CVE-2025-5777
Published: 17 June 2025
Summary
CVE-2025-5777 is a critical-severity Out-of-bounds Read (CWE-125) vulnerability in Citrix NetScaler Application Delivery Controller. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 1.5% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-5777 is an insufficient input validation flaw that produces a memory overread (CWE-125) on Citrix NetScaler appliances when they are configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, or RDP Proxy) or as an AAA virtual server. The issue also involves use of uninitialized resources (CWE-908, CWE-457). It carries a CVSS 4.0 score of 9.3 and affects the NetScaler data plane when these specific virtual-server roles are active.
Unauthenticated remote attackers can send crafted requests over the network to trigger the overread, enabling them to disclose sensitive memory contents. Successful exploitation can yield session tokens, credentials, or other internal data that facilitate further compromise of the gateway or backend systems.
Citrix addresses the flaw in security bulletin CTX693420, which directs administrators to apply the listed firmware updates for the affected NetScaler versions. Public write-ups from watchTowr and Horizon3, along with the dedicated citrixbleed.com site, detail the memory-disclosure mechanics and confirm that exploitation has been observed in the wild; CISA has added the CVE to its Known Exploited Vulnerabilities catalog and required federal agencies to patch within one day. The EPSS score rose sharply from a low baseline to a peak of 0.8073 on 2026-02-03 before receding, indicating that active exploitation interest developed after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-18497
Vulnerability details
Insufficient input validation leading to memory overread when the NetScaler is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server
- CWE(s): CWE-125, CWE-908, CWE-457
- KEV Date Added: 10 July 2025
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The memory overread vulnerability (CitrixBleed 2) in NetScaler Gateway (VPN, ICA/CVPN/RDP Proxy) and AAA virtual servers enables exploitation of public-facing applications and remote services (T1190, T1210), and facilitates credential dumping from process memory handling authentication (T1003).
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly requires validation of all inputs to the NetScaler Gateway/AAA virtual servers, blocking the crafted requests that trigger the memory overread.
- SI-2 (Flaw Remediation): Mandates rapid application of the vendor patch (CTX693420) that eliminates the insufficient input validation flaw being actively exploited.
- Enforces boundary filtering and traffic inspection at the VPN/AAA virtual servers to drop unauthenticated malicious requests before they reach the vulnerable input paths.