Security alert Citrix NetScaler CVE-2025-5777: Stormshield Products Response

Published on: 09 07 2025

Author: Stormshield Customer Security Lab

2 minutes

A critical vulnerability impacting Citrix NetScaler has been reported. It has been assigned the reference CVE-2025- 5777 and a CVSS 3.1 score of 9.3.

It should be noted that proof of concept are publicly public. The following versions are impacted :

NetScaler ADC and NetScaler Gateway 14.1-43.56 and later releases,
NetScaler ADC and NetScaler Gateway 13.1-58.32 and later releases of 13.1,
NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.235 and later releases of 13.1-FIPS and 13.1-NDcPP,
NetScaler ADC 12.1-FIPS 12.1-55.328 and later releases of 12.1-FIPS.

Initial vector attack of the Citrix vulnerability

The vulnerability CVE-2025-5777 allows an unauthenticated attacker to retrieve a fragment of the server’s memory.

Technical details of the Citrix vulnerability

The vulnerability relies on a missing check for an empty parameter on a HTTP request. The appliance is vulnerable only if it is configured on Gateway mode (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.

A memory fragment is leaked by the server. The attacker can resend as many request as he wants and therefore retrieve large amounts of data.

Attack modelling with MITRE ATT&CK

MITRE ATT&CK

T1190: Exploit Public-Facing Application
T1005: Data from local system

How to protect against the Citrix vulnerability with Stormshield Network Security

Protection against CVE-2025-5777

Stormshield Network Security (SNS) firewalls detect and block exploitation of CVE-2025-5777 with the following IPS signature:

http:client:data.190: Exploitation of a Citrix Netscaler Memory Disclosure (CVE-2025-5777)

For this protection to be efficient, the traffic must be decrypted.

Confidence index for the protection offered by Stormshield

Confidence index for the absence of false positives

Recommandations regarding the Citrix vulnerability

It is highly recommended to update the Netscaler server to one of those versions:

NetScaler ADC and NetScaler Gateway 14.1-43.56,
NetScaler ADC and NetScaler Gateway 13.1-58.32,
NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.235,
NetScaler ADC 12.1-FIPS 12.1-55.328.

After the update, it is recommended to terminate all active ICA and PCoIP sessions:

kill icaconnection -all
kill pcoipConnection -all

Tags : Cybersecurity - by Stormshield

Share on

[juiz_sps buttons="facebook, twitter, linkedin, mail"]

About the author

Stormshield Customer Security Lab

Last articles

Security alert SAP CVE-2025-31324: Stormshield Products Response

30 04 2025

Security alert Next.js CVE-2025-29927: Stormshield Products Response

26 03 2025

Security alert CVE-2025-25064: Stormshield Products Response

20 02 2025

See all articles from Alert

Read more

Alert

30 04 2025 Security alert SAP CVE-2025-31324: Stormshield Products Response

Corporate

28 04 2025 Firewall robustness: a key factor in providing protection against cyberattacks

Opinion articles

21 04 2025 Cyber-risks in the water sector: modernise and segment to protect yourself