Are you responsible, as an administrator, for Citrix NetScaler ADC and NetScaler Gateway? Last week I reported on serious vulnerabilities in these Citrix products that should be closed promptly by patching. Citrix has now changed the description of CVE-2025-5777: the vulnerability (CVSS 9.3) is even more critical than expected. Citrix Bleed 2 is virtually back, and unpatched instances are extremely vulnerable.
What was Citrix Bleed (CVE-2023-4966)?
On October 10, 2023, Citrix issued security alert CTX579459 for the critical vulnerabilities CVE-2023-4966 and CVE-2023-4967 in NetScaler ADC and NetScaler Gateway. Multiple vulnerabilities had been discovered in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway).
The vulnerability CVE-2023-4966, later named Citrix Bleed, is an information disclosure vulnerability rated with a CVSS score of 9.4. It can be used to extract information: attackers could steal session tokens and use them for attacks. The ransomware group LockBit did exactly this. I provided information about the issue in the blog posts linked at the end of this article.
Citrix NetScaler ADC is a network device that provides load balancing, firewall and VPN services. Citrix NetScaler Gateway typically refers to the VPN and authentication components, while ADC refers to the load balancing and traffic management features. The products are a recurring source of problems and vulnerabilities.
Citrix Netscaler ADC vulnerability CVE-2025-5777 (June 2025)
On June 18, 2025, I reported several vulnerabilities in Citrix NetScaler ADC and NetScaler Gateway in the blog post Citrix Netscaler ADC: Critical vulnerabilities, update urgently.
Regarding the vulnerability CVE-2025-5777 (CVSS 9.3), it was stated that NetScaler ADC and NetScaler Gateway are affected by insufficient input validation. This leads to an out-of-bounds memory read (memory overread) on the NetScaler management interface.
Affected are NetScaler systems that are configured as a gateway (e.g. VPN vServer, ICA Proxy, Citrix Virtual Private Network, RDP Proxy or AAA vServer). A successful attack can lead to the extraction of sensitive data.
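As an added example (not code from Citrix or from the original post), the following Python script checks the text of an ns.conf file for the virtual server types listed above. It assumes the standard NetScaler configuration lines `add vpn vserver` and `add authentication vserver` and the options `-state` and `-icaOnly`; the sample configuration and the function name are constructed for illustration.

```python
import shlex

# Constructed sample in ns.conf syntax (not taken from a real appliance).
SAMPLE_NS_CONF = """\
# ns.conf excerpt
add lb vserver lb_web HTTP 10.0.0.10 80
add vpn vserver "gw external" SSL 203.0.113.10 443 -icaOnly ON
add vpn vserver gw_old SSL 203.0.113.11 443 -state DISABLED
add authentication vserver aaa_portal SSL 0.0.0.0
bind vpn vserver "gw external" -policy pol_ldap
"""

# vserver types that put an appliance in the affected configuration
# (assumption: standard "add <type> vserver <name> ..." config lines).
AFFECTED_TYPES = {"vpn": "Gateway vServer", "authentication": "AAA vServer"}


def find_affected_vservers(conf_text):
    """Return a dict for every Gateway or AAA vserver defined in conf_text."""
    found = []
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        try:
            tokens = shlex.split(line)  # honours quoted names with spaces
        except ValueError:
            continue  # unbalanced quote: not a line we can interpret
        if len(tokens) < 4:
            continue
        verb, kind, entity = (t.lower() for t in tokens[:3])
        if verb != "add" or entity != "vserver" or kind not in AFFECTED_TYPES:
            continue
        # Collect "-option value" pairs that follow the positional arguments.
        opts = {tokens[i].lower(): tokens[i + 1].upper()
                for i in range(4, len(tokens) - 1) if tokens[i].startswith("-")}
        found.append({
            "kind": kind,
            "role": AFFECTED_TYPES[kind],
            "name": tokens[3],
            "enabled": opts.get("-state", "ENABLED") != "DISABLED",
            "ica_only": opts.get("-icaonly") == "ON",
        })
    return found


if __name__ == "__main__":
    for vs in find_affected_vservers(SAMPLE_NS_CONF):
        state = "enabled" if vs["enabled"] else "disabled"
        print(f'{vs["role"]}: {vs["name"]} ({state}, icaOnly={vs["ica_only"]})')
```

Disabled virtual servers are reported as well, with their state, so that the decision whether an appliance is in scope for patching stays with the reviewer.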
Citrix Bleed 2 through CVE-2025-5777?
On June 23, 2025, the description of CVE-2025-5777 was probably updated. On June 17, 2025, it was still stated that the "Netscaler Management Interface" should not be exposed to the Internet because of the vulnerability. As of June 23, 2025, the reference to the Netscaler Management Interface has been removed (this can be viewed under CVE-2025-5777 by clicking the "show changes" link at the bottom of the page under "Change History").
Security researcher Kevin Beaumont noticed this and wrote about it on DoublePulsar in the article CitrixBleed 2: Electric Boogaloo — CVE-2025–5777 (Florian Roth pointed this out in a tweet). Beaumont writes that the vulnerability allows an attacker to read the memory of the NetScaler if it is configured as a gateway or AAA virtual server. He mentions remote access via Citrix, RDP, etc. This configuration is very common in large companies.
In his blog post, he outlines details and shows a Shodan.io search query that returns over 6,800 hits for Germany. Beaumont advises identifying the Citrix NetScaler instances exposed to the Internet, patching them as quickly as possible and terminating the sessions. At the latest when an exploit for CVE-2025-5777 is available and is used by cyber attackers, Citrix Bleed 2 is back.
Similar articles:
Citrix Bleed: Vulnerability CVE-2023-4966 leaks session tokens in NetScaler ADC and Gateway, PoC available
Citrix Netscaler ADC: Critical vulnerabilities, update urgently