Citrix Patches Critical Vulnerability: A New Threat Emerges
Citrix has recently addressed a critical vulnerability in its NetScaler ADC and NetScaler Gateway products, drawing comparisons to the notorious CitrixBleed flaw that had previously wreaked havoc in the cybersecurity landscape. Although there are currently no reports of active exploitation, security experts are urging organizations to take immediate action to mitigate potential risks.
The Emergence of "CitrixBleed 2"
Security analyst Kevin Beaumont has dubbed the new vulnerability "CitrixBleed 2," referencing the earlier flaw (CVE-2023-4966) that allowed attackers to access device memory, retrieve session tokens, and impersonate authenticated users, effectively bypassing multi-factor authentication. The latest vulnerability, tracked as CVE-2025-5777, has received a severity rating of 9.3, indicating its potential for severe impact.
Affected Versions
According to Citrix’s security bulletin, the following builds are vulnerable:
- NetScaler ADC and NetScaler Gateway: 14.1 before 14.1-43.56
- NetScaler ADC and NetScaler Gateway: 13.1 before 13.1-58.32
- NetScaler ADC 13.1-FIPS and 13.1-NDcPP: before 13.1-37.235
- NetScaler ADC 12.1-FIPS: before 12.1-55.328
Additionally, versions 12.1 and 13.0, which have reached end-of-life and will not receive further updates, are also vulnerable. Citrix strongly recommends upgrading these instances to a supported version to address the flaw.
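As an added example (not from the Citrix bulletin or the article), the following script checks inventory build strings against the fixed builds listed above. It assumes builds are written in the bulletin's "14.1-43.56" notation, with an assumed "-FIPS" or "-NDcPP" suffix marking those variants; the hostnames and builds in the sample inventory are constructed.

```python
import re

# Fixed builds per the Citrix bulletin, keyed by (release branch, variant).
# Branches 12.1 (non-FIPS) and 13.0 are end-of-life and have no fixed build.
FIXED_BUILDS = {
    ("14.1", ""): "14.1-43.56",
    ("13.1", ""): "13.1-58.32",
    ("13.1", "FIPS"): "13.1-37.235",
    ("13.1", "NDcPP"): "13.1-37.235",
    ("12.1", "FIPS"): "12.1-55.328",
}
END_OF_LIFE = {"12.1", "13.0"}

# Assumed notation: MAJOR.MINOR-BUILD.SUB with an optional -FIPS / -NDcPP suffix.
BUILD_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)(?:-(FIPS|NDcPP))?$")


def parse_build(build):
    """Split a build string into (release, (build, sub), variant)."""
    m = BUILD_RE.match(build.strip())
    if not m:
        raise ValueError(f"unrecognised build string: {build!r}")
    release, major, minor, variant = m.groups()
    return release, (int(major), int(minor)), (variant or "")


def assess(build):
    """Return 'fixed', 'vulnerable', 'end-of-life' or 'unknown' for one build."""
    release, number, variant = parse_build(build)
    if (release, variant) not in FIXED_BUILDS:
        # No fixed build on this branch: EOL branches need a branch upgrade.
        return "end-of-life" if release in END_OF_LIFE else "unknown"
    _, fixed_number, _ = parse_build(FIXED_BUILDS[(release, variant)])
    return "fixed" if number >= fixed_number else "vulnerable"


def hosts_needing_action(inventory):
    """Return [(host, build, status)] for every entry that is not 'fixed'."""
    return [(h, b, assess(b)) for h, b in inventory if assess(b) != "fixed"]


# Constructed sample inventory (hostnames and builds are made up).
SAMPLE_INVENTORY = [
    ("gw-01.example.internal", "14.1-43.56"),
    ("gw-02.example.internal", "14.1-43.50"),
    ("gw-fips.example.internal", "13.1-37.200-FIPS"),
    ("legacy.example.internal", "13.0-92.21"),
]

if __name__ == "__main__":
    for host, build, status in hosts_needing_action(SAMPLE_INVENTORY):
        print(f"{host}: {build} -> {status}")
```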
The Nature of the Vulnerability
The vulnerability is characterized as an out-of-bounds read flaw, which can be exploited remotely and without authentication. It stems from insufficient input validation, allowing attackers to read sensitive information, such as session tokens, from memory on NetScaler devices configured as a Gateway (e.g., VPN virtual servers, ICA Proxy, CVPN, RDP Proxy) or AAA virtual servers. Beaumont notes that this configuration is "an extremely common setup in large organizations," heightening the risk of exploitation.
Urgent Recommendations for Organizations
Citrix is urging affected customers to install the relevant updated versions as soon as possible. The company has also provided specific commands to execute after deploying the fixed versions across High Availability (HA) pairs and cluster nodes. These commands terminate all active ICA and PCoIP sessions, a crucial step because session tokens already read from memory remain usable until the sessions they belong to are ended. Citrix advises against rebooting appliances as a substitute for executing these commands.
A Reminder of Past Exploits
The original CitrixBleed vulnerability was widely exploited by at least two ransomware groups, leading to significant data breaches. One notable victim, Seattle’s Fred Hutchinson Cancer Center, faced a class-action settlement of approximately $52.5 million after attackers exploited the flaw, compromising sensitive personal and health-related data.
While Citrix has not confirmed any active exploitation of CVE-2025-5777, experts like Beaumont and others emphasize that it is only a matter of time before attackers take advantage of this vulnerability.
Changing Landscape of Vulnerability Disclosure
Interestingly, some details in the National Vulnerability Database (NVD) description for CVE-2025-5777 have changed since its initial disclosure. watchTowr CEO Benjamin Harris pointed out that prerequisites or limitations previously mentioned have been removed, suggesting that the vulnerability may be more severe than initially indicated. This shift raises concerns about the potential for widespread exploitation.
Conclusion: Act Now to Mitigate Risks
As the cybersecurity landscape continues to evolve, organizations must remain vigilant. The consensus among experts is clear: in-the-wild exploitation of CVE-2025-5777 is not a question of "if," but "when." Organizations are strongly advised to patch their systems immediately, as this vulnerability is likely to appear in Known Exploited Vulnerabilities (KEV) feeds soon. Taking proactive measures now can help safeguard sensitive data and prevent potential breaches in the future.