Critical memory overread vulnerability in NetScaler ADC/Gateway allowing unauthenticated remote attackers to read sensitive memory contents including session tokens. Actively exploited in the wild with CISA KEV listing.
Data Source: CIRCL
Confidence: HIGH
Exploitation Method: DIRECT_NETWORK
CVE Published: 2025-06-17
Added to CISA KEV: 2025-07-10 (23 days between CVE publication and KEV listing)
CVE-2025-5777, also known as "CitrixBleed 2," is a critical vulnerability affecting Citrix NetScaler ADC and Gateway systems [1][2].
Here's a breakdown of what is known about its exploitation:
1. Affected Applications/Services: The vulnerability affects internet-facing NetScaler ADC and Gateway systems [3][4], but only when the appliance is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server [5]; appliances without either role are not exposed to this code path.
2. Active Exploitation: There is strong evidence of active exploitation in the wild [6][1], with reports indicating exploitation even before public proof-of-concept (PoC) exploits were released [1][7].
3. Attack Vectors and Exploitation Methods:
- The vulnerability is an out-of-bounds read (memory overread) caused by insufficient input validation [8][6].
- An unauthenticated attacker can retrieve sensitive memory contents, including session tokens [9][10]. A stolen token lets the attacker replay an already-authenticated session, which is why the flaw is described as enabling session hijacking and MFA bypass: the MFA check was completed by the legitimate user, and the hijacked session inherits it [10].
- Some reports also list remote code execution and denial of service as possible consequences [11]; the flaw itself, however, is a memory disclosure, and the confirmed in-the-wild impact is token theft followed by session hijacking.
- Attackers first locate internet-exposed NetScaler devices, then exploit the flaw against them [4].
4. Targeted Attacks: The vulnerability has been leveraged in targeted attacks [12] and is associated with ransomware campaigns [13].
5. CISA KEV Status: CVE-2025-5777 was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on July 10, 2025 [13][14], with an unusually short remediation window: Federal Civilian Executive Branch (FCEB) agencies were required to apply mitigations by the end of July 11, 2025 [15]. Installing the fixed build does not invalidate session tokens that were already leaked, so Citrix's advisory also recommends terminating active ICA and PCoIP sessions after upgrading (kill icaconnection -all and kill pcoipConnection -all).
6. Technical Details:
- It is a pre-authentication remote memory disclosure vulnerability [16] with a CVSS score of 9.3 (Critical) [17].
- Exploitation involves identifying internet-exposed NetScaler devices and using the memory leak to obtain session material that grants unauthorized access [4].
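To make the bug class concrete, the following is an added example, not Citrix's code and not taken from any of the cited reports: a hypothetical form-field parser in C, shown first in a vulnerable form that copies a fixed number of bytes after a field name without checking that an "=" and a value are actually present, and then in a hardened form that validates the pair and bounds the copy. The contiguous "region" buffer, the field name, the stale session token placed after the request body and all buffer sizes are assumptions constructed for the demo; they stand in for the request buffer and whatever leftover memory happens to follow it.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical login-handler code (not Citrix's): parse "name=value" pairs
 * from a request body and echo the submitted value back in the response. */

#define FIELD_MAX 32

/* VULNERABLE: trusts that '=' and a value follow the field name and copies a
 * fixed FIELD_MAX bytes after the name, whether or not the body is that long.
 * If the body is just "login" (no '=' and no value), the copy starts past the
 * end of the body and returns whatever bytes happen to sit in memory after it. */
static size_t echo_field_vulnerable(const char *body, const char *name,
                                    char *out, size_t outlen)
{
    const char *p = strstr(body, name);
    if (p == NULL || outlen == 0)
        return 0;
    const char *value = p + strlen(name) + 1;      /* assumes '=' is here */
    size_t n = (size_t)FIELD_MAX < outlen - 1 ? (size_t)FIELD_MAX : outlen - 1;
    memcpy(out, value, n);                           /* no check against body end */
    out[n] = '\0';
    return n;
}

/* HARDENED: requires '=' directly after the name, measures the value up to the
 * next '&' or the terminating NUL, and never copies more than that or outlen-1. */
static size_t echo_field_hardened(const char *body, const char *name,
                                  char *out, size_t outlen)
{
    if (outlen == 0)
        return 0;
    size_t namelen = strlen(name);
    const char *p = strstr(body, name);
    if (p == NULL || p[namelen] != '=') {            /* field absent or malformed */
        out[0] = '\0';
        return 0;
    }
    const char *value = p + namelen + 1;
    size_t vlen = strcspn(value, "&");               /* stops at '&' or NUL */
    if (vlen > outlen - 1)
        vlen = outlen - 1;
    memcpy(out, value, vlen);
    out[vlen] = '\0';
    return vlen;
}

/* Constructed memory layout for the demo: one contiguous buffer stands in for
 * the request buffer and the memory that follows it, where a stale session
 * token from an earlier request is still lying around. Keeping both in one
 * array makes the over-read deterministic and well defined for the demo. */
#define REGION_SIZE 64
#define STALE_TOKEN "SESSIONID=3fd1c0ffee9a"   /* constructed sample value */

static void build_region(char *region, const char *body)
{
    memset(region, 0, REGION_SIZE);
    memcpy(region, body, strlen(body));                     /* body at offset 0 */
    memcpy(region + 8, STALE_TOKEN, strlen(STALE_TOKEN));   /* leftover token after it */
}

/* Byte-range search: leaked data may contain NUL bytes, so scan n bytes
 * rather than treating the output as a C string. */
static int contains_bytes(const char *hay, size_t haylen,
                          const char *needle, size_t nlen)
{
    if (nlen == 0 || haylen < nlen)
        return 0;
    for (size_t i = 0; i + nlen <= haylen; i++)
        if (memcmp(hay + i, needle, nlen) == 0)
            return 1;
    return 0;
}

/* Feed the malformed request ("login" with no '=' and no value) through one
 * parser and report whether the stale token shows up in what it would echo. */
static int leaks_stale_token(size_t (*parse)(const char *, const char *, char *, size_t))
{
    char region[REGION_SIZE];
    char out[64];
    build_region(region, "login");
    size_t n = parse(region, "login", out, sizeof out);
    return contains_bytes(out, n, STALE_TOKEN, strlen(STALE_TOKEN));
}

int vulnerable_leaks_token(void) { return leaks_stale_token(echo_field_vulnerable); }
int hardened_leaks_token(void)   { return leaks_stale_token(echo_field_hardened); }

/* Well-formed input: the hardened parser still echoes exactly the value ("alice"). */
size_t hardened_echo_len(void)
{
    char out[64];
    return echo_field_hardened("login=alice&passwd=x", "login", out, sizeof out);
}

int main(void)
{
    printf("vulnerable parser leaks stale token: %d\n", vulnerable_leaks_token());
    printf("hardened parser leaks stale token:   %d\n", hardened_leaks_token());
    printf("hardened echo length for well-formed input: %zu\n", hardened_echo_len());
    return 0;
}
```

The hardened variant fixes the two separate mistakes: it refuses a field with no "=" instead of guessing where the value starts, and it derives the copy length from the input rather than from a constant, so a short or malformed body can never pull in bytes that belong to another request.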
With PoC exploits for CVE-2025-5777 (aka CitrixBleed 2) now public and reports of active exploitation of the flaw since mid-June, you should check whether your Citrix NetScaler ADC and/or Gateway instances have been probed and compromised by attackers.
Citrix has fixed a critical vulnerability (CVE-2025-5777) in NetScaler ADC and Gateway that's reminiscent of the infamous CitrixBleed flaw.
In MITRE ATT&CK terms, the vulnerability maps to the Initial Access tactic, with the primary technique being Exploit Public-Facing Application (T1190). Additionally ...
To exploit the CVE-2025-5777 vulnerability, cyber attackers first identify NetScaler devices exposed on the internet.
NVD description for CVE-2025-5777: Insufficient input validation leading to memory overread when the NetScaler is configured as a Gateway (VPN virtual server, ...