A critical vulnerability impacting Citrix NetScaler has been reported. It has been assigned the reference CVE-2025-5777 and a CVSS 3.1 score of 9.3.
It should be noted that proofs of concept are publicly available. The following versions are impacted:
- NetScaler ADC and NetScaler Gateway 14.1-43.56 and later releases,
- NetScaler ADC and NetScaler Gateway 13.1-58.32 and later releases of 13.1,
- NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.235 and later releases of 13.1-FIPS and 13.1-NDcPP,
- NetScaler ADC 12.1-FIPS 12.1-55.328 and later releases of 12.1-FIPS.
Initial attack vector of the Citrix vulnerability
The vulnerability CVE-2025-5777 allows an unauthenticated attacker to retrieve a fragment of the server’s memory.
Technical details of the Citrix vulnerability
The vulnerability relies on a missing check for an empty parameter in an HTTP request. The appliance is vulnerable only if it is configured in Gateway mode (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server.
A memory fragment is leaked by the server. The attacker can resend as many requests as they want and therefore retrieve large amounts of data.
Attack modelling with MITRE ATT&CK
MITRE ATT&CK
- T1190: Exploit Public-Facing Application
- T1005: Data from Local System
How to protect against the Citrix vulnerability with Stormshield Network Security
Protection against CVE-2025-5777
Stormshield Network Security (SNS) firewalls detect and block exploitation of CVE-2025-5777 with the following IPS signature:
- http:client:data.190: Exploitation of a Citrix Netscaler Memory Disclosure (CVE-2025-5777)
For this protection to be efficient, the traffic must be decrypted.
Confidence index for the protection offered by Stormshield
Confidence index for the absence of false positives
Recommendations regarding the Citrix vulnerability
It is highly recommended to update the NetScaler server to one of these versions:
- NetScaler ADC and NetScaler Gateway 14.1-43.56,
- NetScaler ADC and NetScaler Gateway 13.1-58.32,
- NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.235,
- NetScaler ADC 12.1-FIPS 12.1-55.328.
After the update, it is recommended to terminate all active ICA and PCoIP sessions:
kill icaconnection -all
kill pcoipConnection -all
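As an added triage helper (not Stormshield's or Citrix's own code), the script below parses NetScaler build strings, compares them against the fixed builds listed under Recommendations, and combines that with the Gateway/AAA condition from the technical details to decide whether an appliance is actually exposed. The flavour labels, the `assess` function and the "assume affected when the branch is unknown" rule are assumptions made for this example.

```python
import re
from typing import NamedTuple, Optional, Tuple

# Minimum fixed builds per branch, taken from the Recommendations section above.
# Key: (major.minor branch, flavour); flavour "" means the standard build.
FIXED_BUILDS = {
    ("14.1", ""): (43, 56),
    ("13.1", ""): (58, 32),
    ("13.1", "FIPS"): (37, 235),
    ("13.1", "NDcPP"): (37, 235),
    ("12.1", "FIPS"): (55, 328),
}

# NetScaler build strings look like "14.1-43.56": branch "14.1", build 43.56.
_VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")


class Assessment(NamedTuple):
    version_affected: bool  # build older than the fixed build of its branch
    exposed: bool           # affected AND Gateway mode / AAA vserver configured
    reason: str


def parse_build(version: str) -> Tuple[str, Tuple[int, int]]:
    """Split '14.1-43.56' into ('14.1', (43, 56)); raise on unknown formats."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler build string: {version!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def assess(version: str, flavour: str = "", gateway_or_aaa: bool = False) -> Assessment:
    """Decide whether an appliance is exposed to CVE-2025-5777.

    gateway_or_aaa: True when a VPN/ICA Proxy/CVPN/RDP Proxy vserver or an
    AAA vserver is configured (the advisory's precondition for exposure).
    """
    branch, build = parse_build(version)
    fixed: Optional[Tuple[int, int]] = FIXED_BUILDS.get((branch, flavour))
    if fixed is None:
        # Branch not in the advisory's table: assume affected until verified.
        label = flavour or "standard"
        return Assessment(True, gateway_or_aaa,
                          f"branch {branch} ({label}) not in fixed-build table")
    affected = build < fixed  # tuple comparison: major build, then minor
    if affected:
        reason = f"build {version} is older than fixed build {branch}-{fixed[0]}.{fixed[1]}"
    else:
        reason = f"build {version} is at or above the fixed build"
    return Assessment(affected, affected and gateway_or_aaa, reason)
```

A patched build with Gateway mode enabled reports not exposed, while an older build reports exposed only when Gateway mode or an AAA vserver is actually configured.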