CVE-2025-5777

NetScaler ADC and NetScaler Gateway - Insufficient input validation leading to memory overread

Basic Information

CVE State
PUBLISHED
Reserved Date
June 06, 2025
Published Date
June 17, 2025
Last Updated
July 17, 2025
Vendor
NetScaler
Product
ADC, Gateway
Description
Insufficient input validation leading to memory overread when the NetScaler is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server
Tags
cisa nuclei_scanner

CVSS Scores

CVSS v4.0

9.3 - CRITICAL

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L

EPSS Score

Score
18.93% (Percentile: 95.01%) as of 2025-07-17

SSVC Information

Exploitation
active
Automatable
Yes
Technical Impact
total

Exploit Status

Exploited in the Wild
Yes (2025-07-03 00:00:00 UTC)

Known Exploited Vulnerability Information

Source
The Shadowserver (via CIRCL)
Added Date
2025-07-04 12:00:14 UTC

Recent Mentions

Citrix Bleed 2 exploited weeks before PoCs as Citrix denied attacks

Source: BleepingComputer • Published: 2025-07-17 23:37:34 UTC

A critical Citrix NetScaler vulnerability, tracked as CVE-2025-5777 and dubbed "CitrixBleed 2," was actively exploited nearly two weeks before proof-of-concept (PoC) exploits were made public, despite Citrix stating that there was no evidence of attacks. [...]

Exploitation of CitrixBleed 2 (CVE-2025-5777) Began Before PoC Was Public

Source: GreyNoise • Published: 2025-07-16 00:00:00 UTC

GreyNoise has observed active exploitation attempts against CVE-2025-5777 (CitrixBleed 2), a memory overread vulnerability in Citrix NetScaler. Exploitation began on June 23 — nearly two weeks before a public proof-of-concept was released on July 4. 

CISA tags Citrix Bleed 2 as exploited, gives agencies a day to patch

Source: BleepingComputer • Published: 2025-07-11 14:45:57 UTC

The U.S. Cybersecurity & Infrastructure Security Agency has confirmed active exploitation of the CitrixBleed 2 vulnerability (CVE-2025-5777) in Citrix NetScaler ADC and Gateway and is giving federal agencies one day to apply fixes. [...]
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a critical security flaw impacting Citrix NetScaler ADC and Gateway to its Known Exploited Vulnerabilities (KEV) catalog, officially confirming the vulnerability has been weaponized in the wild. The shortcoming in question is CVE-2025-5777 (CVSS score: 9.3), an instance of insufficient input validation that

Public exploits released for CitrixBleed 2 NetScaler flaw, patch now

Source: BleepingComputer • Published: 2025-07-07 22:57:37 UTC

Researchers have released proof-of-concept (PoC) exploits for a critical Citrix NetScaler vulnerability, tracked as CVE-2025-5777 and dubbed CitrixBleed2, warning that the flaw is easily exploitable and can successfully steal user session tokens. [...]

CVE-2025-5777: CitrixBleed 2 Write-Up… Maybe?

Source: Horizon3.ai Attack Research • Published: 2025-07-07 13:29:17 UTC

Background and Confusion On June 17, 2025, Citrix published an advisory detailing CVE-2025-5777 and CVE-2025-5349. Affected products include: On June 25, 2025, they also published an advisory detailing CVE-2025-6543. Affected products include: Of the three vulnerabilities, two of them have been receiving a bit of buzz: While we’ve developed a working exploit for one of […]
Before you dive into our latest diatribe, indulge us and join us on a journey. Sit in your chair, stand at your desk, lick your phone screen - close your eyes and imagine a world in which things are great. It’s sunny outside, the birds are chirping, and

CVE-2025-5777

Source: Horizon3.ai Attack Research • Published: 2025-07-03 12:25:37 UTC

Citrix NetScaler Buffer Overread Vulnerability

Citrix Bleed 2 flaw now believed to be exploited in attacks

Source: BleepingComputer • Published: 2025-06-27 14:18:09 UTC

A critical NetScaler ADC and Gateway vulnerability dubbed "Citrix Bleed 2" (CVE-2025-5777) is now likely exploited in attacks, according to cybersecurity firm ReliaQuest, seeing an increase in suspicious sessions on Citrix devices. [...]
On June 23, 2025, Citrix updated the scope of a previously disclosed vulnerability—CVE-2025-5777—to clarify that it affects NetScaler devices configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server. CVE-2025-5777, originally disclosed on June 17, is a critical-severity out-of-bounds read caused by insufficient input validation. It has been labeled ... CVE-2025-5777: Critical Information Disclosure Vulnerability “Citrix Bleed 2” in Citrix NetScaler ADC and Gateway

Scanner Integrations

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Added to KEVIntel

  • Detected by Nuclei