‘Critical’ Citrix NetScaler Vulnerability Now Seeing Exploitation: CISA

The U.S. cybersecurity agency ordered Federal Civilian Executive Branch agencies to implement fixes for the issue by end of day Friday.

A critical-severity vulnerability affecting two Citrix NetScaler products has seen exploitation in cyberattacks, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

The flaw — tracked as CVE-2025-5777 — was added on Thursday to CISA’s catalog of vulnerabilities known to have seen exploitation. It impacts Citrix NetScaler ADC (Application Delivery Controller) and Citrix NetScaler Gateway.

Notably, CISA ordered Federal Civilian Executive Branch agencies to implement fixes for the issue by end of day Friday, suggesting a probability of further exploitation by threat actors.

“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA said in an advisory about the vulnerability.

While the order only applies to Federal Civilian Executive Branch agencies, CISA “strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of [such] vulnerabilities as part of their vulnerability management practice,” the agency said.

The Citrix NetScaler vulnerability has received a “critical” severity rating of 9.3 out of 10.0.

Patches have been available from Citrix for the out-of-bounds read vulnerability since June 17, when the company issued an advisory that “strongly urges affected customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions as soon as possible.”

CRN has reached out to Citrix for further comment.

Well-known security researcher Kevin Beaumont has referred to the vulnerability as “CitrixBleed 2,” given similarities to the widely exploited “Citrix Bleed” flaw of 2023.

In a June 26 post, threat researchers from ReliaQuest reported having “medium confidence that attackers are actively exploiting this vulnerability to gain initial access to targeted environments.”