CVE-2025-5777

Citrix Bleed 2

CVE-2025-5777 is a buffer overread vulnerability discovered in Citrix NetScaler ADC and NetScaler Gateway. This critical vulnerability is due to insufficient input validation, allowing an unauthenticated attacker to reflect memory contents from the server to the client. This can enable the attacker to read sensitive information directly from the server’s memory.

The vulnerability affects NetScaler ADC and NetScaler Gateway versions 14.1 BEFORE 14.1-43.56, 13.1 BEFORE 13.1-58.32, 13.1-FIPS and NDcPP BEFORE 13.1-37.235-FIPS and NDcPP, and 12.1-FIPS BEFORE 12.1-55.328-FIPS. Additionally, NetScaler ADC and NetScaler Gateway versions 12.1 and 13.0, which are End Of Life (EOL), are also vulnerable. Secure Private Access on-prem or Hybrid deployments using NetScaler instances are also impacted. Exploitation requires NetScaler to be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or an AAA virtual server. This vulnerability is classified as CWE-125: Out-of-bounds Read and has a CVSSv4 Base Score of 9.3.

Impact

Successful exploitation of this vulnerability can lead to:

• Unauthorized access to sensitive information from the server’s memory.
• Can be used to leak session tokens that enable attackers to access the appliance directly bypassing MFA.
• Potential for further attacks due to exposed sensitive data.
• Complete control over the affected system, including accessing sensitive data, modifying or deleting system resources, and potentially installing malware or creating backdoors.

Mitigations

• It is strongly recommended to install the relevant updated versions as soon as possible:
  • NetScaler ADC and NetScaler Gateway 14.1-43.56 and later releases
  • NetScaler ADC and NetScaler Gateway 13.1-58.32 and later releases of 13.1
  • NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.235 and later releases
  • NetScaler ADC 12.1-FIPS 12.1-55.328 and later releases

Rapid Response N-Day Testing