Multiple critical vulnerabilities in Citrix NetScaler ADC and NetScaler Gateway appliances, first discovered in May 2025, pose severe risks to enterprise infrastructure. Three major flaws have been identified: CVE-2025-6543, a memory overflow with a CVSS score of 9.2 that is currently exploited in active attacks; CVE-2025-5777, known as CitrixBleed 2, an out-of-bounds read with a CVSS score of 9.3 that enables session hijacking and MFA bypass; and CVE-2025-5349, a high-severity improper access control flaw. Active exploitation of CVE-2025-6543 causes denial-of-service conditions and carries the potential for code execution on affected systems. CVE-2025-5777 has been confirmed as a zero-day exploited before public disclosure, which significantly elevates its threat profile. Affected versions are NetScaler ADC and Gateway releases prior to 14.1-47.46 and 13.1-59.19, as well as all end-of-life versions, including 12.1 and 13.0. Organizations must patch NetScaler appliances immediately and terminate active sessions after updating, so that session tokens exposed before the patch cannot be reused for session hijacking or authentication bypass.
Among the critical vulnerabilities identified in Citrix NetScaler ADC and Gateway appliances in June 2025, CVE-2025-6543 is the most severe. This memory overflow flaw carries a CVSS score of 9.2 and has been observed in active attacks against NetScaler infrastructure. Exploitation primarily results in denial of service, but the flaw has the potential for more severe outcomes, including unauthorized code execution. It affects appliances configured as VPNs, ICA proxies, CVPNs, RDP proxies, or AAA servers that run versions prior to 14.1-47.46 or 13.1-59.19, along with all unsupported 12.1 and 13.0 releases.
CVE-2025-5777, widely known as CitrixBleed 2, is the second critical flaw, with a CVSS score of 9.3. This out-of-bounds read lets attackers extract session tokens and authentication data directly from appliance memory, enabling session hijacking and multi-factor authentication bypass and echoing the 2023 CitrixBleed incident that compromised numerous NetScaler environments. Recent security analysis has confirmed that CVE-2025-5777 was exploited as a zero-day: Amazon's MadPot honeypot network detected exploitation attempts before the vulnerability's public disclosure. Public proof-of-concept exploit code is now available, which substantially increases the likelihood of widespread attacks.
Analysis of the attack patterns points to targeted, deliberate operations rather than broad automated scanning. Threat actors have shown advanced tradecraft when exploiting these flaws, including anti-forensic cleanup, harvesting of leaked memory, and persistence through web shells deployed on compromised appliances. Combined with targeted reconnaissance and stealthy post-exploitation activity, these behaviors are consistent with well-resourced threat groups.
Citrix has also addressed CVE-2025-5349, a high-severity improper access control vulnerability in the NetScaler management interface. Security updates for all three vulnerabilities are available in NetScaler 14.1-47.46 and later, 13.1-59.19 and later, and their respective FIPS/NDcPP variants. Patching alone, however, may be insufficient for systems that were already compromised: appliances exploited before the update may still harbor web shells or other persistence mechanisms and require thorough post-patch investigation. Appliances running unsupported versions, including 12.1 and 13.0, remain permanently exposed and must be upgraded or decommissioned.
Organizations must prioritize patching all customer-managed Citrix NetScaler ADC and Gateway appliances to secure versions immediately. The affected versions are 14.1 before 14.1-47.46, 13.1 before 13.1-59.19, and 13.1 FIPS/NDcPP before 13.1-37.236. Appliances running 12.1 or 13.0 should be decommissioned immediately; these versions are end-of-life and will not receive security patches for these vulnerabilities.
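As an added illustration (not code from the original advisory or from Citrix), the following Python script encodes the fixed builds and end-of-life branches listed above so that an inventory of build strings can be triaged into a patch or decommission queue. The build-string format, the assess and triage functions and the sample inventory are this example's own assumptions; release trains the advisory does not name are reported as unknown rather than guessed.

```python
"""Triage NetScaler ADC/Gateway build strings against the fixed builds and
end-of-life branches named in the advisory above.

Assumptions made for this example: build strings look like
"<major>.<minor>-<build>.<sub>" (e.g. "14.1-47.46"), and FIPS/NDcPP
appliances are flagged separately by the caller because their fixed build
differs from the standard 13.1 release train.
"""
import re

# Fixed builds exactly as stated in the advisory text, keyed by
# (release branch, is_fips_ndcpp). Branches not listed here are unknown.
FIXED_BUILDS = {
    ("14.1", False): (47, 46),
    ("13.1", False): (59, 19),
    ("13.1", True): (37, 236),
}

# Release branches the advisory lists as end-of-life: no fix will ship.
EOL_BRANCHES = {"12.1", "13.0"}

_BUILD_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")


def parse_build(build):
    """Split '14.1-47.46' into ('14.1', (47, 46)); raise on anything else."""
    m = _BUILD_RE.match(build.strip())
    if not m:
        raise ValueError(f"unrecognised build string: {build!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def assess(build, fips_ndcpp=False):
    """Classify one appliance build as 'eol', 'vulnerable', 'patched' or 'unknown'."""
    branch, number = parse_build(build)
    if branch in EOL_BRANCHES:
        return "eol"
    fixed = FIXED_BUILDS.get((branch, fips_ndcpp))
    if fixed is None:
        return "unknown"
    # Tuple comparison orders (47, 45) < (47, 46) and (46, 100) < (47, 46).
    return "vulnerable" if number < fixed else "patched"


def triage(inventory):
    """Group an inventory of (hostname, build, fips_ndcpp) by assessment.
    Hosts that come back 'vulnerable' or 'eol' form the patch/decommission queue."""
    groups = {"eol": [], "vulnerable": [], "patched": [], "unknown": []}
    for host, build, fips in inventory:
        groups[assess(build, fips)].append(host)
    return groups


# Constructed sample inventory: hostnames and builds invented for this example.
SAMPLE_INVENTORY = [
    ("gw-dc1-01", "14.1-47.46", False),
    ("gw-dc1-02", "14.1-43.50", False),
    ("gw-fips-01", "13.1-37.236", True),
    ("gw-fips-02", "13.1-37.207", True),
    ("gw-legacy-01", "13.0-92.21", False),
    ("gw-legacy-02", "12.1-55.300", False),
    ("gw-branch-03", "13.1-58.32", False),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:10s} {', '.join(hosts) or '-'}")
```

Note that a non-FIPS 13.1 appliance at 13.1-37.236 is still classified as vulnerable, because the 37.236 threshold applies only to the FIPS/NDcPP train; the caller must know which train an appliance runs.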
After applying the patches, organizations must proactively terminate all active ICA and PCoIP sessions to invalidate potentially compromised session tokens. Execute the following NetScaler CLI commands: kill icaconnection -all and kill pcoipConnection -all. This ensures that any session tokens exposed before patching are completely invalidated, preventing session hijacking against the patched infrastructure.
Public-facing appliances are the primary attack surface for these vulnerabilities. Organizations should restrict external access to NetScaler systems through VPNs, firewalls, or network segmentation wherever possible, and limit access to management interfaces and authentication services, including AAA virtual servers, to trusted IP ranges only. Reducing internet exposure significantly decreases the opportunities for exploitation.
Implement layered security measures to reduce risk even if exploitation occurs: enforce least privilege on all administrative interfaces, require strong authentication for NetScaler access, and segregate NetScaler systems from high-value targets within the network. Organizations must log access to all NetScaler interfaces for audit and alerting, so that suspicious activity and potential indicators of compromise can be detected.
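As an added example (not code from the original page or from Citrix), the following Python script shows how two of the controls above, restricting management access to trusted ranges and logging interface access for alerting, can be checked over exported log records. The key=value record format, the trusted ranges and the log lines are all constructed for this example and are not the appliance's real log format. A second check goes slightly beyond the paragraph: it flags an authenticated session seen from more than one source address, which is how a token extracted through the out-of-bounds read and replayed from elsewhere would surface in the logs.

```python
"""Two detection checks over exported access records.

Assumptions for this example: records have been normalised (for instance by
a SIEM) into one line per event of the form
"<ISO timestamp> key=value key=value ...", with at least iface, src, user
and result, and a session field on authenticated AAA traffic. This is NOT
the appliance's native log format.
"""
import ipaddress
from collections import defaultdict

# Trusted administrative source ranges: an assumption for this example,
# using RFC 5737 documentation addresses, not any real deployment's ranges.
TRUSTED_ADMIN_NETS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("10.10.0.0/16"),
]

# Constructed sample records. 198.51.100.77 is outside the trusted ranges
# and later reuses a session first established from 203.0.113.9.
SAMPLE_LOG = """\
2025-06-25T08:01:12Z iface=management src=192.0.2.15 user=admin1 event=login result=success
2025-06-25T08:02:40Z iface=management src=198.51.100.77 user=admin2 event=login result=failure
2025-06-25T08:02:45Z iface=management src=198.51.100.77 user=admin2 event=login result=success
2025-06-25T08:05:00Z iface=aaa-vserver src=203.0.113.9 user=jdoe session=s-7f3a event=auth result=success
2025-06-25T08:06:10Z iface=aaa-vserver src=203.0.113.9 user=jdoe session=s-7f3a event=request result=success
2025-06-25T08:09:30Z iface=aaa-vserver src=198.51.100.77 user=jdoe session=s-7f3a event=request result=success
2025-06-25T08:11:00Z iface=aaa-vserver src=203.0.113.40 user=asmith session=s-91c0 event=auth result=success
"""


def parse_line(line):
    """Split one record into its timestamp plus key=value fields."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = ts
    return fields


def parse_log(log_text):
    return [parse_line(l) for l in log_text.splitlines() if l.strip()]


def is_trusted_source(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_ADMIN_NETS)


def untrusted_management_access(records):
    """Management-interface events whose source lies outside the trusted ranges.
    Any hit, successful or not, means the network restriction is not enforced."""
    return [
        (r["ts"], r["src"], r["user"], r["result"])
        for r in records
        if r.get("iface") == "management" and not is_trusted_source(r["src"])
    ]


def sessions_used_from_multiple_sources(records):
    """Authenticated sessions observed from more than one source IP.
    A stolen token replayed by an attacker appears as the same session id
    from a second address; legitimate roaming can also trigger this, so it
    is a lead to investigate rather than proof of compromise."""
    sources = defaultdict(set)
    for r in records:
        if "session" in r:
            sources[r["session"]].add(r["src"])
    return {sid: sorted(ips) for sid, ips in sources.items() if len(ips) > 1}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for hit in untrusted_management_access(recs):
        print("ALERT untrusted management access:", hit)
    for sid, ips in sessions_used_from_multiple_sources(recs).items():
        print("ALERT session seen from multiple sources:", sid, ips)
```

Map the same fields from whatever your log pipeline actually emits for the appliance's audit and AAA events; the value of the second check rises sharply in the window between exposure and the post-patch session termination described above, when leaked tokens are most likely to still be valid.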