Citrix Urges Immediate Patching of Critical NetScaler Vulnerabilities Amid Active Exploitation
Citrix has recently issued an urgent advisory to all users of its NetScaler Application Delivery Controller (ADC) and NetScaler Gateway products, emphasizing the necessity of applying security patches to address multiple critical vulnerabilities that are currently being actively exploited by malicious actors.
Overview of the Vulnerabilities
The identified vulnerabilities include:
1. CVE-2025-6543: This critical flaw, with a CVSS score of 9.2, involves a memory overflow issue that can lead to unintended control flow and denial-of-service (DoS) conditions. Exploitation requires the appliance to be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or an AAA virtual server.
2. CVE-2025-5777: Also known as Citrix Bleed 2, this vulnerability has a CVSS score of 9.3 and results from insufficient input validation, leading to memory overread. This can allow attackers to access sensitive data, including session tokens, potentially bypassing multi-factor authentication (MFA) protections.
3. CVE-2025-7775: With a CVSS score of 9.2, this memory overflow vulnerability can result in remote code execution and/or DoS. Exploitation requires specific configurations, such as the appliance being set up as a Gateway or AAA virtual server, or having load balancing virtual servers bound with IPv6 services.
Active Exploitation and Impact
Reports from cybersecurity agencies, including the Dutch National Cyber Security Centre (NCSC-NL), confirm that these vulnerabilities are being actively exploited in the wild. Critical sectors within the Netherlands have been targeted, with attackers deploying web shells on compromised Citrix devices to gain persistent remote access. The exploitation of CVE-2025-6543, in particular, has been observed since early May 2025, indicating a sophisticated and prolonged attack campaign.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also added these vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, underscoring the severity and widespread nature of the threat. Federal agencies have been mandated to apply the necessary fixes by specific deadlines to mitigate potential risks.
Affected Versions and Recommended Actions
The vulnerabilities affect the following versions:
– NetScaler ADC and NetScaler Gateway:
  – 14.1 prior to 14.1-47.46
  – 13.1 prior to 13.1-59.19
  – 12.1 and 13.0 (both vulnerable and end-of-life)
– NetScaler ADC 13.1-FIPS and NDcPP:
  – Prior to 13.1-37.236-FIPS and NDcPP
Citrix has released patches in the following versions:
– NetScaler ADC and NetScaler Gateway:
  – 14.1-47.48 and later releases
  – 13.1-59.22 and later releases of 13.1
– NetScaler ADC 13.1-FIPS and 13.1-NDcPP:
  – 13.1-37.241 and later releases of 13.1-FIPS and 13.1-NDcPP
Citrix strongly urges all customers to immediately install the relevant updated versions to protect their systems from potential exploitation. There are no available workarounds for these vulnerabilities beyond upgrading to the patched versions.
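As an added illustration, not part of Citrix's advisory or of this article, the following Python checker compares a reported NetScaler build against the affected and fixed version ranges listed above, so an inventory of appliances can be triaged before patching. The "NSxx.y: Build a.b.nc" layout it accepts alongside the "14.1-47.46" form is an assumption about how the appliance prints its build; the hostnames and versions in the sample inventory are constructed. Because the article lists 14.1 "prior to 14.1-47.46" as affected but 14.1-47.48 as the fixed release (and likewise 13.1-59.19 versus 13.1-59.22), builds that fall in that gap are reported as "upgrade-recommended" rather than as fixed.

```python
import re

# Version thresholds exactly as stated in the advisory summary above.
# Builds are compared as (build, sub-build) tuples, e.g. "47.46" -> (47, 46).
AFFECTED_BELOW = {          # versions "prior to" these builds are listed as affected
    "14.1": (47, 46),
    "13.1": (59, 19),
}
FIXED_FROM = {              # releases Citrix lists as containing the fixes
    "14.1": (47, 48),
    "13.1": (59, 22),
}
EOL_BRANCHES = {"12.1", "13.0"}          # end-of-life branches: vulnerable, no fix
FIPS_AFFECTED_BELOW = (37, 236)          # 13.1-FIPS / 13.1-NDcPP
FIPS_FIXED_FROM = (37, 241)

# Accepts "14.1-47.46", "13.1-37.236-FIPS" and a "NS14.1: Build 47.46.nc" layout.
# The latter layout is an assumption about how the appliance reports its build.
_DASH_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)(?:-(FIPS|NDcPP))?$", re.IGNORECASE)
_BUILD_RE = re.compile(r"NS(\d+\.\d+):\s*Build\s+(\d+)\.(\d+)", re.IGNORECASE)


def parse_version(text):
    """Return (branch, (build, sub), variant) or None if the text is unparseable."""
    text = text.strip()
    m = _DASH_RE.match(text)
    if m:
        branch, build, sub, variant = m.groups()
        return branch, (int(build), int(sub)), (variant or "").upper()
    m = _BUILD_RE.search(text)
    if m:
        branch, build, sub = m.groups()
        return branch, (int(build), int(sub)), ""
    return None


def assess(text):
    """Classify one reported version against the advisory's ranges.

    Returns one of: 'unparseable', 'unknown-branch', 'eol-vulnerable',
    'vulnerable', 'upgrade-recommended', 'fixed'.
    """
    parsed = parse_version(text)
    if parsed is None:
        return "unparseable"
    branch, build, variant = parsed
    if branch in EOL_BRANCHES:
        return "eol-vulnerable"
    if variant in ("FIPS", "NDCPP"):
        if branch != "13.1":
            return "unknown-branch"      # advisory only lists 13.1 FIPS/NDcPP
        affected_below, fixed_from = FIPS_AFFECTED_BELOW, FIPS_FIXED_FROM
    elif branch in AFFECTED_BELOW:
        affected_below, fixed_from = AFFECTED_BELOW[branch], FIXED_FROM[branch]
    else:
        return "unknown-branch"          # branch not covered by this advisory
    if build < affected_below:
        return "vulnerable"
    if build < fixed_from:
        # Above the "affected" threshold but below the listed fixed release:
        # not a fixed build, so it still needs the upgrade.
        return "upgrade-recommended"
    return "fixed"


def audit(inventory):
    """Map hostname -> verdict for a dict of hostname -> reported version."""
    return {host: assess(version) for host, version in inventory.items()}


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "gw-01.example.test": "14.1-47.45",
    "gw-02.example.test": "NetScaler NS13.1: Build 59.22.nc, Date: Jan 1 2025 (64-bit)",
    "gw-fips-01.example.test": "13.1-37.236-FIPS",
    "gw-legacy-01.example.test": "13.0-92.21",
}

if __name__ == "__main__":
    for host, verdict in audit(SAMPLE_INVENTORY).items():
        print(f"{host:28} {verdict}")
```

Feeding the checker the output of an inventory export rather than hand-typed strings is the realistic use; anything it reports as "unparseable" or "unknown-branch" should be looked at by hand rather than assumed safe.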
Broader Implications and Historical Context
This series of vulnerabilities is part of a concerning trend of critical flaws in Citrix products being actively exploited by threat actors. In October 2023, Citrix disclosed CVE-2023-4966, a vulnerability that allowed attackers to hijack existing authenticated sessions, thereby bypassing MFA and gaining unauthorized access to sensitive information. Similarly, in July 2023, CVE-2023-3519 was exploited in zero-day attacks, enabling unauthenticated remote code execution on vulnerable NetScaler ADC and Gateway appliances.
The repeated targeting of Citrix products highlights the importance of proactive vulnerability management and the need for organizations to stay vigilant against emerging threats.
Recommendations for Organizations
1. Immediate Patching: Organizations using affected versions of NetScaler ADC and NetScaler Gateway should prioritize applying the latest security patches without delay.
2. Session Termination: After patching, it’s advisable to terminate all active sessions to prevent potential session hijacking, especially if exploitation occurred before the patch was applied.
3. Network Configuration Review: Ensure that management interfaces are not exposed to the internet to reduce the attack surface.
4. Continuous Monitoring: Implement robust monitoring to detect any signs of compromise, such as unauthorized access or the presence of web shells.
5. Incident Response Preparedness: Develop and regularly update incident response plans to swiftly address potential breaches.
Conclusion
The active exploitation of these critical vulnerabilities in Citrix NetScaler products serves as a stark reminder of the evolving cyber threat landscape. Organizations must remain proactive in applying security updates and implementing comprehensive security measures to safeguard their systems and sensitive data.