Warning: Two critical vulnerabilities (CVE-2025-5777, CVE-2025-6543) in NetScaler ADC & Gateway Exploited in the Wild, Patch Immediately!

Published: 18/06/2025

    * Last update: 30/06/2025

    * Affected software:

  • NetScaler ADC and NetScaler Gateway 14.1 BEFORE 14.1-47.46
  • NetScaler ADC and NetScaler Gateway 13.1 BEFORE 13.1-59.19
  • NetScaler ADC 13.1-FIPS and NDcPP BEFORE 13.1-37.235-FIPS and NDcPP
  • NetScaler ADC 12.1-FIPS BEFORE 12.1-55.328-FIPS

    * Type: Out-of-bounds Read, unintended control flow and Denial of Service

    * CVE/CVSS: CVE-2025-5777 CVSS 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L)

    * CVE/CVSS: CVE-2025-6543 CVSS 9.2 (CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L)

Sources

Risks

The risk is significant for both vulnerabilities, as NetScaler devices are typically public-facing edge systems that are frequently targeted by threat actors during intrusions.

Both vulnerabilities have a high impact on confidentiality, integrity, and availability. CVE-2025-5777 allows attackers to hijack user sessions and bypass MFA, granting them unauthorized access to sensitive systems; threat actors can maintain long-term access to the hijacked user session. The other vulnerability (CVE-2025-6543) can be used in a denial-of-service attack.

Citrix warns that active exploitation of CVE-2025-6543 has been observed. ReliaQuest reports that it has observed active exploitation of CVE-2025-5777.

Description

CVE-2025-5777

This insufficient input validation vulnerability is present in NetScaler ADC and NetScaler Gateway 13.1 and 14.1, and in NetScaler ADC 12.1-FIPS, 13.1-FIPS and NDcPP. Successful exploitation allows unauthenticated attackers to perform out-of-bounds memory reads over the network. This can be used to steal session tokens, and with these tokens they gain long-term access to user sessions.

CVE-2025-6543

This memory overflow vulnerability is present in NetScaler ADC and NetScaler Gateway 13.1, 14.1, NetScaler ADC 13.1-FIPS and NDcPP. Successful exploitation can lead to unintended control flow and Denial of Service.

In the same advisory, Citrix patched CVE-2025-5349, an improper access control flaw in the NetScaler Management Interface (ADC and Gateway) affecting versions 14.1 before 14.1-43.56 and 13.1 before 13.1-58.32, which could let unauthorized users access restricted functions.

Recommended Actions

Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.
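To check an appliance inventory against the fixed builds listed above, here is an added Python example (not code from the CCB or Citrix). It assumes version strings either in the advisory's "14.1-47.46" form or in the appliance's "NS14.1: Build 47.46.nc" form; the hostnames and builds in the sample inventory are constructed.

```python
import re

# Fixed builds listed in the advisory, keyed by (release train, FIPS/NDcPP build).
# Any build of the same train below the fixed one is affected.
FIXED_BUILDS = {
    ("14.1", False): (14, 1, 47, 46),
    ("13.1", False): (13, 1, 59, 19),
    ("13.1", True): (13, 1, 37, 235),
    ("12.1", True): (12, 1, 55, 328),
}

# Matches "14.1-47.46" (advisory style) and "NS14.1: Build 47.46.nc" (appliance style).
VERSION_RE = re.compile(r"(\d+)\.(\d+)\D+?(\d+)\.(\d+)")


def parse_version(text):
    """Return ((major, minor, build, sub), is_fips) or None if no version is found."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    nums = tuple(int(g) for g in m.groups())
    is_fips = bool(re.search(r"FIPS|NDcPP", text, re.IGNORECASE))
    return nums, is_fips


def is_affected(text):
    """True if the build is below the fixed build for its train, False if it is at
    or above it, None if the train/variant is not in the advisory's table."""
    parsed = parse_version(text)
    if parsed is None:
        return None
    version, is_fips = parsed
    fixed = FIXED_BUILDS.get((f"{version[0]}.{version[1]}", is_fips))
    if fixed is None:
        return None
    return version < fixed


def triage(inventory):
    """Map each hostname to 'PATCH', 'ok' or 'check manually'."""
    labels = {True: "PATCH", False: "ok", None: "check manually"}
    return {host: labels[is_affected(ver)] for host, ver in inventory.items()}


# Constructed sample inventory (hostnames and builds are made up for this example).
SAMPLE_INVENTORY = {
    "gw1.example.test": "NetScaler NS14.1: Build 43.56.nc",
    "gw2.example.test": "14.1-47.46",
    "adc-fips.example.test": "13.1-37.230-FIPS",
    "adc-old.example.test": "12.1-55.300",  # 12.1 non-FIPS is not in the table
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {verdict}")
```

A "check manually" result only means the train or variant is not in the table above; it is not a clean bill of health.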

Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://ccb.belgium.be/cert/report-incident.

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

Within Citrix NetScaler, it is also good practice to enable file integrity monitoring. If an attacker uses one of these vulnerabilities, or another one, to alter NetScaler's build files, file integrity monitoring compares the hashes of the files with the original hashes and helps detect the tampering. More information at: https://community.citrix.com/techzone-blogs/netscaler/netscaler-file-integrity-monitoring/.

References

National Vulnerability Database (NVD) - https://nvd.nist.gov/vuln/detail/CVE-2025-5777
National Vulnerability Database (NVD) - https://nvd.nist.gov/vuln/detail/CVE-2025-6543