specific patch versions alleviating these CVEs are not detailed in the provided text, but patching is the primary required action. Organizations must apply the vendor-released security updates corresponding to CVE-2025-6543 and CVE-2025-5777.
### Workarounds
No specific workarounds were detailed in the source text, emphasizing the need for immediate patching.
## Detection
- Indicators of Compromise: None are listed in the source; because threat actors actively removed traces of compromise, bespoke forensic analysis may be required to uncover historical activity.
- Detection Methods and Tools: NCSC alerted the relevant bodies. CISA added both CVEs to the Known Exploited Vulnerabilities (KEV) catalog, so vulnerability scanning and IOC checks should cover activity related to these identifiers.
## References
- Vendor advisories: Citrix/NetScaler advisories relevant to CVE-2025-6543 and CVE-2025-5777.
- Relevant links (defanged):
  - bleepingcomputer com/news/security/over-3-000-netscaler-devices-left-unpatched-against-actively-exploited-citrixbleed-2-flaw/
  - cisa gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2025-5777&field_date_added_wrapper=all&field_cve=&sort_by=field_date_added&items_per_page=20&url=
  - cisa gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2025-6543&field_date_added_wrapper=all&field_cve=&sort_by=field_date_added&items_per_page=20&url=
  - om nl/onderwerpen/inbreuk-om-ict/nieuws/2025/07/18/onderzoek-naar-aanleiding-van-signaal-ncsc