Researchers, CISA confirm active exploitation of critical Citrix Netscaler flaw
Researchers warn that hackers are exploiting a critical vulnerability in Citrix Netscaler, prompting concerns about widespread threat activity reminiscent of the wave of ransomware and state-linked attacks against Citrix customers in 2023.
The vulnerability, tracked as CVE-2025-5777, is caused by insufficient input validation, which can lead to memory overread when Netscaler is configured as a Gateway.
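To illustrate the vulnerability class named above (an unvalidated length leading to a memory over-read), here is an added example in C that is not Citrix code and does not reproduce the actual Netscaler defect; the handler, field names and memory layout are constructed assumptions. It shows a request handler that trusts a client-declared length beside one that bounds it by the bytes actually received, and why the first returns neighbouring memory in its reply.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed illustration of an out-of-bounds read caused by insufficient
 * input validation. NOT Netscaler code; names and layout are assumptions. */

/* Simulated process memory: a 5-byte request field followed by unrelated data
 * that must never leave the process (here a made-up session token). */
#define MEM_SIZE 64
#define FIELD_LEN 5
static const char mem[MEM_SIZE] = "user1" "\0" "SESSION=abc123;";

/* Vulnerable handler: copies as many bytes as the client *declared*, even
 * when fewer were received, so the reply carries whatever follows the field. */
size_t echo_field_unchecked(const char *field, size_t declared_len,
                            char *out, size_t out_cap)
{
    size_t n = declared_len < out_cap ? declared_len : out_cap;
    memcpy(out, field, n);   /* over-read when declared_len > bytes received */
    return n;
}

/* Hardened handler: the declared length is checked against the number of
 * bytes actually received and against the reply buffer before any copy. */
size_t echo_field_checked(const char *field, size_t received_len,
                          size_t declared_len, char *out, size_t out_cap)
{
    if (declared_len > received_len || declared_len > out_cap)
        return 0;            /* reject the request instead of guessing */
    memcpy(out, field, declared_len);
    return declared_len;
}

/* Byte-wise search for a marker inside a non-NUL-terminated reply buffer. */
static int contains(const char *buf, size_t n, const char *marker)
{
    size_t m = strlen(marker);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, marker, m) == 0)
            return 1;
    return 0;
}

/* A client declares 24 bytes for a 5-byte field. Returns the reply length if
 * the reply contains the neighbouring token (i.e. a leak), else 0. */
size_t demo_unchecked_leak(void)
{
    char out[32];
    size_t n = echo_field_unchecked(mem, 24, out, sizeof out);
    return contains(out, n, "SESSION=") ? n : 0;
}

/* Same request against the hardened handler: expected to be rejected (0). */
size_t demo_checked_rejects(void)
{
    char out[32];
    return echo_field_checked(mem, FIELD_LEN, 24, out, sizeof out);
}

/* A well-formed request (declared length matches received) is still served. */
size_t demo_checked_valid(void)
{
    char out[32];
    return echo_field_checked(mem, FIELD_LEN, FIELD_LEN, out, sizeof out);
}

int main(void)
{
    printf("unchecked handler leaked %zu bytes\n", demo_unchecked_leak());
    printf("checked handler returned %zu bytes for the bad request\n",
           demo_checked_rejects());
    printf("checked handler returned %zu bytes for the good request\n",
           demo_checked_valid());
    return 0;
}
```

The defensive point is the single comparison in `echo_field_checked`: a length supplied by the peer is data, not a fact, and must be reconciled with what the server itself measured before it drives a copy.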
Researchers warned in June that the vulnerability was similar to the one involved in the 2023 crisis, when major enterprise customers using Citrix Netscaler faced hacks that continued even after they applied mitigation measures.
Cyberattacks exploiting the new vulnerability appear to have begun during the final week of June, but Citrix has not publicly acknowledged any such activity.
“We have been seeing exploitation attempts of CVE-2025-5777 since June 26th,” said Piotr Kijewski, CEO at Shadowserver Foundation, who noted that his group’s findings are based on industry consensus.
The Cybersecurity and Infrastructure Security Agency on Thursday added CVE-2025-5777 to its catalog of known exploited vulnerabilities.
Researchers at Akamai have reported significant increases in scanning activity that align with releases of proofs of concept from watchTowr, Project Discovery and other research firms.
“We do see clear scanning and probing activity, but no definitive evidence of successful breach,” Akamai researcher Neeraj Pradeep said via email.
Citrix released guidance to address the vulnerability in June and defended its record of embracing security best practices. The company also acknowledged active exploitation of CVE-2025-6543, an unrelated vulnerability in the same product.
Researchers from Censys told Cybersecurity Dive that they had seen at least 288 potentially vulnerable hosts as of July 8.