CVE-2025-5777
CVE-2025-5777 is a high-severity vulnerability in Citrix Netscaler Application Delivery Controller with a CVSS 3.x base score of 7.5. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2025-07-10). The underlying weakness is classified as CWE-908.
Key facts
- Severity: High (CVSS 3.x base score 7.5)
- CVSS v4: 9.3
- EPSS exploit prediction: 100% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2025-07-10)
- EU (EUVD) id: EUVD-2025-18497
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2025-07-10)
- Weakness: CWE-908
- Affected product: Citrix Netscaler Application Delivery Controller
- Published:
- Last modified:
Description
Insufficient input validation leading to memory overread when the NetScaler is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server
CVE-2025-5777: CitrixBleed 2 — NetScaler Gateway Memory Disclosure
AI-generated analysis based on the vulnerability data on this page.
| CVE | CVSS v3 | CVSS v4 | CWE | EPSS | KEV |
|---|---|---|---|---|---|
| CVE-2025-5777 | 7.5 (High) | 9.3 (Critical) | CWE-908 | 0.99897 | Yes (2025-07-10) |
Summary
CVE-2025-5777, commonly referred to as "CitrixBleed 2," is a memory-overread vulnerability in Citrix NetScaler ADC and Gateway appliances. When the NetScaler is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, or RDP Proxy) or an AAA virtual server, insufficient input validation on an exposed network path allows an unauthenticated attacker to read arbitrary memory from the appliance. This can disclose active session tokens, credentials, and other sensitive secrets, enabling session hijacking and lateral movement.
Background
In mid-2025, security researchers identified a successor to the 2023 CitrixBleed vulnerability (CVE-2023-4966). The new flaw—CVE-2025-5777—resides in the same request-handling path of NetScaler Gateway and AAA virtual servers. Unlike its predecessor, which was a buffer overflow, this variant is a memory overread caused by inadequate bounds checking on a network-facing request handler. The vulnerability has been actively exploited in the wild and was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on 10 July 2025. Threat-intelligence data also associates it with ransomware operations.
Root Cause
The vulnerability is classified as CWE-908: Use of Uninitialized Resource. Specifically, an input-validation gap in the request-handling logic for Gateway and AAA virtual servers allows a malformed request to reference memory beyond the intended buffer. Because the server does not properly constrain the request parameters before using them as an offset or size into heap memory, the response includes adjacent heap contents. The attacker never gains code execution on the appliance; instead, the flaw acts as a pure information-disclosure primitive.
Impact
- Confidentiality: CVSS v3 scores this metric as HIGH because the attacker can extract active session tokens, cookies, and other secrets from memory. The CVSS v4 vector reinforces this with VC:H/VI:H/VA:H (high impact on confidentiality, integrity, and availability of the vulnerable component), resulting in a CRITICAL 9.3 score.
- Integrity / Availability: The CVSS v3 base metrics show I:N/A:N (no direct impact on integrity or availability), but the practical risk is severe: hijacked sessions can be replayed to modify gateway configurations or pivot into the internal network.
- Scope: The attack requires NO privileges and NO user interaction, and the attack vector is NETWORK-accessible (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U).
- Exploitation: With an EPSS score of 0.99897 and active ransomware linkage, the probability of in-the-wild exploitation is effectively certain.
Exploitation Walkthrough (Defensive Perspective)
Ethics caveat: This section is provided for defensive analysis only. Attempting to exploit this vulnerability against systems you do not own or have explicit permission to test is illegal and unethical.
From a defensive standpoint, the attack traffic is typically characterized by:
- Unauthenticated TLS connections to the Gateway or AAA virtual server.
- A malformed request with an oversized or crafted parameter that triggers the memory-overread path.
- Abnormally large server responses that contain high-entropy data (session tokens, cookies, or memory artifacts) rather than expected HTML or JSON.
- Rapid, repeated requests from the same source IP, often cycling through different offsets or request shapes to harvest memory pages.
- Noisy session-log entries showing a large number of authentication failures or truncated responses, because the attacker is probing rather than logging in.
Because the attack is unauthenticated and network-based, any internet-facing NetScaler Gateway or AAA virtual server is a direct target. The appliance does not log the leaked memory contents, so forensic recovery of the exact data disclosed requires packet captures or TLS inspection.
Affected and Patched Versions
The official Citrix security advisory (CTX693420) should be consulted for the definitive list of affected firmware versions and fixed releases. Based on the CPE data associated with this CVE, the following product lines are known to be impacted:
- Citrix NetScaler Application Delivery Controller (ADC) — all deployment types including FIPS and nDCPP variants
- Citrix NetScaler Gateway
Organizations should verify whether their appliances are configured as:
- Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy), or
- AAA virtual server
If either role is active, the appliance is in the vulnerable attack surface. The specific patched firmware versions are not available in the source data; refer to the Citrix support link below for the latest hotfixes and build numbers.
Remediation
- Upgrade firmware immediately to a version covered by Citrix’s security advisory. Because this vulnerability is under active ransomware exploitation, patching should be treated as an emergency change.
- Apply compensating controls while patching is queued:
- Restrict network access to the Gateway/AAA virtual server to known IP ranges or VPN concentrators.
- Enable TLS inspection or forward proxy logging to detect abnormal response sizes.
- Increase WAF/virtual-server rule strictness to block malformed requests that match known exploit patterns.
- Rotate all session tokens and credentials that may have traversed the affected appliance since the earliest known exploitation date (mid-June 2025, per open-source reporting).
- Review gateway configuration backups to ensure no unauthorized changes were made via hijacked administrative sessions.
Detection
- Network monitoring: Watch for large outbound TLS record sizes from the NetScaler to external clients, especially when the client sent a very small request. IDS/IPS signatures for this specific exploit pattern may be available from your vendor.
- Session-log analysis: Flag sessions that show repeated connection attempts from the same IP without ever completing a successful authentication.
- Memory-dump scanning: If a forensic image of the appliance is available, look for session-cookie strings and credential artifacts in non-standard heap regions.
- Threat-intelligence feeds: Correlate source IPs with known exploit-in-the-wild indicators (IOCs) published by CISA, Horizon3, and WatchTowr.
Assessment
- EPSS / KEV context: With an EPSS of 0.99897 and a KEV listing date of 2025-07-10, this vulnerability is one of the highest-probability exploitation risks on the internet today. The presence of ransomware linkage means that unpatched appliances are likely to be targeted for credential theft and follow-on encryption.
- Lessons: (1) Memory-safe request parsing remains critical for network appliances; even a read-only memory disclosure can be catastrophic when the leaked data includes session-bound secrets. (2) Rapid patch cycles for edge-gateway appliances are non-negotiable—attackers begin scanning within days of public disclosure, as seen here with exploitation starting in mid-June 2025 before the KEV entry.
References
- https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX693420
- https://citrixbleed.com
- https://horizon3.ai/attack-research/attack-blogs/cve-2025-5777-citrixbleed-2-write-up-maybe/
- https://labs.watchtowr.com/how-much-more-must-we-bleed-citrix-netscaler-memory-disclosure-citrixbleed-2-cve-2025-5777/
- https://www.bleepingcomputer.com/news/security/cisa-tags-citrix-bleed-2-as-exploited-gives-agencies-a-day-to-patch/
- https://www.netscaler.com/blog/news/netscaler-critical-security-updates-for-cve-2025-6543-and-cve-2025-5777/
- https://www.theregister.com/2025/07/10/cisa_citrixbleed_kev/
- https://doublepulsar.com/citrixbleed-2-exploitation-started-mid-june-how-to-spot-it-f3106392aa71
- https://reliaquest.com/blog/threat-spotlight-citrix-bleed-2-vulnerability-in-netscaler-adc-gateway-devices/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-5777
Frequently asked questions
- What is CVE-2025-5777?
- Insufficient input validation leading to memory overread when the NetScaler is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server
- How severe is CVE-2025-5777?
- CVE-2025-5777 has a CVSS 3.x base score of 7.5, rated high severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity none, and availability none.
- Is CVE-2025-5777 being actively exploited?
- Yes. CVE-2025-5777 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2025-07-10, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2025-5777?
- CVE-2025-5777 primarily affects Citrix Netscaler Application Delivery Controller. In total, 4 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2025-5777?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2025-5777 have an EU (EUVD) identifier?
- Yes. CVE-2025-5777 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-18497. It is also flagged as exploited in the EUVD (since 2025-07-10).
- When was CVE-2025-5777 published?
- CVE-2025-5777 was published on 2025-06-17 and last updated on 2026-06-17.
References
- https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX693420
- https://citrixbleed.com
- https://horizon3.ai/attack-research/attack-blogs/cve-2025-5777-citrixbleed-2-write-up-maybe/
- https://labs.watchtowr.com/how-much-more-must-we-bleed-citrix-netscaler-memory-disclosure-citrixbleed-2-cve-2025-5777/
- https://www.bleepingcomputer.com/news/security/cisa-tags-citrix-bleed-2-as-exploited-gives-agencies-a-day-to-patch/
- https://www.netscaler.com/blog/news/netscaler-critical-security-updates-for-cve-2025-6543-and-cve-2025-5777/
- https://www.theregister.com/2025/07/10/cisa_citrixbleed_kev/
- https://doublepulsar.com/citrixbleed-2-exploitation-started-mid-june-how-to-spot-it-f3106392aa71
- https://reliaquest.com/blog/threat-spotlight-citrix-bleed-2-vulnerability-in-netscaler-adc-gateway-devices/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-5777
Affected products (4)
- cpe:2.3:a:citrix:netscaler_application_delivery_controller:*:*:*:*:fips:*:*:*
- cpe:2.3:a:citrix:netscaler_application_delivery_controller:*:*:*:*:ndcpp:*:*:*
- cpe:2.3:a:citrix:netscaler_application_delivery_controller:*:*:*:*:-:*:*:*
- cpe:2.3:a:citrix:netscaler_gateway:*:*:*:*:*:*:*:*
More vulnerabilities in Citrix Netscaler Application Delivery Controller
- CVE-2014-2882 — Critical (CVSS 10.0): Unspecified vulnerability in the management GUI in Citrix NetScaler Application Delivery Controller (ADC) and NetScaler…
- CVE-2014-2881 — Critical (CVSS 10.0): Unspecified vulnerability in the Diffie-Hellman key agreement implementation in the management GUI Java applet in…
- CVE-2026-8655 — Critical (CVSS 9.8): Multiple Memory overflow vulnerabilities in NetScaler ADC and NetScaler Gateway leading to unpredictable or erroneous…
- CVE-2026-8452 — Critical (CVSS 9.8): Memory overflow vulnerability NetScaler ADC and NetScaler Gateway leading to unpredictable or erroneous behavior and…
- CVE-2026-3055 — Critical (CVSS 9.8): Insufficient input validation in NetScaler ADC and NetScaler Gateway when configured as a SAML IDP leading…
- CVE-2025-7776 — Critical (CVSS 9.8): Memory overflow vulnerability leading to unpredictable or erroneous behavior and Denial of Service in NetScaler ADC…
All CVEs affecting Citrix Netscaler Application Delivery Controller →
Other CWE-908 (Use of Uninitialized Resource) vulnerabilities
- CVE-2025-1942 — Critical (CVSS 9.8): When String.toUpperCase() caused a string to get longer it was possible for uninitialized memory to be incorporated…
- CVE-2024-47540 — Critical (CVSS 9.8): GStreamer is a library for constructing graphs of media-handling components. An uninitialized stack variable…
- CVE-2024-32611 — Critical (CVSS 9.8): HDF5 Library through 1.14.3 may use an uninitialized value in H5A__attr_release_table in H5Aint.c.
- CVE-2023-24941 — Critical (CVSS 9.8): Windows Network File System Remote Code Execution Vulnerability
- CVE-2022-26437 — Critical (CVSS 9.8): In httpclient, there is a possible out of bounds write due to uninitialized data. This could lead to remote escalation…
- CVE-2021-45703 — Critical (CVSS 9.8): An issue was discovered in the tectonic_xdv crate before 0.1.12 for Rust. XdvParser::<T>::process may read from…
Browse all CWE-908 (Use of Uninitialized Resource) vulnerabilities →