

Ethical Hacking News

Citrix NetScaler CVE-2025-5777: A Critical Security Flaw Exploited in the Wild



A new critical security flaw impacting Citrix NetScaler ADC and Gateway has been confirmed to have been exploited in the wild. Organizations using these appliances should take immediate action to patch their systems, upgrade to the latest versions, and review their security logs to minimize the risk of falling victim to this vulnerability.

  • Citrix NetScaler ADC and Gateway contain a critical security flaw (CVE-2025-5777) that can be exploited to bypass authentication.
  • The vulnerability allows attackers to leak sensitive information by sending specific payloads, earning it the nickname "Citrix Bleed".
  • Exploitation efforts have been detected originating from multiple malicious IP addresses in various countries, including Bulgaria, China, Egypt, Finland, and the US.
  • The primary targets of these attacks are organizations in the US, France, Germany, India, and Italy.
  • Patching is recommended to mitigate this vulnerability; Citrix provides patched builds listed in its June 17 advisory.
  • Admins should inspect logs for suspicious requests and review responses for unexpected XML data to detect potential token hijack attacks.



    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently added a critical security flaw impacting Citrix NetScaler ADC and Gateway to its Known Exploited Vulnerabilities (KEV) catalog, officially confirming that the vulnerability has been weaponized in the wild. The shortcoming in question is CVE-2025-5777 (CVSS score: 9.3), an instance of insufficient input validation that could be exploited by an attacker to bypass authentication when the appliance is configured as a Gateway or AAA virtual server.

    Citrix NetScaler ADC and Gateway contain an out-of-bounds read vulnerability due to insufficient input validation, according to CISA. This vulnerability can lead to memory overread when the NetScaler is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server. The term "Citrix Bleed" is used because the memory leak can be triggered repeatedly by sending the same payload, with each attempt leaking a new chunk of stack memory — effectively "bleeding" sensitive information.

    As reported by security researcher Kevin Beaumont in a report published this week, Citrix Bleed 2 exploitation started as far back as mid-June. This suggests that attackers have been exploiting this vulnerability for at least two months, highlighting the severity of the issue. Furthermore, data from GreyNoise shows that exploitation efforts over the past 30 days are originating from 10 unique malicious IP addresses located in Bulgaria, the United States, China, Egypt, and Finland.

    The primary targets of these efforts are the United States, France, Germany, India, and Italy, indicating a global reach for this attack vector. Organizations that use Citrix NetScaler ADC and Gateway appliances should be aware of this vulnerability and take immediate action to patch their systems, as upgrading to the patched builds listed in Citrix's June 17 advisory is recommended.

    Admins are also encouraged to inspect logs (e.g., ns.log) for suspicious requests to authentication endpoints such as /p/u/doAuthentication.do, and to review responses for unexpected XML fields. Because the vulnerability is a memory overread, it leaves no traditional malware traces; token hijack and session replay are therefore the most urgent concerns.
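A defender-side check for the log review described above, written as an added example (it is not code from the article or from Citrix): it counts requests to /p/u/doAuthentication.do per source IP in a sliding window, because the overread is triggered by sending the same request repeatedly, so a burst from one source is the pattern worth alerting on. The log line format is a constructed simplification, not the real ns.log schema, and the threshold and window values are assumptions to tune locally.

```python
"""Flag sources that hit the NetScaler auth endpoint in bursts.

Constructed log format (NOT the real ns.log schema):
    "<YYYY-MM-DD HH:MM:SS> <client_ip> <METHOD> <path> <status>"
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

AUTH_ENDPOINT = "/p/u/doAuthentication.do"  # endpoint named in the advisory coverage
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<ip>[\d.]+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)

def parse_line(line):
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "ip": m["ip"], "method": m["method"],
            "path": m["path"], "status": int(m["status"])}

def find_bursts(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: peak_count} for sources that requested the auth endpoint
    at least `threshold` times inside any `window`-long span (values assumed)."""
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != AUTH_ENDPOINT:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:   # drop timestamps that aged out
            q.popleft()
        if len(q) >= threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged

# Constructed sample: one ordinary login, then one source hammering the endpoint.
SAMPLE_LOG = [
    "2025-06-20 10:00:01 198.51.100.7 POST /p/u/doAuthentication.do 200",
    "2025-06-20 10:00:02 198.51.100.7 GET /vpn/index.html 200",
] + [f"2025-06-20 10:05:{i:02d} 203.0.113.9 POST /p/u/doAuthentication.do 200"
     for i in range(8)]

if __name__ == "__main__":
    for ip, n in find_bursts(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {n} auth requests inside the window")
```

Hits flagged this way still need the response side checked (for the unexpected XML fields the article mentions) before treating them as confirmed exploitation.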

    The development also follows reports of active exploitation of a critical security vulnerability in OSGeo GeoServer GeoTools (CVE-2024-36401, CVSS score: 9.8) to deploy NetCat and the XMRig cryptocurrency miner in attacks targeting South Korea by means of PowerShell and shell scripts. This highlights the importance of keeping software up-to-date and patching vulnerabilities as soon as possible.

    To mitigate this flaw, organizations should immediately upgrade to the patched builds listed in Citrix's June 17 advisory, including version 14.1-43.56 and later. After patching, all active sessions — especially those authenticated via AAA or Gateway — should be forcibly terminated to invalidate any stolen tokens. Admins are also encouraged to review their security logs and respond promptly to potential threats.

    The Citrix Bleed vulnerability is another example of the importance of staying vigilant in today's cybersecurity landscape. As attackers continue to find new ways to exploit vulnerabilities, it is essential for organizations to prioritize patching and stay up-to-date with the latest security best practices. By doing so, they can minimize the risk of falling victim to these types of attacks and protect their sensitive data.

    In conclusion, Citrix NetScaler CVE-2025-5777 represents a critical security flaw that has been exploited in the wild. Its impact is significant, particularly for organizations that rely on Citrix ADC and Gateway appliances. Prompt action is necessary to mitigate this vulnerability, including patching software, inspecting logs, and terminating active sessions.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Citrix-NetScaler-CVE-2025-5777-A-Critical-Security-Flaw-Exploited-in-the-Wild-ehn.shtml
  • https://thehackernews.com/2025/07/cisa-adds-citrix-netscaler-cve-2025.html
  • https://nvd.nist.gov/vuln/detail/CVE-2025-5777
  • https://www.cvedetails.com/cve/CVE-2025-5777/
  • https://nvd.nist.gov/vuln/detail/CVE-2024-36401
  • https://www.cvedetails.com/cve/CVE-2024-36401/


  • Published: Fri Jul 11 01:38:32 2025 by llama3.2 3B Q4_K_M

    © Ethical Hacking News. All rights reserved.