Critical vulnerabilities in NetScaler ADC exploited in-the-wild: everything you need to know

Two critical vulnerabilities (CVE-2025-5349 and CVE-2025-5777) and a third critical zero-day RCE vulnerability (CVE-2025-6543) were disclosed in Citrix NetScaler ADC and Gateway products, exposing systems to unauthorized access and memory overflow attacks. Exploitation evidence has been observed in the wild, and users are strongly advised to update to patched versions immediately. #CitrixBleed2 #CVE20256543 #NetScalerADC

Key points

  • CVE-2025-5777 causes memory overreads via crafted HTTP requests, enabling leakage of session tokens and credentials from Citrix NetScaler Gateway and AAA virtual servers.
  • CVE-2025-5349 is an improper access control vulnerability on the NetScaler Management Interface that allows unauthorized administrative access if attackers have network access to specific IP interfaces.
  • CVE-2025-6543 is a critical memory overflow vulnerability confirmed to be exploited as a zero-day, potentially enabling remote code execution on affected NetScaler ADC and Gateway systems.
  • CVE-2025-5777 is nicknamed “CitrixBleed 2” due to its similarity to the earlier CVE-2023-4966 vulnerability (“CitrixBleed”).
  • Multiple NetScaler ADC and Gateway versions from 12.1 to 14.1 are affected; patches are available only for supported versions 13.1 and 14.1, while EOL versions remain vulnerable.
  • Security teams have observed active exploitation attempts and proof-of-concept exploits have been published, signaling imminent integration into attacker toolkits.
  • Recommendations include immediate patching, terminating all active ICA and PCoIP sessions, and monitoring logs for non-printable characters as signs of exploitation.

MITRE Techniques

  • [T1203] Exploitation for Client Execution – Exploitation via crafted HTTP requests to trigger memory overreads and execute unauthorized code on Citrix NetScaler (CVE-2025-5777, CVE-2025-6543). Quote: ‘an unauthenticated remote attacker could leak sensitive memory contents…’
  • [T1068] Exploitation for Privilege Escalation – Improper access control on management interfaces enabling unauthorized administrative access (CVE-2025-5349). Quote: ‘attackers could gain unauthorized access to sensitive management functionality…’
  • [T1078] Valid Accounts – Use of leaked session tokens to hijack active remote sessions based on memory leak vulnerabilities. Quote: ‘leaked session tokens were used to hijack active remote sessions.’

Indicators of Compromise

  • [File Hashes] Proof-of-concept exploit files for CVE-2025-5777 – released July 3rd, 2025 (specific hashes withheld; available upon request).
  • [IP Addresses] List of IPs hosting vulnerable NetScaler appliances published by Kevin Beaumont – used for vulnerability verification against exposure to CVE-2025-5777.
  • [Log Entries] Presence of non-printable characters in ns.log files indicating potential exploitation of CVE-2025-5777, as recommended by Horizon3 security analysis.


Read more: https://www.wiz.io/blog/critical-vulnerabilities-netscaler-adc-exploited-in-the-wild-cve-2025-5777