
A critical vulnerability impacting Citrix NetScaler has been reported. It has been assigned the reference CVE-2025-5777 and a CVSS 3.1 score of 9.3.

It should be noted that proofs of concept are publicly available. The following versions are impacted:

  • NetScaler ADC and NetScaler Gateway 14.1-43.56 and later releases,
  • NetScaler ADC and NetScaler Gateway 13.1-58.32 and later releases of 13.1,
  • NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.235 and later releases of 13.1-FIPS and 13.1-NDcPP,
  • NetScaler ADC 12.1-FIPS 12.1-55.328 and later releases of 12.1-FIPS.

 

Initial attack vector of the Citrix vulnerability

The vulnerability CVE-2025-5777 allows an unauthenticated attacker to retrieve a fragment of the server’s memory.

 

Technical details of the Citrix vulnerability

The vulnerability relies on a missing check for an empty parameter in an HTTP request. The appliance is vulnerable only if it is configured in Gateway mode (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server.

Each request makes the server leak a memory fragment. The attacker can resend as many requests as they want and therefore retrieve large amounts of data.

 

Attack modelling with MITRE ATT&CK

MITRE ATT&CK

  • T1190: Exploit Public-Facing Application
  • T1005: Data from Local System

 

How to protect against the Citrix vulnerability with Stormshield Network Security

Protection against CVE-2025-5777

Stormshield Network Security (SNS) firewalls detect and block exploitation of CVE-2025-5777 with the following IPS signature:

  • http:client:data.190: Exploitation of a Citrix Netscaler Memory Disclosure (CVE-2025-5777)

For this protection to be effective, the traffic must be decrypted.

Confidence index for the protection offered by Stormshield

Confidence index for the absence of false positives

Recommendations regarding the Citrix vulnerability

It is highly recommended to update the NetScaler server to one of the following versions:

  • NetScaler ADC and NetScaler Gateway 14.1-43.56,
  • NetScaler ADC and NetScaler Gateway 13.1-58.32,
  • NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.235,
  • NetScaler ADC 12.1-FIPS 12.1-55.328.

After the update, it is recommended to terminate all active ICA and PCoIP sessions:

kill icaconnection -all
kill pcoipConnection -all
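
To track which appliances still need the update, the following added example (not part of the original advisory or of any Citrix or Stormshield tool) compares build strings against the update targets listed above. It assumes builds are written in the advisory's `release-major.minor` notation and that the operator knows whether an appliance runs a FIPS/NDcPP build; the function names and the sample inventory are hypothetical.

```python
import re

# Update targets copied from the advisory's recommendation list.
# Key: (release line, edition). "fips" stands for the FIPS and NDcPP builds.
UPDATE_TARGETS = {
    ("14.1", "standard"): (43, 56),
    ("13.1", "standard"): (58, 32),
    ("13.1", "fips"): (37, 235),
    ("12.1", "fips"): (55, 328),
}

# Build strings in the advisory's notation: <release>-<major>.<minor>
_BUILD_RE = re.compile(r"^\s*(\d+\.\d+)-(\d+)\.(\d+)\s*$")


def parse_build(text):
    """Split '14.1-43.56' into ('14.1', (43, 56)); reject anything else."""
    match = _BUILD_RE.match(text)
    if match is None:
        raise ValueError(f"unrecognised build string: {text!r}")
    return match.group(1), (int(match.group(2)), int(match.group(3)))


def check_build(build, edition="standard"):
    """Compare one build against the advisory's update target for its line."""
    release, number = parse_build(build)
    target = UPDATE_TARGETS.get((release, edition))
    if target is None:
        return "not-listed"  # line absent from the advisory: check the vendor bulletin
    # Tuples compare numerically, so 43.100 ranks above 43.56.
    return "at-or-above-target" if number >= target else "below-target"


def needs_attention(inventory):
    """Return hosts that are below target or on a line the advisory omits."""
    return sorted(
        host for host, (build, edition) in inventory.items()
        if check_build(build, edition) != "at-or-above-target"
    )


# Constructed inventory (hostnames and builds are made up for the example).
SAMPLE_INVENTORY = {
    "gw-paris": ("14.1-43.56", "standard"),
    "gw-lyon": ("14.1-38.53", "standard"),
    "adc-fips-1": ("13.1-37.234", "fips"),
    "adc-legacy": ("13.0-92.21", "standard"),
}

if __name__ == "__main__":
    for host in needs_attention(SAMPLE_INVENTORY):
        print(host, check_build(*SAMPLE_INVENTORY[host]))
```

Release lines that the advisory does not list are reported as `not-listed` rather than treated as safe, so they show up for manual review.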
