
CVE-2025-5777, CVE-2025-6543: Frequently Asked Questions About CitrixBleed 2 and Citrix NetScaler Exploitation




Frequently asked questions about recent Citrix NetScaler ADC and Gateway vulnerabilities that have reportedly been exploited in the wild, including CVE-2025-5777 known as CitrixBleed 2.

Background

Tenable’s Research Special Operations (RSO) team has compiled this blog to answer Frequently Asked Questions (FAQ) regarding CVE-2025-5777 and CVE-2025-6543, two Citrix NetScaler ADC and Gateway vulnerabilities that have reportedly been exploited in the wild.

FAQ

What vulnerabilities have been exploited?

As of the publication of this blog on June 27, active exploitation has been reported for the following CVEs:

CVE            Description                                                                          CVSSv4  Severity
CVE-2025-5777  Citrix NetScaler ADC and Gateway Out-of-Bounds Read Vulnerability (“CitrixBleed 2”)  9.3     Critical
CVE-2025-6543  Citrix NetScaler ADC and Gateway Denial of Service (DoS) Vulnerability               9.2     Critical

What is CVE-2025-5777 (CitrixBleed 2)?

CVE-2025-5777 is an out-of-bounds read vulnerability affecting Citrix NetScaler ADC and Gateway. Successful exploitation of this vulnerability would allow an attacker to read memory on an affected device, giving the attacker access to sensitive data including session tokens. These session tokens can be used to bypass multi-factor authentication (MFA) and allow the attacker to take over an authenticated session.

Image: CitrixBleed 2 (Source: Kevin Beaumont)

Why is CVE-2025-5777 being called CitrixBleed 2?

The moniker CitrixBleed 2 was given to CVE-2025-5777 by security researcher Kevin Beaumont, who observed that this vulnerability is very similar to CVE-2023-4966, also known as CitrixBleed. The original CitrixBleed was widely abused by both ransomware groups and other threat actors, including advanced persistent threat (APT) actors. Given the similarities and likelihood of exploitation, Beaumont warned that “organisations patch, unless they want to become the detection in the wild after a security incident.”

When was CVE-2025-5777 first disclosed?

CVE-2025-5777 was disclosed by Citrix in security bulletin CTX693420 on June 17. In the same security bulletin, Citrix also addressed CVE-2025-5349, an improper access control vulnerability affecting the NetScaler Management Interface.

Was CVE-2025-5777 exploited as a zero-day?

As of June 27, there is no indication that CVE-2025-5777 (CitrixBleed 2) was exploited as a zero-day. The initial security bulletin from Citrix did not contain any language about exploitation; however, on June 26, ReliaQuest released a blog post in which they note they have observed “indications of exploitation” and further state “ReliaQuest assesses with medium confidence that attackers are actively exploiting this vulnerability to gain initial access to targeted environments.” At the time this blog was published, Citrix had not updated their security bulletin to indicate active exploitation of CVE-2025-5777.

What is CVE-2025-6543?

CVE-2025-6543 is a DoS vulnerability resulting from a memory overflow issue. While there are similarities in the vulnerability descriptions from Citrix between CVE-2025-6543 and CVE-2025-5777, Citrix released a Cloud Software Group blog post clarifying that these two vulnerabilities are not related.

When was CVE-2025-6543 first disclosed?

CVE-2025-6543 was disclosed in security bulletin CTX694788 on June 25.

Was CVE-2025-6543 exploited as a zero-day?

Yes, CVE-2025-6543 was exploited in the wild as a zero-day. The initial security bulletin release indicated that exploitation had been observed and Citrix confirmed in their supplementary blog post on June 26 that CVE-2025-6543 was exploited as a zero-day.

Is there a proof-of-concept (PoC) available for these vulnerabilities?

As of the release of this blog post on June 27, no PoC has been publicly released for either of these vulnerabilities.

Are patches or mitigations available for CVE-2025-5777?

Yes, Citrix released patches for the following NetScaler ADC and Gateway versions; the same patches also address CVE-2025-5349, which is not known to have been exploited:

Affected Product                         Affected Version      Fixed Version
NetScaler ADC and NetScaler Gateway      Prior to 13.1-58.32   13.1-58.32 and later releases of 13.1
NetScaler ADC and NetScaler Gateway      Prior to 14.1-43.56   14.1-43.56 and later releases
NetScaler ADC 12.1-FIPS                  Prior to 12.1-55.328  12.1-55.328 and later releases of 12.1-FIPS
NetScaler ADC 13.1-FIPS and 13.1-NDcPP   Prior to 13.1-37.235  13.1-37.235 and later releases of 13.1-FIPS and 13.1-NDcPP

Versions 12.1 and 13.0 of NetScaler ADC and Gateway are end of life (EOL) and will not receive security updates. Therefore, customers are strongly encouraged to upgrade to a fixed version listed above as soon as possible.

In addition, Citrix recommends terminating all active ICA and PCoIP sessions after applying the updates using the following commands:

  • kill icaconnection -all
  • kill pcoipConnection -all

We strongly recommend reviewing security bulletin CTX693420 for the latest guidance as additional instructions and recommendations may be updated in the future.

Are patches or mitigations available for CVE-2025-6543?

Yes, Citrix released patches for the following NetScaler ADC and Gateway versions:

Affected Product                         Affected Version      Fixed Version
NetScaler ADC and NetScaler Gateway      Prior to 13.1-59.19   13.1-59.19 and later releases of 13.1
NetScaler ADC and NetScaler Gateway      Prior to 14.1-47.46   14.1-47.46 and later releases of 14.1
NetScaler ADC 13.1-FIPS and NDcPP        Prior to 13.1-37.236  13.1-37.236 and later releases of 13.1-FIPS and 13.1-NDcPP

Versions 12.1 and 13.0 of NetScaler ADC and Gateway are end of life (EOL) and will not receive security updates. Therefore, customers are strongly encouraged to upgrade to a fixed version listed above as soon as possible.

Note that according to the security bulletin, “NetScaler must be configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server” in order to be vulnerable to CVE-2025-6543.
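As an added example (not code from Tenable or Citrix), the following Python helper applies the fixed-version tables from both patch sections above to a NetScaler build string, so one check answers whether an appliance is patched for CVE-2025-5777, CVE-2025-6543, both, or neither. It assumes the operator knows whether the appliance runs a FIPS/NDcPP build, since the build string alone does not say so, and the 13.0 build number used in the demo is constructed.

```python
"""Added example: check a NetScaler build string against the fixed versions
Citrix published for CVE-2025-5777 and CVE-2025-6543 (tables transcribed from
the FAQ above). The ``fips`` flag is an assumption: FIPS/NDcPP builds use a
separate, lower-numbered 13.1-37.x / 12.1-55.x line, so comparing them against
the standard 13.1/12.1 fixed builds would give the wrong answer."""
import re

FIXED = {  # branch -> first fixed build, per CVE
    "CVE-2025-5777": {"13.1": "13.1-58.32", "14.1": "14.1-43.56",
                      "12.1-FIPS": "12.1-55.328", "13.1-FIPS": "13.1-37.235"},
    "CVE-2025-6543": {"13.1": "13.1-59.19", "14.1": "14.1-47.46",
                      "13.1-FIPS": "13.1-37.236"},
}
EOL = {"12.1", "13.0"}  # no fixes published; upgrading is the only remediation


def parse_build(version):
    """'13.1-58.32' -> (13, 1, 58, 32); int tuples compare correctly as versions."""
    m = re.fullmatch(r"(\d+)\.(\d+)-(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler build string: {version!r}")
    return tuple(int(x) for x in m.groups())


def assess(version, fips=False):
    """Return {cve: 'fixed' | 'vulnerable' | 'eol' | 'not-listed'} for one appliance.
    'not-listed' means the bulletins quoted in the FAQ give no fixed build for
    this branch, so the answer must come from Citrix, not from this table."""
    build = parse_build(version)
    branch = f"{build[0]}.{build[1]}" + ("-FIPS" if fips else "")
    result = {}
    for cve, table in FIXED.items():
        if branch in table:
            result[cve] = "fixed" if build >= parse_build(table[branch]) else "vulnerable"
        elif not fips and branch in EOL:
            result[cve] = "eol"
        else:
            result[cve] = "not-listed"
    return result


if __name__ == "__main__":
    # 13.1-58.32 closes CitrixBleed 2 but is still below the CVE-2025-6543 fix;
    # 13.0-92.21 is a constructed build number for an EOL branch.
    for ver, fips in [("13.1-58.32", False), ("14.1-47.46", False),
                      ("13.1-37.235", True), ("13.0-92.21", False)]:
        print(ver, "FIPS" if fips else "", assess(ver, fips))
```

A "fixed" result for CVE-2025-5777 still leaves the session-termination step from the bulletin (kill icaconnection -all, kill pcoipConnection -all) to be done, since tokens read before the patch remain valid until their sessions are killed.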

Are Indicators of Compromise (IoCs) available?

According to the Citrix Cloud Software Group blog post, customers should contact Citrix customer support for updates on IoCs. We also recommend reviewing their blog post for further updates on both CVE-2025-5777 and CVE-2025-6543.

Has Tenable released any product coverage for these vulnerabilities?

A list of Tenable plugins for these vulnerabilities can be found on the individual CVE pages as they’re released:

This link will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.

Get more information

Join Tenable's Research Special Operations (RSO) Team on the Tenable Community.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

