NC4 Public


NC4-ALR-2025-000006 : Critical Memory Exposure and Access Control Vulnerabilities in Citrix NetScaler ADC and Gateway

ACTIONS TO TAKE TO MITIGATE CYBER THREATS

Three critical vulnerabilities in NetScaler ADC and Gateway have been disclosed and observed in active exploitation. Exploitation can result in sensitive memory disclosure, remote code execution, and unauthorised administrative access. 

All organisations using NetScaler ADC and Gateway (formerly Citrix ADC and Gateway), especially where configured as VPN or AAA virtual servers, are strongly advised to: 

  1. Upgrade to Fixed NetScaler Versions Immediately 
  2. Terminate All Active ICA and PCoIP Sessions 
  3. Verify Gateway and AAA Virtual Server Configurations 
  4. Assess for Potential Credential Exposure and Session Hijacking 
  5. Isolate or Decommission End-of-Life NetScaler Versions 
  6. Implement Enhanced Monitoring and Logging 
  7. Engage with Citrix and NC4 

CVE-2025-5777, nicknamed “Citrix Bleed 2,” mirrors exploitation patterns seen in past ransomware breaches such as CVE-2023-4966. Live exploitation of CVE-2025-6543 has been confirmed, and older versions (12.1 and 13.0) are End of Life (EOL) and must be decommissioned or upgraded. Failure to patch leaves organisations vulnerable to memory exposure and credential theft, especially in high-trust remote access environments.

Summary

The National Cyber Coordination and Command Centre (NC4) has observed multiple alerts by Citrix and industry partners regarding critical vulnerabilities in Citrix NetScaler ADC and Gateway appliances. Exploited vulnerabilities include CVE-2025-5777 (memory overread), CVE-2025-5349 (improper access control), and CVE-2025-6543 (memory overflow with potential RCE). 

Citrix has confirmed that exploitation of CVE-2025-6543 is occurring in the wild. Given its architectural similarity to “Citrix Bleed” (CVE-2023-4966), CVE-2025-5777 is highly likely to be exploited imminently.

This attack surface includes both customer-managed and hybrid deployments, especially those running VPN, ICA Proxy, CVPN, RDP Proxy, or AAA virtual server configurations. Exploitation may lead to: 

  • Leakage of session tokens and memory contents. 
  • Unauthorised administrative access via management IPs. 
  • Remote DoS or unauthenticated code execution. 
  • Bypassing of MFA and session hijacking. 

NC4 assesses these vulnerabilities as presenting critical cybersecurity risks and advises that organisations must assume compromise if affected versions were exposed to untrusted networks before patching.

These vulnerabilities enable threat actors to:

  • Bypass input validation to access or leak memory contents (CVE-2025-5777). 
  • Gain unauthorised access to management interfaces (CVE-2025-5349). 
  • Trigger Denial of Service and possible remote control flow manipulation (CVE-2025-6543). 
  • Exploit improperly secured VPN services and authentication portals. 
  • Target legacy appliances no longer receiving vendor support.

The potential impact spans remote access systems, credential theft, memory leakage, and complete service disruption. Threat actors are expected to integrate these techniques into future targeted and opportunistic campaigns. 

Technical Details

CVE ID: CVE-2025-5777 (Citrix Bleed 2.0)
  • Description: Insufficient input validation causing memory overread
  • Prerequisites: NetScaler must be configured as Gateway or AAA virtual server
  • CWE: 125 – Out-of-bounds Read
  • CVSS v4.0: 9.3
  • Status: Likely to attract exploit development; no PoC observed

CVE ID: CVE-2025-5349
  • Description: Improper access control on the NetScaler management interface
  • Prerequisites: Access to NSIP, Cluster Management IP, or GSLB Site IP
  • CWE: 284 – Improper Access Control
  • CVSS v4.0: 8.7
  • Status: No exploitation confirmed

CVE ID: CVE-2025-6543
  • Description: Memory overflow vulnerability leading to unintended control flow and Denial of Service
  • Prerequisites: Gateway/AAA configuration
  • CWE: 119 – Improper Restriction of Operations within the Bounds of a Memory Buffer
  • Impact: Unintended control flow, Denial of Service
  • CVSS v4.0: 9.2
  • Status: Exploitation confirmed in the wild


Mitigations

A. Immediate Technical Remediation 

  • Patch Affected Devices

Upgrade to:

    • 14.1-47.46 or later
    • 13.1-59.19 or later
    • 13.1-FIPS/NDcPP 13.1-37.236 or later
    • 12.1-FIPS 12.1-55.328 or later

  • Terminate Sessions

It is advised to terminate all active ICA and PCoIP sessions once all NetScaler appliances in the HA pair or cluster have been updated to the fixed versions, using the following commands:

kill icaconnection -all
kill pcoipConnection -all

  • Review Legacy Deployments 

Decommission or isolate appliances running EOL versions (12.1, 13.0). 

  • Update Logging, Detection Rules and Enhance Monitoring 
    • Enable verbose memory and session logging. 
    • Create SIEM rules for token reuse, overflow errors, or malformed requests. 
    • Set alerts for memory crashes, repeated session failures, or unauthorised access. 
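One of the SIEM rules named above, token reuse, as an added illustration that is not part of this advisory or of any vendor detection content: it flags a session identifier observed from more than one source IP, which is the footprint of a hijacked session after a token leak. The key=value log layout, IP addresses and session identifiers below are constructed for the example, not the real NetScaler log format; map the real source-IP and session fields into parse_line() before use.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (layout, IPs and session ids are illustrative only).
SAMPLE_LOG = """\
2025-06-25T10:00:01Z src=203.0.113.5 session=S1 event=AAA_LOGIN user=alice
2025-06-25T10:00:40Z src=203.0.113.5 session=S1 event=ICA_CONNECT user=alice
2025-06-25T10:02:10Z src=198.51.100.77 session=S1 event=ICA_CONNECT user=alice
2025-06-25T10:05:00Z src=203.0.113.9 session=S2 event=AAA_LOGIN user=bob
2025-06-25T12:30:00Z src=203.0.113.9 session=S2 event=ICA_CONNECT user=bob
"""


def parse_line(line):
    """Parse one constructed log line into a dict; 'ts' becomes a datetime."""
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_token_reuse(log_text, window_seconds=None):
    """Return (session, first_src, new_src) for each session seen from two IPs.

    window_seconds: if set, only a second IP seen within that many seconds of an
    earlier sighting of the same session raises an alert. A stolen token can be
    replayed hours later, so leave the window unset unless false positives
    (e.g. mobile users roaming between networks) make tuning necessary.
    """
    seen = defaultdict(list)   # session id -> [(ts, src), ...]
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        sid, src, ts = rec["session"], rec["src"], rec["ts"]
        for prev_ts, prev_src in seen[sid]:
            in_window = (window_seconds is None
                         or (ts - prev_ts).total_seconds() <= window_seconds)
            if prev_src != src and sid not in alerted and in_window:
                alerts.append((sid, prev_src, src))
                alerted.add(sid)
                break
        seen[sid].append((ts, src))
    return alerts
```

On the constructed sample, session S1 is flagged (first seen from 203.0.113.5, then from 198.51.100.77), while S2 stays clean because both events share one source.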

B. Strategic Organisational Measures 

  • Inventory and Classify All NetScaler Assets

Flag EOL devices and hybrid deployments that use NetScaler instances.

  • Decommission End-of-Life (EOL) Versions 

12.1 and 13.0 are unsupported and vulnerable; deprecate immediately. 

  • Review Cloud vs On-Prem Architecture 

Cloud-managed Citrix services are not impacted. 

  • Update Playbooks for Session Hijacking and Memory Disclosure 

Include detection, token revocation, and downstream app hardening. 

  • Engage with NC4 

Report incidents or findings to Citrix and NC4 via official channels to support national-level coordination and threat sharing. 

Validate Security Controls

System owners and cyber security teams are encouraged to: 

  • Verify that firmware versions match the latest fixed builds. 
  • Confirm VPN session termination in the logs after the upgrade. 
  • Simulate ICA and AAA exploitation behaviour. 
  • Review SIEM and EDR visibility of token usage and malformed memory reads. 
  • Test WAF, memory monitoring, and endpoint protections for detection efficacy. 
  • Apply red team scenarios that mimic buffer exploits and session leaks, and simulate session hijacking using replay tools, to validate controls. 
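The first check above, and the "Patch Affected Devices" item under Mitigations, come down to comparing each appliance's build against the fixed builds this advisory lists. The script below is an added example, not NC4 or Citrix code: it triages an inventory of "release-build" strings (the form used in the advisory, e.g. 14.1-47.46) into fixed, vulnerable, EOL or unknown. The FIPS/NDcPP flag must be supplied by the operator because those trains use lower build numbers than the standard release; the hostnames in the sample inventory are constructed.

```python
import re

# First fixed build per release train, as listed in this advisory.
# Key: (release, fips_or_ndcpp) -> (build, sub-build) as integers.
FIXED_BUILDS = {
    ("14.1", False): (47, 46),    # 14.1-47.46
    ("13.1", False): (59, 19),    # 13.1-59.19
    ("13.1", True):  (37, 236),   # 13.1-FIPS / NDcPP 13.1-37.236
    ("12.1", True):  (55, 328),   # 12.1-FIPS 12.1-55.328
}
# Release trains the advisory marks as End of Life (no standard fix exists).
EOL_RELEASES = {"12.1", "13.0"}

# Accepts the 'release-build' form used in the advisory, e.g. '14.1-47.46'.
VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")


def parse_version(version):
    """Split '14.1-47.46' into ('14.1', (47, 46)); reject anything else."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {version!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def assess_version(version, fips=False):
    """Return 'fixed', 'vulnerable', 'eol' or 'unknown' for one appliance build."""
    release, build = parse_version(version)
    fixed = FIXED_BUILDS.get((release, fips))
    if fixed is None:
        return "eol" if release in EOL_RELEASES else "unknown"
    # Integer tuple comparison: build 47.100 is newer than 47.46, which a
    # plain string comparison would get wrong.
    return "fixed" if build >= fixed else "vulnerable"


def triage_inventory(inventory):
    """inventory: iterable of (hostname, version, fips). Return hosts needing action."""
    actions = []
    for host, version, fips in inventory:
        status = assess_version(version, fips)
        if status != "fixed":
            actions.append((host, version, status))
    return actions


# Constructed sample inventory; hostnames are illustrative.
SAMPLE_INVENTORY = [("ns-gw-01", "14.1-47.46", False), ("ns-gw-02", "13.1-58.32", False),
                    ("ns-fips-01", "13.1-37.236", True), ("ns-old-01", "13.0-92.21", False)]
```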

Reporting

Malaysian NCII entities affected by this advisory are advised to report indicators or incidents to Citrix and NC4, as required under Act 854, for national coordination and intelligence sharing. 

References

Citrix Security Bulletin for CVE-2025-5349 & CVE-2025-5777: https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX693420

Citrix Security Bulletin for CVE-2025-6543: https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX694788

CERT-EU Advisory: https://cert.europa.eu/publications/security-advisories/2025-022/

Arctic Wolf Analysis of CVE-2025-5777: https://arcticwolf.com/resources/blog/cve-2025-5777/

UK NHS CSOC Alerts (CC-4670, CC-4674): https://digital.nhs.uk/cyber-alerts/2025/cc-4670 and https://digital.nhs.uk/cyber-alerts/2025/cc-4674
