CVE-2025-5777, CVE-2025-6543: Frequently Asked Questions About CitrixBleed 2 and Citrix NetScaler Exploitation

Keypoints

• CVE-2025-5777, nicknamed CitrixBleed 2, is an out-of-bounds read vulnerability allowing attackers to access sensitive memory and potentially bypass MFA by stealing session tokens.
• CVE-2025-6543 is a separate critical denial of service (DoS) vulnerability caused by memory overflow and was exploited as a zero-day in the wild.
• Both vulnerabilities affect Citrix NetScaler ADC and Gateway versions prior to the patched releases; versions 12.1 and 13.0 are end-of-life and do not receive updates.
• Citrix released security bulletins CTX693420 and CTX694788 on June 17 and June 25 respectively, detailing the vulnerabilities and available patches.
• No public proof-of-concept exploits have been released yet for either vulnerability as of June 27.
• Citrix recommends terminating all active ICA and PCoIP sessions after patching to mitigate risks.
• Indicators of Compromise (IoCs) are available through Citrix customer support, and Tenable has released plugin coverage for these vulnerabilities.