By using this site, you agree to the Privacy Policy and Terms of Use.
Accept
World of SoftwareWorld of SoftwareWorld of Software
  • News
  • Software
  • Mobile
  • Computing
  • Gaming
  • Videos
  • More
    • Gadget
    • Web Stories
    • Trending
    • Press Release
Search
  • Privacy
  • Terms
  • Advertise
  • Contact
Copyright © All Rights Reserved. World of Software.
Reading: CISA Adds Citrix NetScaler CVE-2025-5777 to KEV Catalog as Active Exploits Target Enterprises
Share
Sign In
Notification Show More
Font ResizerAa
World of SoftwareWorld of Software
Font ResizerAa
  • Software
  • Mobile
  • Computing
  • Gadget
  • Gaming
  • Videos
Search
  • News
  • Software
  • Mobile
  • Computing
  • Gaming
  • Videos
  • More
    • Gadget
    • Web Stories
    • Trending
    • Press Release
Have an existing account? Sign In
Follow US
  • Privacy
  • Terms
  • Advertise
  • Contact
Copyright © All Rights Reserved. World of Software.
World of Software > Computing > CISA Adds Citrix NetScaler CVE-2025-5777 to KEV Catalog as Active Exploits Target Enterprises
Computing

CISA Adds Citrix NetScaler CVE-2025-5777 to KEV Catalog as Active Exploits Target Enterprises

News Room
Last updated: 2025/07/11 at 1:30 AM
News Room Published 11 July 2025
Share
SHARE

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a critical security flaw impacting Citrix NetScaler ADC and Gateway to its Known Exploited Vulnerabilities (KEV) catalog, officially confirming the vulnerability has been weaponized in the wild.

The shortcoming in question is CVE-2025-5777 (CVSS score: 9.3), an instance of insufficient input validation that could be exploited by an attacker to bypass authentication when the appliance is configured as a Gateway or AAA virtual server. It’s also called Citrix Bleed 2 owing to its similarities with Citrix Bleed (CVE-2023-4966).

“Citrix NetScaler ADC and Gateway contain an out-of-bounds read vulnerability due to insufficient input validation,” the agency said. “This vulnerability can lead to memory overread when the NetScaler is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server.”

Cybersecurity

Although multiple security vendors have since reported that the flaw has been exploited in real-world attacks, Citrix has yet to update its own advisories to reflect this aspect. As of June 26, 2025, Anil Shetty, senior vice president of engineering at NetScaler, said, “there is no evidence to suggest exploitation of CVE-2025-5777.”

However, security researcher Kevin Beaumont, in a report published this week, said the Citrix Bleed 2 exploitation started as far back as mid-June, adding one of the IP addresses carrying out the attacks has been previously linked to RansomHub ransomware activity.

Data from GreyNoise shows that exploitation efforts are originating from 10 unique malicious IP addresses located in Bulgaria, the United States, China, Egypt, and Finland over the past 30 days. The primary targets of these efforts are the United States, France, Germany, India, and Italy.

The addition of CVE-2025-5777 to the KEV catalog comes as another flaw in the same product (CVE-2025-6543, CVSS score: 9.2) has also come under active exploitation in the wild. CISA added the flaw to the KEV catalog on June 30, 2025.

“The term ‘Citrix Bleed’ is used because the memory leak can be triggered repeatedly by sending the same payload, with each attempt leaking a new chunk of stack memory — effectively ‘bleeding’ sensitive information,” Akamai said, warning of a “drastic increase of vulnerability scanner traffic” after exploit details became public.

“This flaw can have dire consequences, considering that the affected devices can be configured as VPNs, proxies, or AAA virtual servers. Session tokens and other sensitive data can be exposed — potentially enabling unauthorized access to internal applications, VPNs, data center networks, and internal networks.”

Because these appliances often serve as centralized entry points into enterprise networks, attackers can pivot from stolen sessions to access single sign-on portals, cloud dashboards, or privileged admin interfaces. This type of lateral movement—where a foothold quickly becomes full network access—is especially dangerous in hybrid IT environments with weak internal segmentation.

To mitigate this flaw, organizations should immediately upgrade to the patched builds listed in Citrix’s June 17 advisory, including version 14.1-43.56 and later. After patching, all active sessions—especially those authenticated via AAA or Gateway—should be forcibly terminated to invalidate any stolen tokens.

Admins are also encouraged to inspect logs (e.g., ns.log) for suspicious requests to authentication endpoints such as /p/u/doAuthentication.do, and review responses for unexpected XML data like <InitialValue> fields. Since the vulnerability is a memory overread, it does not leave traditional malware traces—making token hijack and session replay the most urgent concerns.

Cybersecurity

The development also follows reports of active exploitation of a critical security vulnerability in OSGeo GeoServer GeoTools (CVE-2024-36401, CVSS score: 9.8) to deploy NetCat and the XMRig cryptocurrency miner in attacks targeting South Korea by means of PowerShell and shell scripts. CISA added the flaw to the KEV catalog in July 2024.

“Threat actors are targeting environments with vulnerable GeoServer installations, including those of Windows and Linux, and have installed NetCat and XMRig coin miner,” AhnLab said.

“When a coin miner is installed, it uses the system’s resources to mine the threat actor’s Monero coins. The threat actor can then use the installed NetCat to perform various malicious behaviors, such as installing other malware or stealing information from the system.”

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.

Sign Up For Daily Newsletter

Be keep up! Get the latest breaking news delivered straight to your inbox.
By signing up, you agree to our Terms of Use and acknowledge the data practices in our Privacy Policy. You may unsubscribe at any time.
Share This Article
Facebook Twitter Email Print
Share
What do you think?
Love0
Sad0
Happy0
Sleepy0
Angry0
Dead0
Wink0
Previous Article Write a book with the help of Youbooks AI Book Generator
Next Article The Best Proxy Services for 2025
Leave a comment

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Stay Connected

248.1k Like
69.1k Follow
134k Pin
54.3k Follow

Latest News

Samsung Galaxy Watch 8 vs Watch 8 Classic: What’s the difference?
Gadget
GitHub Next: how their research and prototyping team operates
News
South Africa’s Blue Label Telecoms to change name in major rebrand
Computing
Experts Compare Ruvi AI (RUVI) at $0.015 to Binance Coin’s (BNB) Early Days at $10, Audit and Bonuses Set It Up for a Breakout Year
Gadget

You Might also Like

Computing

South Africa’s Blue Label Telecoms to change name in major rebrand

4 Min Read
Computing

10 Miro Retrospective Templates to Improve Every Sprint

29 Min Read
Computing

How Gas Network’s “Capture the Gap” Game Is Tackling The $1 Billion On-Chain Efficiency Problem | HackerNoon

8 Min Read
Computing

AMD Radeon RX 9070 Ray-Tracing Performance Improving With Mesa 25.2

2 Min Read
//

World of Software is your one-stop website for the latest tech news and updates, follow us now to get the news that matters to you.

Quick Link

  • Privacy Policy
  • Terms of use
  • Advertise
  • Contact

Topics

  • Computing
  • Software
  • Press Release
  • Trending

Sign Up for Our Newsletter

Subscribe to our newsletter to get our newest articles instantly!

World of SoftwareWorld of Software
Follow US
Copyright © All Rights Reserved. World of Software.
Welcome Back!

Sign in to your account

Lost your password?