Urgent: Patch Critical Citrix NetScaler Bug (CVE-2025-5777) Now!

Summary
– Citrix fixed a critical vulnerability (CVE-2025-5777) in NetScaler ADC and Gateway, similar to the CitrixBleed flaw, but it is not currently under active exploitation.
– CVE-2025-5777 is an out-of-bounds read flaw that could allow attackers to steal session tokens from internet-facing NetScaler devices configured as Gateway or AAA servers.
– Another vulnerability (CVE-2025-5349) was fixed, but it requires attacker access to NetScaler-owned or cluster management IP addresses to exploit.
– Affected versions include NetScaler ADC and Gateway 14.1, 13.1, 13.1-FIPS, and 12.1-FIPS, with customers urged to upgrade immediately.
– Citrix recommends terminating active sessions post-upgrade to invalidate stolen tokens and advises against rebooting as a solution.
A newly discovered critical vulnerability in Citrix NetScaler products demands immediate attention from IT teams worldwide. Identified as CVE-2025-5777, this security flaw shares alarming similarities with the notorious CitrixBleed exploit (CVE-2023-4966), raising concerns about potential unauthorized access to sensitive systems.
The vulnerability stems from insufficient input validation that results in an out-of-bounds read, which could allow attackers to read valid session tokens from internet-facing NetScaler devices. Those tokens could then be replayed to bypass authentication and gain control over affected systems. Unlike exploits that require user interaction, this flaw can be exploited remotely and without privileges, but only on devices configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA (Authentication, Authorization, and Accounting) virtual server.
Citrix has also addressed a second vulnerability, CVE-2025-5349, which involves improper access control on the NetScaler Management Interface. However, this flaw is less severe, as it requires attackers to already have access to specific IP addresses tied to the device.
Affected versions include NetScaler ADC and NetScaler Gateway 14.1, 13.1, 13.1-FIPS, and 12.1-FIPS.
Organizations using Secure Private Access on-prem or hybrid deployments must also upgrade their NetScaler instances to the latest builds. Citrix strongly recommends terminating all active ICA and PCoIP sessions after applying the patches, so that any session tokens stolen before the upgrade are invalidated. Simply rebooting the appliances is insufficient: administrators must explicitly kill the sessions, and in clustered or high-availability setups this has to be done on every node, since sessions persist on peers.
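The post-upgrade session invalidation described above, written out as a script for an HA pair or cluster. This is an added example, not code from the article or from Citrix; it assumes SSH access to each node as an admin user (`nsroot` by default, overridable with `NS_ADMIN_USER`), that the fixed build is already installed on every node, and that the NetScaler CLI accepts the `kill icaconnection`, `kill pcoipConnection` and `kill aaa session` commands over SSH (these come from the NetScaler CLI reference, not from the page). The node addresses in the self-check are constructed placeholders.

```shell
#!/bin/sh
# Post-upgrade session invalidation for NetScaler Gateway / AAA appliances.
# Added example; assumes SSH admin access to every HA or cluster node.

# Session types an attacker could reuse with a token read via CVE-2025-5777.
# Command names are from the NetScaler CLI reference (assumption, not from the page).
ns_kill_commands() {
    cat <<'EOF'
kill icaconnection -all
kill pcoipConnection -all
kill aaa session -all
EOF
}

# Run every kill command on one node over SSH. With DRY_RUN=1 the ssh
# invocation is printed instead of executed, so the plan can be reviewed first.
ns_kill_sessions_on_node() {
    node="$1"
    user="${NS_ADMIN_USER:-nsroot}"
    while IFS= read -r cmd; do
        if [ "${DRY_RUN:-0}" = "1" ]; then
            printf 'ssh %s@%s %s\n' "$user" "$node" "$cmd"
        else
            ssh "$user@$node" "$cmd" || return 1
        fi
    done <<EOF
$(ns_kill_commands)
EOF
}

# Walk every node: in HA and cluster deployments sessions survive on peers
# unless each node is handled, which is why a single reboot is not enough.
ns_kill_sessions() {
    for node in "$@"; do
        ns_kill_sessions_on_node "$node" || return 1
    done
}
```

Run it as `DRY_RUN=1 sh kill_sessions.sh` first, then without `DRY_RUN` once the fixed build is confirmed on all nodes.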
For those running end-of-life versions (12.1 and 13.0), upgrading to a supported release is the only viable solution. Given the history of rapid exploitation targeting Citrix vulnerabilities, delaying patches could expose networks to significant risk.
Staying ahead of emerging threats requires vigilance. Regular updates and proactive security measures remain the best defense against evolving cyber risks.
(Source: HELPNET SECURITY)