The Register

Citrix bleeds again: This time a zero-day exploited – patch now

Hot on the heels of patching a critical bug in Citrix-owned NetScaler ADC and NetScaler Gateway that one security researcher dubbed “CitrixBleed 2,” the embattled networking device vendor today issued an emergency patch for yet another super-serious flaw in the same products — but not before criminals found and exploited it as a zero-day.

This new critical vulnerability, tracked as CVE-2025-6543, received a 9.2 severity score. It’s a memory overflow vulnerability that can lead to unintended control flow and denial of service when the affected security appliances are configured as a gateway virtual server or an authentication, authorization, and accounting (AAA) virtual server.

It affects:

  • NetScaler ADC and NetScaler Gateway 14.1 before 14.1-47.46
  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-59.19
  • NetScaler ADC 13.1-FIPS and NDcPP before 13.1-37.236-FIPS and NDcPP
  • End-of-life NetScaler ADC and Gateway versions 12.1 and 13.0 (NetScaler ADC 12.1-FIPS is not affected)
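The first question for anyone running these appliances is which ones in their inventory fall inside the ranges above. The Python below is an added illustration, not code from Citrix or from The Register: it parses NetScaler version strings in the form the bulletin quotes (e.g. 14.1-47.46, 13.1-37.236-FIPS) and classifies each against the fixed builds listed. The version-string format is assumed from those examples, and the hostnames and inventory are constructed. The FIPS and NDcPP builds are treated as their own line, because their build numbers (37.x) are lower than the standard 13.1 fix (59.19) and a naive comparison would misclassify them.

```python
import re
from typing import Dict, List, Tuple

# Fixed builds taken from the affected-version list, keyed by
# (release branch, build line). "STD" is the standard NetScaler build line;
# "FIPS" covers both the 13.1-FIPS and 13.1-NDcPP builds, which the
# bulletin lists under one fixed build (13.1-37.236).
FIXED_BUILDS: Dict[Tuple[str, str], Tuple[int, int]] = {
    ("14.1", "STD"): (47, 46),
    ("13.1", "STD"): (59, 19),
    ("13.1", "FIPS"): (37, 236),
}

# End-of-life branches: listed as affected with no fixed build, except
# that 12.1-FIPS is explicitly called out as not affected.
EOL_BRANCHES = {"12.1", "13.0"}
EOL_NOT_AFFECTED = {("12.1", "FIPS")}

# Assumed format, derived from the version strings quoted in the bulletin:
# "<major>.<minor>-<build>.<sub>" with an optional "-FIPS" / "-NDcPP" suffix.
VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)(?:-(FIPS|NDcPP))?$", re.IGNORECASE)


def parse_version(version: str) -> Tuple[str, str, Tuple[int, int]]:
    """Split a NetScaler version string into (branch, line, (build, sub))."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {version!r}")
    branch, build, sub, suffix = m.groups()
    line = "FIPS" if suffix else "STD"
    return branch, line, (int(build), int(sub))


def assess(version: str) -> str:
    """Classify one version as 'affected', 'fixed', 'not_affected' or 'unknown'."""
    branch, line, build = parse_version(version)
    if (branch, line) in FIXED_BUILDS:
        # Builds compare as (build, sub) tuples, so 47.46 sorts above 47.9.
        return "fixed" if build >= FIXED_BUILDS[(branch, line)] else "affected"
    if branch in EOL_BRANCHES:
        return "not_affected" if (branch, line) in EOL_NOT_AFFECTED else "affected"
    return "unknown"


def affected_hosts(inventory: Dict[str, str]) -> List[str]:
    """Return, sorted, the hostnames whose reported version is affected."""
    return sorted(host for host, ver in inventory.items() if assess(ver) == "affected")


# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "ns-gw-01": "14.1-47.46",           # fixed build
    "ns-gw-02": "14.1-43.50",           # affected
    "ns-aaa-01": "13.1-59.19",          # fixed build
    "ns-aaa-02": "13.1-58.32",          # affected
    "ns-fips-01": "13.1-37.235-FIPS",   # affected: FIPS line compares against 37.236
    "ns-fips-02": "13.1-37.236-NDcPP",  # fixed
    "ns-legacy-01": "13.0-92.21",       # end-of-life, no fix available
    "ns-legacy-02": "12.1-55.321-FIPS", # 12.1-FIPS is listed as not affected
}

if __name__ == "__main__":
    for host, ver in SAMPLE_INVENTORY.items():
        print(f"{host:14} {ver:20} {assess(ver)}")
    print("affected:", affected_hosts(SAMPLE_INVENTORY))
```

A "fixed" verdict only means the build is no longer vulnerable to CVE-2025-6543; as Harris notes later in the piece, an appliance that was exposed before the upgrade may already have been backdoored, so the output is a patch worklist, not a clean bill of health.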

And, according to the vendor, miscreants exploited CVE-2025-6543 as a zero-day vulnerability before Citrix fixed the flaw.

“Exploits of CVE-2025-6543 on unmitigated appliances have been observed,” according to a security bulletin.

Citrix did not respond to The Register’s inquiries about the flaw, including how many devices have been compromised and what the intruders have done with their illicit access.

According to watchTowr CEO Benjamin Harris, however, the 9.2 critical CVSS rating and the fact that it was exploited as a zero-day indicate that the miscreants abusing this hole are doing more than just denial-of-service (DoS) attacks.

“The CVSS metrics reflect code execution or similar, not DoS as the most impactful outcome,” Harris told The Register. “Vulnerable appliances being observed to enter a ‘denial of service condition’ likely reflects failed exploitation, given the class of vulnerability being discussed here.

“As watchTowr has seen with other in-the-wild exploited vulnerabilities recently, the reality is, unfortunately, miserable,” he added. “Devices vulnerable right now may already be backdoored, and patching has not typically removed backdoors. We’ve seen this exact behavior with SAP NetWeaver, Ivanti’s EPMM, Fortinet Fortigate appliances and more.”

Citrix also has yet to respond to The Register’s questions about the earlier critical vulnerability, CVE-2025-5777, which affects the same products and can be exploited remotely and without any authentication.

This earlier vuln could let an attacker read session tokens or other sensitive information in memory from NetScaler devices that are configured as a gateway or AAA virtual server, along the lines of what we saw with CitrixBleed back in 2023.

To prevent exploitation of CVE-2025-5777, organizations must not only upgrade their NetScaler software, but also terminate all active ICA and PCoIP sessions after upgrading.

Mandiant Consulting Chief Technology Officer Charles Carmakal pointed this out in a LinkedIn post urging Citrix customers to patch both vulnerabilities “immediately.”

“Many organizations did not terminate sessions when remediating a similar vulnerability in 2023 (CVE-2023-4966 aka ‘Citrix Bleed’),” Carmakal said. “In those cases, session secrets were stolen before companies patched, and the sessions were hijacked after the patch. Many of those compromises resulted in nation-state espionage or ransomware deployment.”

While we don’t have any indication that the earlier CVE-2025-5777 is under active exploitation, as Harris told The Register yesterday: “In-the-wild exploitation will happen at some point, and organizations should be dealing with this as an IT incident — exploitation is not a matter of if, but when.” ®
