EXPEL BLOG

Security alert: Citrix NetScaler ADC and NetScaler Gateway vulnerabilities allow unauthorized access

· 2 MIN READ · AARON WALTON · JUN 28, 2025 · TAGS: MDR / SOC / Vulnerability / vulnerability prioritization

TL;DR

  • Citrix disclosed two vulnerabilities (CVE-2025-5777 and CVE-2025-6543) that impact NetScaler ADC and NetScaler Gateway
  • When exploited, these vulnerabilities would allow a threat actor to gain unauthorized access to affected devices or steal sessions
  • We recommend patching these vulnerabilities and updating to more recent versions of the software as soon as possible

What happened?

On June 17, 2025, and June 25, 2025, Citrix released security bulletins for vulnerabilities CVE-2025-5777 and CVE-2025-6543, respectively, which impact NetScaler ADC and NetScaler Gateway. At the time of disclosure, Citrix observed threat actors exploiting CVE-2025-6543 but did not share indicators.

Why does it matter?

These are severe vulnerabilities that, if successfully exploited, would allow a threat actor to gain unauthorized access to affected devices or steal sessions.

Additional research into CVE-2025-6543 reveals that adversaries can leverage it to deploy webshells for persistent access to Citrix devices.

Citrix updated CVE-2025-5777 on June 23, 2025, to clarify the type of access required to exploit the vulnerability. With this change, the community came to better understand that CVE-2025-5777 could expose user sessions similar to CVE-2023-4966 (Citrix Bleed).

What should you do right now?

While we’ve been monitoring the vulnerabilities since Citrix disclosed them, we’ve now observed activity we believe to be the result of exploitation of these vulnerabilities. Affected customers should patch vulnerable devices immediately.

For CVE-2025-5777, Citrix recommends that affected customers of NetScaler ADC and NetScaler Gateway install the relevant updated versions as soon as possible.

  • NetScaler ADC and NetScaler Gateway 14.1-43.56 and later releases
  • NetScaler ADC and NetScaler Gateway 13.1-58.32 and later releases of 13.1
  • NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.235 and later releases of 13.1-FIPS and 13.1-NDcPP
  • NetScaler ADC 12.1-FIPS 12.1-55.328 and later releases of 12.1-FIPS

Regarding CVE-2025-6543, Citrix urges affected customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions as soon as possible.

  • NetScaler ADC and NetScaler Gateway 14.1-47.46 and later releases
  • NetScaler ADC and NetScaler Gateway 13.1-59.19 and later releases of 13.1
  • NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.236 and later releases of 13.1-FIPS and 13.1-NDcPP. Customers should contact support (https://support.citrix.com/support-home/home) to obtain the 13.1-FIPS and 13.1-NDcPP builds that address this issue.
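To turn the two fixed-build lists above into a quick fleet check, here is an added example (not Expel's or Citrix's code) that parses a NetScaler version banner and reports, per CVE, whether the build meets the minimum fixed build for its release train. It assumes the banner looks like the `NetScaler NSxx.y: Build a.b.nc` form and that the operator knows whether the appliance runs a FIPS/NDcPP build; trains with no fixed build listed in the bulletins (for example 13.0 or standard 12.1) are reported as such and should be treated as unpatched.

```python
import re

# Minimum fixed builds from the Citrix bulletins quoted in this post.
# Key: (release train, variant); value: (build, sub-build) as integers.
# variant is "standard" or "fips_ndcpp" (the latter covers both FIPS and NDcPP).
FIXED_BUILDS = {
    "CVE-2025-5777": {
        ("14.1", "standard"):   (43, 56),
        ("13.1", "standard"):   (58, 32),
        ("13.1", "fips_ndcpp"): (37, 235),
        ("12.1", "fips_ndcpp"): (55, 328),
    },
    "CVE-2025-6543": {
        ("14.1", "standard"):   (47, 46),
        ("13.1", "standard"):   (59, 19),
        ("13.1", "fips_ndcpp"): (37, 236),
    },
}

# Assumed banner format, e.g. "NetScaler NS14.1: Build 43.56.nc, Date: ..."
VERSION_RE = re.compile(r"NS(\d+\.\d+):\s*Build\s+(\d+)\.(\d+)")


def parse_version(banner: str) -> tuple[str, tuple[int, int]]:
    """Return (release train, (build, sub-build)) from a version banner."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognised NetScaler version banner: {banner!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def assess(banner: str, variant: str = "standard") -> dict[str, str]:
    """Map each CVE to 'patched', 'vulnerable', or 'no_fixed_build'."""
    train, build = parse_version(banner)
    result = {}
    for cve, table in FIXED_BUILDS.items():
        fixed = table.get((train, variant))
        if fixed is None:
            # Bulletin lists no fixed build for this train/variant: treat as unpatched.
            result[cve] = "no_fixed_build"
        else:
            # Integer tuple comparison orders builds correctly (47.46 > 43.56).
            result[cve] = "patched" if build >= fixed else "vulnerable"
    return result


if __name__ == "__main__":
    # Constructed sample banner, not output captured from a real appliance.
    print(assess("NetScaler NS14.1: Build 43.56.nc, Date: May 12 2025"))
```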

Additionally, Mandiant’s guidance from 2023 can further enable organizations investigating the activity. And this IOC scanner can help identify possible webshells from CVE-2025-6543 exploitation.

What’s next?

We’ll update this post with notable developments, but if you or your team have any additional questions regarding this vulnerability, or information regarding signs of exploitation, please contact us.