Critical vulnerability in Citrix Netscaler raises specter of exploitation wave

A critical vulnerability in Citrix Netscaler is raising concerns that hackers will launch a wave of attacks rivaling or even surpassing the exploitation seen during the “CitrixBleed” crisis in 2023. 

The vulnerability, tracked as CVE-2025-5777, involves insufficient input validation that can lead to a memory overread when Netscaler is configured as a Gateway. The vulnerability has a CVSS severity score of 9.3. 
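The bug class named above, insufficient input validation leading to a memory overread, is easy to misjudge because the faulty code often does contain a bounds check, just the wrong one. The following is an added, constructed illustration of that pattern, not Netscaler code and not a description of how CVE-2025-5777 itself works: a reused request buffer (`stage_buffer`), a handler that validates a client-declared length against the buffer's capacity but not against the bytes actually received (`echo_vulnerable`), and the corrected handler (`echo_hardened`). All names, the 64-byte buffer and the "STALE-TOKEN" residue are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64

/* Constructed scenario (not NetScaler code): a request buffer that is reused
 * between connections. An earlier request left a session token in it; the
 * current request overwrote only the first 8 bytes. */
static void stage_buffer(char buf[BUF_SIZE]) {
    memset(buf, 'A', BUF_SIZE);                         /* old request padding */
    memcpy(buf + 32, "session=STALE-TOKEN-1234", 24);   /* old request's secret */
    memcpy(buf, "user=bob", 8);                         /* current request body */
}

/* Vulnerable: the declared length is checked against the buffer's capacity
 * but not against recv_len, the number of bytes actually received. The copy
 * stays inside the allocation (no crash, nothing for a sanitizer to catch)
 * yet returns bytes the current client never sent. */
int echo_vulnerable(const char buf[BUF_SIZE], size_t recv_len,
                    size_t declared_len, char out[BUF_SIZE + 1]) {
    (void)recv_len;                          /* the missing validation */
    if (declared_len > BUF_SIZE) return -1;  /* the only check present */
    memcpy(out, buf, declared_len);
    out[declared_len] = '\0';
    return (int)declared_len;
}

/* Hardened: a client may not ask for more than it sent. */
int echo_hardened(const char buf[BUF_SIZE], size_t recv_len,
                  size_t declared_len, char out[BUF_SIZE + 1]) {
    if (declared_len > BUF_SIZE || declared_len > recv_len) return -1;
    memcpy(out, buf, declared_len);
    out[declared_len] = '\0';
    return (int)declared_len;
}

/* Runs one request through either handler and returns the handler's result
 * (bytes echoed, or -1 if the request was rejected). */
int echo_result(int hardened, size_t recv_len, size_t declared_len) {
    char buf[BUF_SIZE];
    char out[BUF_SIZE + 1];
    stage_buffer(buf);
    return hardened ? echo_hardened(buf, recv_len, declared_len, out)
                    : echo_vulnerable(buf, recv_len, declared_len, out);
}

/* Sends 8 bytes while declaring 64, then reports whether the response
 * contains the previous session's token. */
int leaks_stale_token(int hardened) {
    char buf[BUF_SIZE];
    char out[BUF_SIZE + 1];
    stage_buffer(buf);
    int n = hardened ? echo_hardened(buf, 8, BUF_SIZE, out)
                     : echo_vulnerable(buf, 8, BUF_SIZE, out);
    if (n < 0) return 0;                     /* request rejected: no leak */
    return strstr(out, "STALE-TOKEN") != NULL;
}

int main(void) {
    printf("vulnerable handler leaks stale token: %s\n",
           leaks_stale_token(0) ? "yes" : "no");
    printf("hardened handler leaks stale token:   %s\n",
           leaks_stale_token(1) ? "yes" : "no");
    return 0;
}
```

The point for a reviewer: a check against `sizeof(buf)` looks like bounds checking, but the trust boundary is the number of bytes the peer actually supplied, and everything past that is whatever the allocator or a previous connection left behind.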

Security researchers said that while they have seen no active exploitation thus far, the vulnerability needs to be carefully monitored and they fully expect to see malicious actors take advantage of the flaw. 

“CVE-2025-5777 is shaping up to be every bit as serious as CitrixBleed, a vulnerability that caused havoc for end-users of Citrix Netscaler appliances in 2023 and beyond as the initial breach vector for numerous high-profile incidents,” Benjamin Harris, CEO at watchTowr, told Cybersecurity Dive via email. 

Harris noted that key details about the risk have quietly evolved since the initial disclosure, particularly regarding initial claims that the flaw was found in the less-exposed management interface. That language has now been removed, Harris said, making the vulnerability more dangerous than originally known.

Security researcher Kevin Beaumont also warned that the vulnerability could rival the exploitation risk seen during the original CitrixBleed crisis, in which attackers exploited a vulnerability tracked as CVE-2023-4966. 

The affected products are the same ones involved in the CitrixBleed event, which involved widespread nation-state and cyber-criminal exploitation, most prominently by the hacker gang dubbed LockBit 3.0.

Those attacks affected a number of prominent companies, including Boeing

The Cybersecurity and Infrastructure Security Agency released guidance on Tuesday urging critical infrastructure organizations to adopt the use of memory-safe programming languages, which can reduce the prevalence of similar vulnerabilities.

Cloud Software Group recently recommended that all customers immediately upgrade to secure versions of Netscaler ADC and Netscaler Gateway.

In a security bulletin on its help site, Citrix noted that versions 12.1 and 13.0 of the two affected products have reached end-of-life status, remain vulnerable, and must be upgraded immediately to a supported, fixed release.

Officials from the Australian Signals Directorate last week urged security teams to immediately upgrade their systems to secure versions of the two products.
