Over 2,100 Citrix NetScaler Servers Remain Vulnerable to Critical Exploits

As of June 30, 2025, more than 2,100 Citrix NetScaler servers remain susceptible to critical vulnerabilities, despite the availability of patches. These flaws enable attackers to bypass authentication mechanisms and hijack session tokens, posing significant security risks.

Active Exploitation of Critical Vulnerabilities

Cybersecurity firm ReliaQuest has identified active exploitation of two critical vulnerabilities affecting Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway systems. These vulnerabilities, designated as CVE-2025-5777 and CVE-2025-6543, have been under attack since mid-June 2025, with scanning activities detected as early as June 19.

The Shadowserver Foundation, a nonprofit organization dedicated to improving internet security, reported that as of June 29, 2025, approximately 1,289 and 2,100 IP addresses, respectively, remained unpatched against the two flaws, with the highest concentrations in the United States and Germany. Given the critical nature of these flaws, this represents a significant security exposure.

Citrix Bleed 2: An Evolved Threat

CVE-2025-5777, dubbed Citrix Bleed 2, carries a Common Vulnerability Scoring System (CVSS) score of 9.2, indicating its high severity. This vulnerability is an evolution of the original Citrix Bleed flaw that caused significant disruptions in 2023. It arises from insufficient input validation, leading to out-of-bounds memory reads that allow attackers to extract sensitive authentication data.

Unlike its predecessor, which targeted session cookies, Citrix Bleed 2 focuses on session tokens used across API calls and persistent application sessions. This shift potentially grants attackers prolonged unauthorized access, even after users terminate their browser sessions. ReliaQuest researchers have observed indicators of active exploitation, including hijacked Citrix web sessions where authentication was granted without user knowledge, suggesting successful multi-factor authentication (MFA) bypass.

Denial-of-Service Vulnerability

CVE-2025-6543, with a CVSS score of 9.3, has been confirmed by Citrix as actively exploited. This memory overflow vulnerability affects the same NetScaler configurations but poses a different threat: successful exploitation can lead to denial-of-service conditions, effectively shutting down critical network infrastructure. In its acknowledgement, Citrix stated that exploits of CVE-2025-6543 on unmitigated appliances have been observed.

Sophisticated Attack Patterns

Security analysts have documented sophisticated attack patterns, suggesting the involvement of advanced threat actors. ReliaQuest observed multiple instances of ADExplorer64.exe being deployed across compromised environments. Attackers have weaponized this Microsoft tool to conduct extensive domain reconnaissance activities.

Researchers also detected LDAP queries associated with Active Directory reconnaissance, as well as Citrix sessions originating from data-center-hosting IP addresses, including those of consumer VPN services such as DataCamp, indicating deliberate obfuscation of the attackers' origin.

The Role of NetScaler Appliances

NetScaler appliances serve as critical infrastructure components, acting as gateways for remote access to corporate applications and data centers. These systems often serve as primary entry points for remote workers, making them high-value targets.

Recommendations for Administrators

Given the critical nature of these vulnerabilities and the active exploitation observed, it is imperative for administrators to take immediate action:

1. Apply Patches Promptly: Ensure that all NetScaler ADC and Gateway systems are updated to the latest versions that address CVE-2025-5777 and CVE-2025-6543.

2. Conduct Thorough System Audits: Even after applying patches, perform comprehensive audits to detect any signs of compromise, such as unauthorized web shells or unusual system behavior.

3. Monitor Network Traffic: Implement continuous monitoring to identify and respond to suspicious activities promptly.

4. Enhance Authentication Mechanisms: Review and strengthen authentication protocols to mitigate the risk of session hijacking and unauthorized access.

5. Educate Users: Provide training to users about the importance of security practices, including recognizing phishing attempts and maintaining strong passwords.
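
The audit and monitoring steps above become concrete when the indicators the article names are turned into triage logic. The following Python script is an added example, not code from the article, ReliaQuest, or Citrix: it walks constructed, simplified log lines and flags NetScaler sessions arriving from address ranges tagged as data-center or VPN egress, executions of ADExplorer64.exe, and hosts issuing an unusual volume of LDAP queries. The log format, the address ranges, and the query threshold are all assumptions for the example.

```python
# Added triage example (not the article's or any vendor's code). Flags the
# post-exploitation indicators named in the article in constructed log lines.
import ipaddress
import re
from collections import Counter

# Constructed: ranges an analyst has tagged as data-center or VPN egress.
# A real hunt would load these from an ASN or threat-intelligence feed.
HOSTING_RANGES = [ipaddress.ip_network("203.0.113.0/24"),
                  ipaddress.ip_network("198.51.100.0/24")]

# Hosts issuing this many directory queries in the window get reviewed (assumed value).
LDAP_QUERY_THRESHOLD = 3

# Constructed sample logs in a simplified "<source> <event> key=value ..." form.
SAMPLE_LOGS = """\
netscaler session_start user=alice src=192.0.2.10
netscaler session_start user=bob src=203.0.113.45
edr process_create host=ws01 image=C:\\Users\\bob\\AppData\\Local\\Temp\\ADExplorer64.exe
ldap query host=ws01 filter=(objectClass=*) base=DC=corp,DC=local
ldap query host=ws01 filter=(objectClass=user) base=DC=corp,DC=local
ldap query host=ws01 filter=(objectClass=group) base=DC=corp,DC=local
ldap query host=dc01 filter=(sAMAccountName=alice) base=DC=corp,DC=local
"""

def from_hosting_range(ip):
    """True when the address falls inside a tagged data-center/VPN range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOSTING_RANGES)

def triage(log_text):
    """Return (indicator, subject, detail) tuples for lines worth an analyst's review."""
    findings = []
    ldap_by_host = Counter()
    for line in log_text.splitlines():
        fields = dict(re.findall(r"(\w+)=(\S+)", line))
        if line.startswith("netscaler session_start") and from_hosting_range(fields["src"]):
            findings.append(("gateway_session_from_hosting_range", fields["user"], fields["src"]))
        elif line.startswith("edr process_create") and fields["image"].lower().endswith("adexplorer64.exe"):
            # ADExplorer is a legitimate Sysinternals tool; any run outside admin tooling needs review.
            findings.append(("adexplorer_execution", fields["host"], fields["image"]))
        elif line.startswith("ldap query"):
            ldap_by_host[fields["host"]] += 1
    for host, count in ldap_by_host.items():
        if count >= LDAP_QUERY_THRESHOLD:
            findings.append(("ldap_recon_volume", host, count))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOGS):
        print(finding)
```

Correlating the three indicator types on the same user or host, as the script's output allows, is what turns a single noisy hit into a credible sign of a hijacked gateway session.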

Conclusion

The persistence of over 2,100 vulnerable Citrix NetScaler servers underscores the critical need for organizations to prioritize cybersecurity measures. By promptly applying patches, conducting thorough system audits, and enhancing monitoring and authentication mechanisms, organizations can mitigate the risks associated with these vulnerabilities and protect their critical infrastructure from potential exploitation.