
Critical Citrix NetScaler Flaw (CVE-2025-5777) – What NZ Businesses Need to Know

  • Writer: Joseph Rapley
  • Jun 25
  • 4 min read

Updated: Jul 28

Citrix NetScaler (formerly known as Citrix ADC) is widely used to provide secure remote access. A newly disclosed vulnerability in these devices lets an attacker read sensitive data straight out of the appliance's memory, and potentially use what they find to get into your internal network. No login is needed.


What Is the Vulnerability?

A critical flaw, tracked as CVE-2025-5777, has been discovered in Citrix NetScaler ADC and Gateway. It lets an unauthenticated attacker read memory from affected devices that they should never be able to see. In simple terms, if your Citrix appliance is online and unpatched, an attacker can send it a crafted request and get back chunks of whatever is sitting in the appliance's memory. That can include session tokens or confidential user data.

Because attackers do not need a username or password, this flaw is especially dangerous.


Why It Matters

CVE-2025-5777 is an out-of-bounds memory read caused by insufficient input validation. The appliance does not properly check incoming data, which lets an attacker trick it into returning memory that should remain private. That memory can include session tokens, the digital keys that prove a user has already logged in.

If an attacker grabs a valid session token, they can replay it to impersonate that user and access your systems. They need neither the user's password nor their second factor, because the token proves that login and MFA were already completed. In effect, they can walk straight in.


A Mistake in the Original Advisory

When this CVE was first published on 17 June 2025, the CVE description said the bug only affected the management interface (the admin console). That made it look lower risk, since best practice is to keep the admin interface off the internet.


But on 23 June, the CVE details were corrected. The vulnerability actually affects the VPN Gateway and AAA virtual servers, which are exactly the services that are exposed to the internet to provide remote access.

That changes everything. If your Citrix Gateway is exposed online and unpatched, your business is at risk.


Who's at Risk?

Any organisation running Citrix NetScaler ADC or Gateway to provide remote access could be affected. This includes those using:

  • VPN virtual server

  • ICA Proxy, CVPN or RDP Proxy

  • AAA (authentication) virtual server


This is the standard setup for many businesses using Citrix to let staff or contractors log in remotely.

You do not need to have made any configuration mistake to be targeted. Being online and unpatched is enough. Search engines such as Shodan make it easy for attackers to find exposed Citrix systems.

  • Globally, tens of thousands of NetScaler devices are exposed.

  • In New Zealand, Shodan showed 196 potentially affected devices as of today.


If your Citrix system is online and not updated, assume it can be found and targeted by attackers.


What Could Happen?

The risks include:

  • Data breaches. Attackers could access internal systems through Citrix, appearing as a legitimate user.

  • Network compromise. Once inside, they could move to other systems or plant malware.

  • Service outages. Even unsuccessful attempts could crash the device and take remote access offline.


At the time of writing, Citrix reports no known real-world attacks. But that was also true when the original CitrixBleed (CVE-2023-4966) appeared in 2023, and it was exploited at scale soon after disclosure.

This new flaw has a CVSS v4.0 score of 9.3 (Critical), and Citrix has marked it as high priority.


How to Protect Your Business

The fix is straightforward. You need to patch. Citrix has released updates that remove the vulnerability.


Step 1: Check if You’re Affected

If your organisation uses Citrix NetScaler ADC or Gateway for remote access, and it is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN or RDP Proxy) or as an AAA virtual server, then you are affected.


Step 2: Confirm Your Version

If you are running one of the following release trains, you need to update to at least the build listed (Citrix's own build notation is used here; later builds on the same train also contain the fix):

  • 14.1 → update to 14.1-43.56 or later

  • 13.1 → update to 13.1-58.32 or later

  • 13.1-FIPS or 13.1-NDcPP → update to 13.1-37.235 or later

  • 12.1-FIPS → update to 12.1-55.328 or later


Older trains such as 13.0 and 12.1 (the non-FIPS build) are end of life. They no longer receive patches, so there is no fixed build for them. You will need to upgrade to a supported train to get the fix.


Step 3: Apply the Patch

Install the update as soon as possible. Citrix strongly recommends treating this as an emergency update.


Step 4: Terminate Active Sessions

After patching (if you run an HA pair or a cluster, wait until every appliance in it has been upgraded):

  1. Reboot your appliance.

  2. From the NetScaler CLI, run these commands to end all active user sessions:

kill icaconnection -all 
kill pcoipConnection -all

This step is critical. Patching stops new memory leaks, but it does nothing about session tokens that may already have been stolen; terminating the sessions invalidates those tokens and forces every user to log in again.


Step 5: Monitor and Verify

Confirm your appliance is now running a fixed build (show ns version on the CLI reports the release train and build number). Monitor the Citrix advisory and the NCSC NZ site for any updates. If possible, set up alerts for suspicious activity on the Gateway, such as an existing session suddenly being used from a new source IP.
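To make Steps 2 and 5 repeatable across a fleet, the following is an added example (not code from the original post or from Citrix) that takes the first line of `show ns version` output and reports whether the appliance is patched, still vulnerable, or on an end-of-life train. The version line format used in the comments and samples is assumed from typical NetScaler output and the sample lines are constructed; the `fips` flag is an assumption of this script, needed because 13.1-FIPS/NDcPP and 12.1-FIPS share a release label with the standard builds but use different build numbers, so the version line alone cannot tell the trains apart.

```python
from __future__ import annotations

import re

# Minimum fixed builds for CVE-2025-5777, keyed by release train.
# Builds compare as (major, minor) tuples, e.g. "43.56" -> (43, 56).
FIXED_BUILDS: dict[str, tuple[int, int]] = {
    "14.1": (43, 56),
    "13.1": (58, 32),
    "13.1-FIPS": (37, 235),   # same build number covers 13.1-NDcPP
    "12.1-FIPS": (55, 328),
}

# Trains that no longer receive fixes; the only remedy is an upgrade.
END_OF_LIFE = {"13.0", "12.1"}

# Assumed shape of the first line of `show ns version`, for example:
#   NetScaler NS14.1: Build 43.56.nc, Date: Jun 9 2025, 13:36:08   (64-bit)
VERSION_RE = re.compile(r"NetScaler NS(\d+\.\d+): Build (\d+)\.(\d+)")


def parse_version(version_line: str) -> tuple[str, tuple[int, int]]:
    """Extract (release_train, (build_major, build_minor)) from a version line."""
    m = VERSION_RE.search(version_line)
    if not m:
        raise ValueError(f"unrecognised version line: {version_line!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def patch_status(version_line: str, fips: bool = False) -> str:
    """Return 'patched', 'vulnerable' or 'end-of-life' for CVE-2025-5777.

    Set fips=True for 13.1-FIPS / 13.1-NDcPP / 12.1-FIPS appliances. Without it a
    13.1-FIPS box at build 37.235 would be compared against the standard 13.1
    fixed build (58.32) and wrongly reported as vulnerable.
    """
    release, build = parse_version(version_line)
    train = f"{release}-FIPS" if fips else release
    if train in FIXED_BUILDS:
        return "patched" if build >= FIXED_BUILDS[train] else "vulnerable"
    if train in END_OF_LIFE:
        return "end-of-life"
    raise ValueError(f"no fix information for release train {train}")


if __name__ == "__main__":
    # Constructed sample output; replace with real `show ns version` lines.
    samples = [
        ("NetScaler NS14.1: Build 43.56.nc, Date: Jun 9 2025, 13:36:08   (64-bit)", False),
        ("NetScaler NS14.1: Build 43.50.nc, Date: Apr 1 2025, 10:00:00   (64-bit)", False),
        ("NetScaler NS13.1: Build 37.235.nc, Date: Jun 9 2025, 12:00:00   (64-bit)", True),
        ("NetScaler NS13.0: Build 92.31.nc, Date: Jan 1 2024, 09:00:00   (64-bit)", False),
    ]
    for line, is_fips in samples:
        print(f"{line.split(',')[0]:<40} -> {patch_status(line, fips=is_fips)}")
```

Run it against the output of `show ns version` from each appliance (for example via an SSH loop over your inventory); anything that does not report "patched" still needs the upgrade and the session-termination step above.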


What If I Can’t Patch Right Now?

If patching immediately is not possible, you should:

  • Restrict access to the Gateway to specific known source IP addresses

  • Put the Gateway behind another VPN so it is not directly reachable from the internet

  • Disable remote access temporarily if feasible


These are only stopgaps. They may reduce risk, but do not fix the issue. Patching is the only reliable solution.


Final Thoughts

CVE-2025-5777 is a serious flaw that affects the remote access tools many NZ businesses rely on. The original confusion about what was at risk has now been cleared up. The threat is real, and it affects the internet-facing Citrix Gateway.

If your system is unpatched and online, it can be found and exploited. The fix is available, and the instructions are clear.

If you are responsible for your organisation’s IT or security, this needs your attention. Patch your Citrix systems. End active sessions. Confirm you are no longer vulnerable.

Staying ahead of these kinds of threats is one of the most effective ways to prevent a serious breach.

