Cybersecurity Forecast 2026: What to Expect – New Report
Get a Demo

Vulnerabilities

CVE-2025-5777

Critical Memory Overread in Citrix NetScaler ADC and Gateway: CVE-2025-5777 Explained

CVSS Gauge
CVSS Needle
CVSS Score: 9.3

Summary

CVE-2025-5777, or CitrixBleed 2, is a critical flaw in Citrix NetScaler ADC and Gateway that lets unauthenticated attackers read memory and steal session tokens to hijack sessions and bypass MFA. The vulnerability impacts systems configured as Gateway servers (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA servers.

Urgent Actions Required

  • Upgrade affected NetScaler ADC and Gateway appliances immediately to the fixed builds:
    • NetScaler ADC and Gateway 14.1-43.56 or later
    • NetScaler ADC and Gateway 13.1-58.32 or later
    • NetScaler ADC 13.1-FIPS / 13.1-NDcPP 13.1-37.235 or later
    • NetScaler ADC 12.1-FIPS 12.1-55.328 or later
  • After patching, terminate all active sessions to prevent session hijacking:
    • Run kill icaconnection -all
    • Run kill pcoipConnection -all
  • Monitor NetScaler logs for unusual session activity, including:
    • Reuse of session tokens across multiple IP addresses
    • Unexpected Citrix session activity from external or data-center hosting IPs
  • Restrict access to NetScaler Gateway or AAA virtual servers until updates are applied, using firewalls or ACLs if possible.

Which Systems Are Vulnerable to CVE-2025-5777?

Technical Overview

  • Vulnerability Type: Out-of-Bounds Memory Read (CitrixBleed 2)
  • Affected Software/Versions:
    • NetScaler ADC and Gateway 14.1 prior to 14.1-43.56
    • NetScaler ADC and Gateway 13.1 prior to 13.1-58.32
    • NetScaler ADC 13.1-FIPS / 13.1-NDcPP prior to 13.1-37.235
    • NetScaler ADC 12.1-FIPS 12.1-55.328 or later
    (Versions 12.1 and 13.0 are End-of-Life and will not receive fixes)
  • Attack Vector: Network (Unauthenticated Remote Access to Gateway or AAA virtual server)
  • CVSS Score: 9.3
  • CVSS Vector: CVSS: 3.1
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None
  • Patch Availability: Yes, available[1]

How Does the CVE-2025-5777 Exploit Work?

The attack typically follows these steps:

CVE-2025-5777 Exploitation Process

What Causes CVE-2025-5777?

Vulnerability Root Cause:

CVE-2025-5777 arises from insufficient input validation in Citrix NetScaler ADC and Gateway. Specifically, certain requests to Gateway or AAA virtual servers can read memory beyond intended bounds. This flaw lets attackers steal session tokens from memory and reuse them to bypass MFA and hijack sessions without credentials or user action.

How Can You Mitigate CVE-2025-5777?

If immediate patching is delayed or not possible:

  • Restrict network access to NetScaler Gateway and AAA virtual servers using firewalls or ACLs.
  • Monitor for unusual Citrix session activity, such as reused session tokens or logins from unexpected IPs.
  • Terminate active ICA and PCoIP sessions frequently to reduce exposure of stolen tokens.
  • Limit exposure of management interfaces to the internet and ensure strong authentication controls are in place.

Which Assets and Systems Are at Risk?

Asset Types Affected:

  • NetScaler ADC and Gateway appliances – versions prior to 14.1-43.56, 13.1-58.32, 13.1-FIPS/NDcPP 13.1-37.235, and 12.1-FIPS 12.1-55.328
  • Gateway or AAA virtual servers – including VPN, ICA Proxy, CVPN, and RDP Proxy configurations

Business-Critical Systems at Risk:

  • Remote access portals – session tokens could be stolen, allowing unauthorized access
  • Administrative interfaces – risk of session hijacking and control over NetScaler management operations

Exposure Level:

  • Internet-facing NetScaler appliances – especially those exposing Gateway or AAA services
  • Exposed VPN and remote access endpoints – targeted by attackers to hijack sessions and bypass MFA
  • End-of-life systems (12.1 and 13.0) – unpatched and highly vulnerable

Will Patching CVE-2025-5777 Cause Downtime?

Mitigation (if immediate patching is not possible): Restrict external access via firewall/ACLs. Vulnerable endpoints remain at risk until patched.

How Can You Detect CVE-2025-5777 Exploitation?

Exploitation Signatures:

  • Reuse of session tokens across multiple IPs may indicate session hijacking attempts.
  • LDAP queries or ADExplorer64.exe activity following Citrix session access can signal reconnaissance post-exploitation.

MITRE ATT&CK Mapping:

  • T1190[5] – Exploit Public-Facing Application
  • T1078[6] – Valid Accounts (using stolen session tokens)

Indicators of Compromise (IOCs/IOAs):

  • Citrix session tokens used from unexpected or multiple IP addresses.
  • Successful authentication without user interaction (MFA bypass).
  • Citrix sessions originating from data-center hosting IPs tied to VPN services.

Behavioral Indicators:

  • Active sessions used across different endpoints without login activity.
  • Unusual access patterns to administrative or sensitive NetScaler resources.

Alerting Strategy:

  • Priority: Critical
  • Trigger alerts for:
    • Unexpected reuse of session tokens.
    • MFA bypass events.
    • LDAP queries or AD enumeration tools following remote Citrix access.

Remediation & Response

Patch/Upgrade Instructions:

  • Citrix Patch Advisory[1]

Mitigation Steps if No Patch:

  • Restrict access to vulnerable NetScaler appliances using network ACLs or firewall rules.
  • Monitor for unusual session reuse across multiple IPs.
  • Watch for unexpected authentication without user interaction (MFA bypass).
  • Log LDAP queries and ADExplorer64.exe activity for anomalous Active Directory reconnaissance.
  • Track sessions originating from unexpected data-center or consumer VPN IPs.

Remediation Timeline:

  • Immediate (0–2 hrs): Limit access to vulnerable devices until patching.
  • Within 8 hrs: Apply Citrix patches to all affected appliances.
  • Within 24 hrs: Verify all systems are upgraded and sessions invalidated.

Rollback Plan:

  • If patches disrupt authentication workflows, follow Citrix guidance for session termination commands (kill icaconnection -all, kill pcoipConnection -all) and review IDP integrations.
  • Document rollback steps in change management, including appliance version, date, and responsible engineer.

Incident Response Considerations:

  • Isolate affected appliances to prevent further unauthorized session access.
  • Collect logs from NetScaler devices to analyze session token reuse and MFA bypass attempts.
  • Investigate whether attackers accessed internal systems or performed AD reconnaissance.
  • After patching, validate that no vulnerable versions remain and continue AD monitoring for anomalous session activity.

Compliance & Governance Notes

Audit Trail Requirement:

  • Record patch deployment details: date, time, target hosts, and fixed version applied.
  • Track session invalidation commands executed post-patch (kill icaconnection -all, kill pcoipConnection -all).
  • Monitor logs for unusual session activity that may indicate exploitation attempts (e.g., session reuse across unexpected IPs).

Policy Alignment:

  • Apply vulnerability management policies to prioritize updates for supported NetScaler versions (14.1, 13.1, 13.1-FIPS/NDcPP, 12.1-FIPS).
  • For systems running EOL versions (12.1, 13.0), plan upgrades to supported builds immediately.
  • Ensure monitoring procedures are in place to detect potential session hijacking or unauthorized access attempts.

Where Can I Find More Information on CVE-2025-5777?

  1. ^CITRIX | Support
  2. ^NVD – CVE-2025-5777
  3. ^https://www.cvedetails.com/cve/CVE-2025-5777/
  4. ^CVE-2025-5777 – Citrix NetScaler ADC and Gateway Out-of-Bounds Read Vulnerability – [Actively Exploited]
  5. ^Exploit Public-Facing Application, Technique T1190 – Enterprise | MITRE ATT&CK®
  6. ^Valid Accounts, Technique T1078 – Enterprise | MITRE ATT&CK®

CVSS Breakdown Table

MetricValue Description
Base Score9.3Critical severity indicating high impact and exploitability
Attack VectorLocalExploitable remotely via Citrix NetScaler Gateway or AAA virtual servers
Attack ComplexityLowStraightforward exploitation; no special conditions required
Privileges RequiredNoneNo authentication or elevated privileges needed to exploit
User Interaction NoneNo action required from the user
Scope Unchanged Exploitation affects only the vulnerable NetScaler component
Confidentiality Impact HighSuccessful exploitation can expose session tokens, enabling session hijacking and MFA bypass
Integrity ImpactHighNo direct modification of system data
Availability ImpactHighExploitation does not disrupt system availability

Vulnerability Overview

CVE ID: CVE-2025-5777

CVE Title: Citrix NetScaler ADC and Gateway Memory Overread (CitrixBleed 2)

Severity: Critical

Exploit Status: Public proof-of-concept (PoC) and evidence of early exploitation

Business Risk: Unauthorized access, session hijacking, MFA bypass, network compromise, operational disruption, and higher risk of ransomware.

Compliance Impact: Sensitive data exposure may violate data protection rules and security best practices.

Stop Network Threats Before They Strike: Discover Fidelis NDR

Download the Solution Brief Now!

Related Readings

One Platform for All Adversaries

See Fidelis in action. Learn how our fast and scalable platforms provide full visibility, deep insights, and rapid response to help security teams across the World protect, detect, respond, and neutralize advanced cyber adversaries.

Get a Demo