U.S. CISA Adds Citrix NetScaler ADC and Gateway Flaw to Its Known Exploited Vulnerabilities Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has taken another crucial step in protecting the nation's digital landscape by adding a critical vulnerability in Citrix NetScaler ADC and Gateway to its Known Exploited Vulnerabilities (KEV) catalog. The added flaw, tracked as CVE-2025-5777 and dubbed 'CitrixBleed 2', carries a high severity score of 9.3 on the Common Vulnerability Scoring System (CVSS v4.0).

The vulnerability, an insufficient input validation issue leading to a memory overread, impacts NetScaler configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server. Because the leaked memory can contain session tokens, attackers can potentially steal session cookies and gain unauthorized access to sensitive information.

Security researcher Kevin Beaumont has highlighted the similarities between CVE-2025-5777 and a past critical exploit, CVE-2023-4966 (aka Citrix Bleed). According to Beaumont, 'CitrixBleed' was a vulnerability that allowed attackers to dump memory, revealing session tokens. Similarly, CVE-2025-5777 lets attackers read memory from NetScaler devices set up as Gateways or AAA virtual servers, which is a common remote access setup in large organizations.

Beaumont explained that the flaw allows an attacker to read memory from the Netscaler when configured as a Gateway or AAA virtual server — think remote access via Citrix, RDP etc. It’s an extremely common setup in large organisations. "The memory may include sensitive information. Session tokens can be replayed to steal Citrix sessions, bypassing MFA. That was the problem with CitrixBleed," continues the expert.

Beaumont’s Shodan scans found over 56,500 exposed NetScaler ADC and Gateway endpoints, but it’s unclear how many are vulnerable to CVE-2025-5777. Citrix also addressed a second high-severity flaw, tracked as CVE-2025-5349, that impacts NetScaler’s management interface.

That issue stems from improper access control and is exploitable only by attackers who can reach the NSIP, Cluster IP, or Local GSLB IP. Users should update to fixed NetScaler ADC and Gateway versions to mitigate the risk. Citrix credits Positive Technologies and ITA MOD CERT for the two CVEs, but the specific discoverer of CVE-2025-5777 is unclear.

After upgrading all NetScaler appliances, the vendor recommends running commands to terminate all active ICA and PCoIP sessions for full risk mitigation, since session tokens stolen before the upgrade would otherwise remain valid. Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure. CISA orders federal agencies to fix the vulnerabilities by July 11, 2025.
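Because a replayed session token is used from a client other than the one that authenticated, one practical triage check after patching is to look for gateway session IDs that appear from more than one source address. The following is an added example, not code from the article or from Citrix; the log format and field names (`sid=`, `client=`, `user=`) are a constructed, hypothetical access-log layout, not NetScaler's real syslog format.

```python
import re
from collections import defaultdict

# Constructed sample lines in a hypothetical gateway access-log format
# (timestamp, session id, client IP, user). Not NetScaler's real format.
SAMPLE_LOG = """\
2025-06-25T10:00:01Z sid=a1b2c3 client=203.0.113.10 user=alice
2025-06-25T10:05:12Z sid=a1b2c3 client=203.0.113.10 user=alice
2025-06-25T10:07:40Z sid=a1b2c3 client=198.51.100.7 user=alice
2025-06-25T10:08:03Z sid=d4e5f6 client=203.0.113.22 user=bob
garbage line that should be skipped
2025-06-25T10:09:30Z sid=d4e5f6 client=203.0.113.22 user=bob
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sid=(?P<sid>\S+) client=(?P<ip>\S+) user=(?P<user>\S+)$"
)


def parse_lines(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def find_replayed_sessions(text):
    """Return {sid: sorted client IPs} for sessions seen from more than one IP.

    A gateway session is bound to the client that completed authentication
    (including MFA). The same session ID suddenly arriving from a second
    source address is the signature of a replayed, i.e. stolen, token.
    """
    ips_by_sid = defaultdict(set)
    for rec in parse_lines(text):
        ips_by_sid[rec["sid"]].add(rec["ip"])
    return {sid: sorted(ips) for sid, ips in ips_by_sid.items() if len(ips) > 1}


if __name__ == "__main__":
    for sid, ips in find_replayed_sessions(SAMPLE_LOG).items():
        print(f"session {sid} used from multiple clients: {', '.join(ips)}")
```

Roaming or NAT'd clients can legitimately change address, so treat a hit as a lead to corroborate against authentication events and the post-upgrade session termination, not as proof of compromise on its own.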

What You Need to Know

Here are some key takeaways from this update:

  • CVE-2025-5777 is a high-severity vulnerability in Citrix NetScaler ADC and Gateway that can allow attackers to steal session cookies.
  • The vulnerability impacts supported versions of NetScaler ADC and NetScaler Gateway.
  • Experts recommend updating to fixed versions of NetScaler ADC and Gateway to mitigate risk.
  • CISA orders federal agencies to fix the vulnerabilities by July 11, 2025.

Prioritize Your Network Security Now

The recent addition of CVE-2025-5777 to the Known Exploited Vulnerabilities catalog serves as a reminder that no organization is immune to cyber threats. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is urging federal agencies and private organizations to take immediate action to protect their networks against attacks exploiting this critical vulnerability.

By staying informed about the latest vulnerabilities and taking proactive measures to secure your network, you can help prevent a potential cyber attack. Follow us on Twitter: @securityaffairs and Facebook and Mastodon for the latest updates and expert analysis.