Active exploitation detected on critical Citrix Netscaler vulnerability, according to research and verification by CISA
In a significant cybersecurity development, a critical vulnerability has been discovered in Citrix NetScaler ADC and Gateway systems, known as CVE-2025-5777. This vulnerability poses a significant risk to the security of federal civilian enterprises, according to Acting Executive Assistant Director for Cybersecurity Chris Butera.
The vulnerability, an out-of-bounds read caused by insufficient input validation, allows attackers to hijack user sessions and bypass authentication mechanisms, including multifactor authentication (MFA). Several cybersecurity agencies, including the Cybersecurity and Infrastructure Security Agency (CISA), have officially listed CVE-2025-5777 in their Known Exploited Vulnerabilities Catalog, indicating confirmed exploitation attempts in the wild.
Cyberattacks exploiting the new vulnerability began during the final week of June, and Akamai researchers have reported significant increases in scanning activity related to the exploitation of CVE-2025-5777. Researchers from Censys have identified at least 288 potentially vulnerable hosts as of July 8, and Piotr Kijewski, CEO at Shadowserver Foundation, has stated that his group has been seeing exploitation attempts of CVE-2025-5777 since June 26th.
Citrix has acknowledged active exploitation of an unrelated vulnerability in the same product, CVE-2025-6543. However, the company has not publicly acknowledged any such activity regarding CVE-2025-5777.
### Recommended Actions for Patching and Mitigation:
1. **Immediate Upgrading of Vulnerable Instances:** Citrix strongly urges users operating affected NetScaler ADC and Gateway devices to immediately install the recommended builds released by Cloud Software Group. The fix requires upgrading to specific releases/builds that include the patch for CVE-2025-5777.
2. **Two-Step Remediation Process via NetScaler Console:**
   - **Step 1:** Upgrade the vulnerable NetScaler instances using the NetScaler Console GUI, where vulnerable instances are listed and can be selected to "Proceed to upgrade workflow."
   - **Step 2:** Apply the required configuration commands through a customizable built-in configuration template available in configuration jobs in the console.
3. **Terminate Active Sessions:** To prevent session hijacking risks, Citrix recommends terminating active sessions after patching to mitigate further exploitation from previously hijacked session tokens.
4. **Monitor Security Advisories and Vendor Updates:** Stay current with Cloud Software Group and Citrix advisories for any follow-up patches or mitigation strategies for related vulnerabilities like CVE-2025-6543, which often coincide in affected modules.
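The following script is an added illustration of the triage behind steps 1 through 3, not code from Citrix or from this article: it parses the version line a NetScaler appliance prints, reports whether the build is below the fixed build for its release, and, once an appliance is patched, lists the session-termination step that must follow. The fixed-build numbers and the NetScaler CLI commands are assumptions that must be confirmed against the current Citrix advisory; the version strings are constructed samples.

```python
import re
from typing import NamedTuple

# Fixed build per NetScaler release line. These numbers are NOT stated in the
# article; treat them as placeholders and replace them with the builds named
# in the current Citrix advisory for CVE-2025-5777.
FIXED_BUILDS = {
    "14.1": (43, 56),
    "13.1": (58, 32),
}

# CLI commands run after upgrading so that session tokens issued before the
# patch cannot be reused (assumed from vendor guidance; confirm the exact list
# for your release in the advisory).
SESSION_TERMINATION = [
    "kill icaconnection -all",
    "kill aaa session -all",
    "clear lb persistentSessions",
]

# "show ns version" prints e.g. "NetScaler NS14.1: Build 43.56.nc, Date: ..."
VERSION_RE = re.compile(r"NetScaler NS(?P<rel>\d+\.\d+): Build (?P<maj>\d+)\.(?P<min>\d+)")

class Assessment(NamedTuple):
    status: str        # "vulnerable", "patched" or "unknown"
    detail: str
    next_steps: list

def parse_version(text: str):
    """Return (release, (build_major, build_minor)) or None if unrecognised."""
    m = VERSION_RE.search(text)
    if m is None:
        return None
    return m.group("rel"), (int(m.group("maj")), int(m.group("min")))

def assess(show_version_output: str) -> Assessment:
    parsed = parse_version(show_version_output)
    if parsed is None:
        return Assessment("unknown", "version line not recognised", [])
    release, build = parsed
    fixed = FIXED_BUILDS.get(release)
    if fixed is None:
        return Assessment("unknown", f"release {release} not in fixed-build table", [])
    if build < fixed:   # tuple comparison: (43, 50) < (43, 56)
        return Assessment("vulnerable",
                          f"{release} build {build[0]}.{build[1]} is below fixed build {fixed[0]}.{fixed[1]}",
                          ["step 1: upgrade to the fixed build", "step 2: terminate sessions after upgrade"])
    return Assessment("patched",
                      f"{release} build {build[0]}.{build[1]} is at or above the fixed build",
                      ["step 2: terminate sessions"] + SESSION_TERMINATION)
```

Feed it the output of `show ns version` from each appliance in your inventory; a "patched" result still means the session-termination commands have to be run, because the upgrade alone does not invalidate tokens that were stolen beforehand.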
Organizations using Citrix NetScaler ADC or Gateway should immediately prioritize upgrading to the latest patched builds according to Citrix's two-step remediation workflow and terminate active sessions to prevent ongoing exploitation of CVE-2025-5777. This proactive patching and session management is essential to mitigate a critical and actively exploited vulnerability.
Citrix has defended its record of embracing security best practices, but the discovery of this vulnerability underscores the importance of vigilance in maintaining cybersecurity. CISA is urging all other organizations to patch their systems as well, emphasizing the urgency of addressing this critical security issue.
- The ongoing cybersecurity concern, CVE-2025-5777, poses a significant risk to organizations using Citrix NetScaler ADC and Gateway, as it allows for session hijacking and bypasses authentication mechanisms, even multifactor authentication (MFA).
- To mitigate the threat posed by this actively exploited vulnerability, it's crucial for organizations to prioritize upgrading to the latest patched builds according to Citrix's two-step remediation process and terminate active sessions to minimize the potential for further exploitation.