Warning: Three critical vulnerabilities (CVE-2025-5777, CVE-2025-5349, CVE-2025-6543) impact NetScaler ADC & Gateway, leading to unauthenticated memory overread, unintended control flow and Denial of Service. There is evidence of active exploitation. Pat

  • Published: 18/06/2025
  • Last update: 02/07/2025
  • Affected software:
    → NetScaler ADC and NetScaler Gateway 14.1 BEFORE 14.1-47.46
    → NetScaler ADC and NetScaler Gateway 13.1 BEFORE 13.1-59.19
    → NetScaler ADC 13.1-FIPS and NDcPP BEFORE 13.1-37.235-FIPS and NDcPP
    → NetScaler ADC 12.1-FIPS BEFORE 12.1-55.328-FIPS
  • Type: Out-of-bounds Read, unintended control flow and Denial of Service
  • CVE/CVSS
    → CVE-2025-5777 CVSS 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L)
    → CVE-2025-6543 CVSS 9.2 (CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L)
    → CVE-2025-5349 CVSS 8.7 (CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L)

Risks

In June 2025, Citrix released advisories covering three vulnerabilities affecting NetScaler devices.

NetScaler devices are typically public-facing edge systems and are frequently targeted by threat actors seeking a foothold in a network; they have been targeted in the past. The vendor, along with security researchers at ReliaQuest, reported evidence of active exploitation.

CVE-2025-5777 allows attackers to hijack user sessions and bypass MFA, granting them unauthorized access to sensitive systems. Threat actors can maintain long-term access to the hijacked user session.

CVE-2025-6543 can be used in a denial-of-service attack.

CVE-2025-5349 can allow unauthorized users to access restricted functions.

Citrix warns that active exploitation of CVE-2025-6543 has been observed. ReliaQuest reports that they observed active exploitation of CVE-2025-5777.

Description

CVE-2025-5777

This vulnerability is present in NetScaler ADC and NetScaler Gateway 13.1, 14.1, NetScaler ADC 12.1-FIPS, 13.1-FIPS and NDcPP.

Successful exploitation allows unauthenticated attackers to perform a memory overread over the network. For a threat actor to exploit this vulnerability, NetScaler must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server.

This vulnerability has a high impact on confidentiality, integrity, and availability. A threat actor could:

  • Access sensitive data remotely without authentication
  • Cause system instability or crashes
  • Potentially escalate impact to remote code execution
  • Compromise confidentiality, integrity, and availability of the device
  • Use the flaw to further infiltrate the network
  • Disrupt critical network services relying on NetScaler ADC & Gateway
  • Cause significant business and regulatory impacts due to loss of control

According to a report, ReliaQuest assesses with medium confidence that this vulnerability is actively being exploited.

CVE-2025-6543

This memory overflow vulnerability is present in NetScaler ADC and NetScaler Gateway 13.1, 14.1, NetScaler ADC 13.1-FIPS and NDcPP. Successful exploitation can lead to unintended control flow and Denial of Service.

This vulnerability has a high impact on confidentiality, integrity, and availability.

This vulnerability is actively being exploited according to Citrix. For this vulnerability to be exploitable, NetScaler must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server.

CVE-2025-5349

This improper access control vulnerability affects the NetScaler Management Interface in NetScaler ADC and NetScaler Gateway devices.

This vulnerability has a high impact on confidentiality, integrity and availability.

Successful exploitation could allow unauthorized users to access restricted functions. For threat actors to exploit this vulnerability, they must have access to NSIP, Cluster Management IP or local GSLB Site IP.

Recommended Actions

Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.

To remediate CVE-2025-5777, Citrix recommends executing the kill session commands after upgrading in order to terminate all active ICA and PCoIP sessions. The commands can be found at https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX693420
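As an added example (not Citrix's or the CCB's code), the following Python script compares a NetScaler version banner against the first fixed builds listed under "Affected software" above, so an inventory of appliances can be triaged for patch status. The `show ns version` banner format and the caller-supplied FIPS/NDcPP variant flag are assumptions.

```python
# Added example (not Citrix or CCB code): triage a NetScaler build against the
# first fixed builds listed in this advisory. The `show ns version` banner format
# "NetScaler NS14.1: Build 47.46.nc, ..." is assumed; FIPS/NDcPP must be flagged
# by the caller, because the banner alone does not reveal the variant.
import re
from typing import Dict, Optional, Tuple

Build = Tuple[int, int]

# First fixed build per release line, from the advisory's "Affected software" list.
FIXED_BUILDS: Dict[Tuple[str, str], Build] = {
    ("14.1", "standard"): (47, 46),
    ("13.1", "standard"): (59, 19),
    ("13.1", "fips"): (37, 235),  # also covers 13.1 NDcPP
    ("12.1", "fips"): (55, 328),
}

# Matches "NS<release>: Build <major>.<minor>" in the version banner (assumed format).
_BANNER_RE = re.compile(r"NS(\d+\.\d+):\s*Build\s+(\d+)\.(\d+)")

def parse_banner(banner: str) -> Optional[Tuple[str, Build]]:
    """Extract (release, (major, minor)) from a version banner, or None if unparsable."""
    m = _BANNER_RE.search(banner)
    if not m:
        return None
    release, major, minor = m.groups()
    return release, (int(major), int(minor))

def assess(release: str, build: Build, variant: str = "standard") -> str:
    """Return 'fixed', 'vulnerable' or 'not-listed' for a release/build/variant."""
    fixed = FIXED_BUILDS.get((release, variant))
    if fixed is None:
        # Release line not in the advisory's list (e.g. 13.0): review manually.
        return "not-listed"
    # Tuple comparison orders builds numerically: (47, 46) > (43, 56).
    return "vulnerable" if build < fixed else "fixed"

def assess_banner(banner: str, variant: str = "standard") -> str:
    """Parse a banner and assess it in one call."""
    parsed = parse_banner(banner)
    if parsed is None:
        return "unparsable"
    return assess(parsed[0], parsed[1], variant)

if __name__ == "__main__":
    # Constructed banners, not taken from any real appliance.
    for b in ("NetScaler NS14.1: Build 43.56.nc, Date: Jan 1 2025",
              "NetScaler NS14.1: Build 47.46.nc, Date: Jun 1 2025"):
        print(f"{b!r}: {assess_banner(b)}")
```

A "fixed" result only means the build contains the fixes; it says nothing about whether the appliance was compromised before the upgrade, which is why the threat hunting steps below still apply.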

The Centre for Cybersecurity Belgium recommends performing threat hunting to look for signs of compromise in your environment. To obtain indicators of compromise (IoCs), contact your Citrix Customer Support representative. In addition, you may use NetScaler Console (previously known as Application Delivery Management) to identify changes and additions made to the NetScaler core build files.

If you suspect your NetScaler ADC device has been compromised, consult the recovery steps from Citrix: https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX694799

Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://ccb.belgium.be/cert/report-incident.

While patching appliances or software to the newest version protects against future exploitation, it does not remediate a compromise that has already taken place.

Within Citrix NetScaler, it is also good practice to enable file integrity monitoring. If an attacker uses one of these or another vulnerability to alter the NetScaler build files, the feature compares the hash of each file with its original hash and helps detect the tampering. More information at: https://community.citrix.com/techzone-blogs/netscaler/netscaler-file-integrity-monitoring/.

References

National Vulnerability Database (NVD) - https://nvd.nist.gov/vuln/detail/CVE-2025-5777
National Vulnerability Database (NVD) - https://nvd.nist.gov/vuln/detail/CVE-2025-6543
National Vulnerability Database (NVD) - https://nvd.nist.gov/vuln/detail/CVE-2025-5349
NetScaler FAQ - https://www.netscaler.com/blog/news/netscaler-critical-security-updates-for-cve-2025-6543-and-cve-2025-5777/