A critical vulnerability in Citrix Netscaler is raising concerns that hackers will launch a wave of attacks rivaling or even surpassing the exploitation seen during the “CitrixBleed” crisis in 2023.
The vulnerability, tracked as CVE-2025-5777, involves insufficient input validation, which can lead to a memory overread when Netscaler is configured as a Gateway. The vulnerability has a severity score of 9.3.
Security researchers said that while they have seen no active exploitation thus far, the vulnerability needs to be carefully monitored and they fully expect to see malicious actors take advantage of the flaw.
“CVE-2025-5777 is shaping up to be every bit as serious as CitrixBleed, a vulnerability that caused havoc for end-users of Citrix Netscaler appliances in 2023 and beyond as the initial breach vector for numerous high-profile incidents,” Benjamin Harris, CEO at watchTowr, told Cybersecurity Dive via email.
Harris noted that key details about the risk have quietly evolved since the initial disclosure, particularly regarding initial claims that the flaw was found in the less-exposed management interface. That language has now been removed, Harris said, making the vulnerability more dangerous than originally known.
Security researcher Kevin Beaumont also warned that the vulnerability could rival the exploitation risk seen during the original CitrixBleed crisis, which exploited a vulnerability tracked as CVE-2023-4966.
“This vulnerability could have severe consequences, as it allows for the disclosure of session tokens and the hijacking of user sessions. While we haven't observed any exploitation in the wild at this time, we strongly recommend organizations patch it immediately,” said Casey Charrier, senior analyst, Google Threat Intelligence Group.
Researchers from Google also warned that a newly disclosed vulnerability in Netscaler, tracked as CVE-2025-6543, is under active exploitation. The memory overflow vulnerability could lead to unintended control flow and denial of service in Netscaler ADC and Netscaler Gateway when configured as a Gateway, according to the update from the National Vulnerability Database.
The vulnerability, which has a base severity score of 9.2, has been exploited in the wild as a zero-day, according to Charles Carmakal, CTO, Mandiant Consulting - Google Cloud.
Cloud Software Group urged users to apply updates immediately.
The new vulnerability is considered separate from CVE-2025-5777.
The affected products are the same ones involved in the CitrixBleed event, which involved widespread nation-state and cyber-criminal exploitation, most prominently by the hacker gang dubbed LockBit 3.0.
Those attacks affected a number of prominent companies, including Boeing.
The Cybersecurity and Infrastructure Security Agency released guidance on Tuesday urging critical infrastructure organizations to adopt the use of memory-safe programming languages, which can reduce the prevalence of similar vulnerabilities.
Cloud Software Group recently recommended that all customers immediately upgrade to secure versions of Netscaler ADC and Netscaler Gateway.
In a security bulletin on its help site, Citrix noted that versions 12.1 and 13.0 of the two affected products have reached end-of-life status and are vulnerable and need to be immediately upgraded.
Officials from the Australian Signals Directorate last week urged security teams to immediately upgrade their systems to secure versions of the two products.
(adds comments from Google/Mandiant and Citrix)