Citrix Vulnerabilities Evoke Unpleasant Memories


Citrix struggles with several critical vulnerabilities in Netscaler ADC and Gateway. Is a second “Citrix Bleed” debacle looming?

On June 17, Citrix shared an update about two vulnerabilities in Netscaler ADC and Gateway, namely CVE-2025-5349 and CVE-2025-5777. With CVSS scores of 8.7 and 9.3, these are critical security flaws. Citrix is rather sparse with details, but both involve “out-of-bounds” memory reads that leak the memory of VPN servers to parties who should not have access to it.

In true Murphy’s Law fashion, a third vulnerability has since been added: CVE-2025-6543. This one also receives a high CVSS score (9.2) and should therefore not be taken lightly. Citrix also warns that the vulnerability is being actively exploited. It is a memory overflow that can crash affected devices outright, taking them out of service.

Affected Versions and Patches

The fact that Citrix openly communicates about the vulnerabilities means that a patch is available. The three vulnerabilities affect more or less the same versions of Netscaler ADC and Gateway:

  • Version 14.1 (older than 14.1-43.56)
  • Version 13.1 (older than 13.1-58.32)
  • NetScaler ADC 13.1-FIPS (older than 13.1-37.235-FIPS)
  • NetScaler ADC 12.1-FIPS (older than 12.1-55.328-FIPS)

Netscaler ADC 12.1 escapes CVE-2025-6543. Customers are advised to update their Netscaler devices as soon as possible to the versions in parentheses or newer. For full protection against CVE-2025-5349 and CVE-2025-5777, it is also recommended to terminate active sessions after patching with the NetScaler “kill” command, so that sessions established while the appliance was still vulnerable do not survive the update.
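To turn the version list above into something an operator can run against an inventory, here is a small checker written for this article (it is not Citrix code and not taken from the advisory). It parses NetScaler version strings in the “14.1-43.56” form used in the list as well as the “NS14.1: Build 43.56.nc” shape that the appliance prints, compares the build numerically against the fixed builds quoted above, and reports which of the three CVEs a given build is still exposed to. The version string formats, the sample inputs and the `assess`/`needs_patch` helper names are assumptions made for this example; the fixed build numbers and the note that 12.1 is not affected by CVE-2025-6543 come from the text.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Fixed builds as listed in the article. Keys are the NetScaler branch,
# with "-FIPS" appended for the FIPS builds.
FIXED_BUILDS = {
    "14.1": (43, 56),
    "13.1": (58, 32),
    "13.1-FIPS": (37, 235),
    "12.1-FIPS": (55, 328),
}

CVES = ("CVE-2025-5349", "CVE-2025-5777", "CVE-2025-6543")

# Assumed version string shapes: "14.1-43.56", "13.1-37.235-FIPS",
# or "NS14.1: Build 43.56.nc" as printed by the appliance.
_VERSION_RE = re.compile(
    r"^(?:NetScaler\s+)?(?:NS)?(\d+\.\d+)"  # branch, e.g. 14.1 or NS14.1
    r"(?:[-:]\s*(?:Build\s*)?)"             # "-" or ": Build " separator
    r"(\d+)\.(\d+)"                         # build major.minor, e.g. 43.56
    r"(?:\.nc)?"                            # optional ".nc" suffix
    r"(?:-?(FIPS))?$",                      # optional FIPS marker
    re.IGNORECASE,
)


@dataclass
class Assessment:
    branch: str
    build: Tuple[int, int]
    fixed_build: Optional[Tuple[int, int]]  # None: branch not in the advisory list
    affected_cves: Tuple[str, ...]          # empty: nothing to do


def parse_version(text: str) -> Tuple[str, Tuple[int, int]]:
    """Split a version string into (branch, (build_major, build_minor))."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {text!r}")
    branch, major, minor, fips = m.groups()
    if fips:
        branch = f"{branch}-FIPS"
    return branch, (int(major), int(minor))


def assess(text: str) -> Assessment:
    """Compare a build against the fixed builds and list the CVEs it is exposed to."""
    branch, build = parse_version(text)
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        # Branch is not among those the advisory lists; report it for manual review.
        return Assessment(branch, build, None, ())
    if build >= fixed:  # tuple comparison: (43, 56) >= (43, 56) is True
        return Assessment(branch, build, fixed, ())
    cves = CVES
    if branch.startswith("12.1"):
        # The article notes that NetScaler ADC 12.1 escapes CVE-2025-6543.
        cves = tuple(c for c in CVES if c != "CVE-2025-6543")
    return Assessment(branch, build, fixed, cves)


def needs_patch(text: str) -> bool:
    return bool(assess(text).affected_cves)


if __name__ == "__main__":
    # Constructed sample inventory, not real appliance data.
    inventory = {
        "gw-01": "NS14.1: Build 43.50.nc",
        "gw-02": "14.1-43.56",
        "gw-fips": "12.1-55.327-FIPS",
        "legacy": "13.0-92.21",
    }
    for host, version in inventory.items():
        a = assess(version)
        if a.fixed_build is None:
            print(f"{host}: {a.branch} build {a.build} not in advisory list, review manually")
        elif a.affected_cves:
            print(f"{host}: {a.branch} build {a.build} exposed to {', '.join(a.affected_cves)}")
        else:
            print(f"{host}: {a.branch} build {a.build} is at or above the fixed build")
```

Running the script over the constructed inventory flags `gw-01` and `gw-fips` for patching and leaves `gw-02` alone; a branch the advisory does not list is reported for manual review rather than silently declared safe. A clean result from this check only covers the patch level: the session termination step described above still has to be done separately.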

Citrix Bleed 2?

With a patch and a warning, the matter is settled for Citrix. Do you have a sense of déjà vu after reading this? You’re not alone. Security researcher Kevin Beaumont fears a new “Citrix Bleed” scenario.

In 2023, Citrix Netscaler was attacked on a massive scale through a zero-day vulnerability. Tens of thousands of organizations suffered attacks for months after the flaw was discovered. Patching alone proved insufficient to solve the problem. The scale of the current vulnerabilities is not yet known, but those who experienced Citrix Bleed two years ago should know to take swift action now.