Ethical Hacking News
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical flaw in Citrix NetScaler ADC and Gateway to its Known Exploited Vulnerabilities (KEV) catalog, which may pose a significant risk to organizations relying on these systems for remote access and security. This vulnerability allows unauthenticated attackers to steal session cookies, potentially leading to unauthorized access to sensitive information and compromising the security of organizations that rely on Citrix NetScaler ADC and Gateway.
CISA has added Citrix NetScaler ADC and Gateway vulnerability CVE-2025-5777 to its KEV catalog, rated as critical. The vulnerability, dubbed "CitrixBleed 2", allows unauthenticated attackers to steal session cookies and compromise security. The issue is an insufficient input validation flaw that impacts NetScaler systems configured as Gateway or AAA virtual servers. The affected versions include NetScaler ADC and Gateway 12.1-FIPS, 14.1, 13.1-FIPS, and others. CISA orders federal agencies to fix the vulnerabilities by July 11, 2025, and experts recommend private organizations review the catalog and address the vulnerabilities.
The vulnerability, tracked as CVE-2025-5777, is dubbed "CitrixBleed 2" and has a CVSS v4.0 Base Score of 9.3. This critical flaw allows unauthenticated attackers to steal session cookies, potentially leading to unauthorized access to sensitive information and compromising the security of organizations that rely on Citrix NetScaler ADC and Gateway for remote access.
The vulnerability is an insufficient input validation issue leading to a memory overread. It impacts NetScaler appliances configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server. Even if an organization's NetScaler systems are not directly exposed to the internet, they may still be vulnerable to attacks through other connected devices or networks.
The vulnerability affects supported versions of NetScaler ADC and Gateway, including:
* NetScaler ADC 12.1-FIPS BEFORE 12.1-55.328-FIPS
* NetScaler ADC and NetScaler Gateway 14.1 BEFORE 14.1-43.56
* NetScaler ADC and NetScaler Gateway 13.1 BEFORE 13.1-58.32
* NetScaler ADC 13.1-FIPS and NDcPP BEFORE 13.1-37.235-FIPS and NDcPP
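The following is an added example, not part of the original article or any Citrix tooling: a small inventory triage that compares installed builds against the fixed builds listed above. The input notation (`<release>-<build>[-FIPS|-NDcPP]`), the function names and the sample hostnames are assumptions made for illustration.

```python
import re

# First fixed build per (release, is_fips_track), taken from the list above.
FIXED = {
    ("14.1", False): (43, 56),
    ("13.1", False): (58, 32),
    ("13.1", True): (37, 235),   # 13.1-FIPS and NDcPP
    ("12.1", True): (55, 328),   # 12.1-FIPS
}

# Assumed notation, modeled on the page: "13.1-58.32" or "13.1-37.235-FIPS".
# The FIPS/NDcPP suffix must be present for builds on that track.
VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)(?:-(FIPS|NDcPP))?$", re.IGNORECASE)

def classify(version: str) -> str:
    """Return 'vulnerable', 'fixed', 'not-listed' or 'unparsed' for one version string."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return "unparsed"
    release, major, minor, track = m.group(1), int(m.group(2)), int(m.group(3)), m.group(4)
    fixed = FIXED.get((release, track is not None))
    if fixed is None:
        # The list above gives no threshold for this release/track; do not guess.
        return "not-listed"
    # Compare builds as integer tuples so that 58.4 < 58.32 (a string compare gets this wrong).
    return "vulnerable" if (major, minor) < fixed else "fixed"

def triage(inventory: dict) -> dict:
    """Group hostnames by classification so hosts needing action are easy to pull out."""
    report = {}
    for host, version in inventory.items():
        report.setdefault(classify(version), []).append(host)
    return {status: sorted(hosts) for status, hosts in report.items()}

# Constructed inventory (hypothetical hostnames and builds).
SAMPLE = {
    "gw-edge-01": "14.1-43.56",
    "gw-edge-02": "14.1-38.53",
    "gw-dmz-01": "13.1-58.4",
    "gw-fips-01": "13.1-37.235-FIPS",
    "gw-fips-02": "12.1-55.321-FIPS",
    "gw-legacy": "13.0-92.31",
    "gw-unknown": "NS14.1",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status}: {', '.join(hosts)}")
```

A `not-listed` or `unparsed` result only means the list above has no threshold for that input; those hosts still need to be checked against the vendor advisory.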
Security researcher Kevin Beaumont highlighted the similarities between this vulnerability and a previous critical exploit, known as CitrixBleed (CVE-2023-4966). He noted that the new vulnerability has similar characteristics and can lead to the same issues, including the potential for session tokens to be stolen and used to bypass multi-factor authentication.
Beaumont explained that the flaw allows attackers to read memory from NetScaler devices set up as Gateways or AAA virtual servers. These configurations are common in large organizations for remote access via Citrix, RDP, etc. He emphasized that the vulnerability can potentially lead to sensitive information being exposed, including session tokens that can be replayed to steal Citrix sessions.
Citrix has also addressed a second, high-severity flaw, tracked as CVE-2025-5349, which impacts NetScaler's management interface. The issue is due to improper access control and is exploitable if attackers can access the NSIP, Cluster IP, or Local GSLB IP.
CISA orders federal agencies to fix the vulnerabilities by July 11, 2025, and experts recommend that private organizations review the catalog and address the vulnerabilities in their infrastructure. The vendor recommends upgrading all NetScaler appliances and running commands to terminate all active ICA and PCoIP sessions for full risk mitigation.
In conclusion, this critical vulnerability in Citrix NetScaler ADC and Gateway highlights the importance of keeping software up-to-date and monitoring systems for known exploits. Organizations relying on these systems must take immediate action to patch their vulnerabilities and assess their own systems for potential exposure.
Published: Fri Jul 11 05:22:27 2025 by llama3.2 3B Q4_K_M